### *Detect date*:
12/11/2018
### *Severity*:
Critical
### *Description*:
Multiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service, obtain sensitive information, and execute arbitrary code.
### *Affected products*:
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows 10 Version 1809 for 32-bit Systems
Windows Server 2012 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2012 R2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 R2
Windows RT 8.1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows 8.1 for 32-bit systems
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows 8.1 for x64-based systems
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server, version 1803 (Server Core Installation)
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 1803 for 32-bit Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
### *Solution*:
Install the necessary updates from the KB list section that are offered in Windows Update (Windows Update can usually be accessed from the Control Panel).
### *Original advisories*:
[CVE-2018-8599](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8599>)
[CVE-2018-8649](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8649>)
[CVE-2018-8622](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8622>)
[CVE-2018-8641](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8641>)
[CVE-2018-8639](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8639>)
[CVE-2018-8637](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8637>)
[CVE-2018-8596](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8596>)
[CVE-2018-8611](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8611>)
[CVE-2018-8621](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8621>)
[CVE-2018-8638](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8638>)
[CVE-2018-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8477>)
[CVE-2018-8514](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8514>)
[CVE-2018-8595](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8595>)
[CVE-2018-8612](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8612>)
[CVE-2018-8634](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8634>)
[CVE-2018-8626](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8626>)
### *Impacts*:
ACE
### *Related products*:
[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)
### *CVE-IDS*:
[CVE-2018-8599](<https://vulners.com/cve/CVE-2018-8599>) 4.6 Warning
[CVE-2018-8649](<https://vulners.com/cve/CVE-2018-8649>) 4.9 Warning
[CVE-2018-8622](<https://vulners.com/cve/CVE-2018-8622>) 2.1 Warning
[CVE-2018-8641](<https://vulners.com/cve/CVE-2018-8641>) 7.2 High
[CVE-2018-8639](<https://vulners.com/cve/CVE-2018-8639>) 7.2 High
[CVE-2018-8637](<https://vulners.com/cve/CVE-2018-8637>) 2.1 Warning
[CVE-2018-8596](<https://vulners.com/cve/CVE-2018-8596>) 4.3 Warning
[CVE-2018-8611](<https://vulners.com/cve/CVE-2018-8611>) 7.2 High
[CVE-2018-8621](<https://vulners.com/cve/CVE-2018-8621>) 2.1 Warning
[CVE-2018-8638](<https://vulners.com/cve/CVE-2018-8638>) 2.1 Warning
[CVE-2018-8477](<https://vulners.com/cve/CVE-2018-8477>) 2.1 Warning
[CVE-2018-8514](<https://vulners.com/cve/CVE-2018-8514>) 2.1 Warning
[CVE-2018-8595](<https://vulners.com/cve/CVE-2018-8595>) 4.3 Warning
[CVE-2018-8612](<https://vulners.com/cve/CVE-2018-8612>) 2.1 Warning
[CVE-2018-8634](<https://vulners.com/cve/CVE-2018-8634>) 9.3 Critical
### *KB list*:
[4471329](<http://support.microsoft.com/kb/4471329>)
[4471323](<http://support.microsoft.com/kb/4471323>)
[4471324](<http://support.microsoft.com/kb/4471324>)
[4471327](<http://support.microsoft.com/kb/4471327>)
[4471321](<http://support.microsoft.com/kb/4471321>)
[4471332](<http://support.microsoft.com/kb/4471332>)
[4471320](<http://support.microsoft.com/kb/4471320>)
[4471322](<http://support.microsoft.com/kb/4471322>)
[4471326](<http://support.microsoft.com/kb/4471326>)
[4471330](<http://support.microsoft.com/kb/4471330>)
### *Microsoft official advisories*:
### *Exploitation*:
Malware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).
{"id": "KLA11385", "vendorId": null, "type": "kaspersky", "bulletinFamily": "info", "title": "KLA11385 Multiple vulnerabilities in Microsoft Windows", "description": "### *Detect date*:\n12/11/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service, obtain sensitive information, execute arbitrary code.\n\n### *Affected products*:\nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 \nWindows RT 8.1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 8.1 for x64-based systems \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 
Version 1703 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1709 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8599](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8599>) \n[CVE-2018-8649](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8649>) \n[CVE-2018-8622](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8622>) \n[CVE-2018-8641](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8641>) \n[CVE-2018-8639](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8639>) \n[CVE-2018-8637](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8637>) \n[CVE-2018-8596](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8596>) \n[CVE-2018-8611](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8611>) \n[CVE-2018-8621](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8621>) \n[CVE-2018-8638](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8638>) \n[CVE-2018-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8477>) \n[CVE-2018-8514](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8514>) \n[CVE-2018-8595](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8595>) \n[CVE-2018-8612](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8612>) \n[CVE-2018-8634](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8634>) 
\n[CVE-2018-8626](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8626>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8599](<https://vulners.com/cve/CVE-2018-8599>)4.6Warning \n[CVE-2018-8649](<https://vulners.com/cve/CVE-2018-8649>)4.9Warning \n[CVE-2018-8622](<https://vulners.com/cve/CVE-2018-8622>)2.1Warning \n[CVE-2018-8641](<https://vulners.com/cve/CVE-2018-8641>)7.2High \n[CVE-2018-8639](<https://vulners.com/cve/CVE-2018-8639>)7.2High \n[CVE-2018-8637](<https://vulners.com/cve/CVE-2018-8637>)2.1Warning \n[CVE-2018-8596](<https://vulners.com/cve/CVE-2018-8596>)4.3Warning \n[CVE-2018-8611](<https://vulners.com/cve/CVE-2018-8611>)7.2High \n[CVE-2018-8621](<https://vulners.com/cve/CVE-2018-8621>)2.1Warning \n[CVE-2018-8638](<https://vulners.com/cve/CVE-2018-8638>)2.1Warning \n[CVE-2018-8477](<https://vulners.com/cve/CVE-2018-8477>)2.1Warning \n[CVE-2018-8514](<https://vulners.com/cve/CVE-2018-8514>)2.1Warning \n[CVE-2018-8595](<https://vulners.com/cve/CVE-2018-8595>)4.3Warning \n[CVE-2018-8612](<https://vulners.com/cve/CVE-2018-8612>)2.1Warning \n[CVE-2018-8634](<https://vulners.com/cve/CVE-2018-8634>)9.3Critical\n\n### *KB list*:\n[4471329](<http://support.microsoft.com/kb/4471329>) \n[4471323](<http://support.microsoft.com/kb/4471323>) \n[4471324](<http://support.microsoft.com/kb/4471324>) \n[4471327](<http://support.microsoft.com/kb/4471327>) \n[4471321](<http://support.microsoft.com/kb/4471321>) \n[4471332](<http://support.microsoft.com/kb/4471332>) \n[4471320](<http://support.microsoft.com/kb/4471320>) \n[4471322](<http://support.microsoft.com/kb/4471322>) \n[4471326](<http://support.microsoft.com/kb/4471326>) \n[4471330](<http://support.microsoft.com/kb/4471330>)\n\n### *Microsoft official advisories*:\n\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "published": "2018-12-11T00:00:00", "modified": "2020-07-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA11385/", "reporter": "Kaspersky Lab", "references": ["https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8599", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8649", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8622", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8641", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8639", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8637", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8596", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8611", 
"https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8621", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8638", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8477", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8514", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8595", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8612", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8634", "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8626", "https://threats.kaspersky.com/en/product/Microsoft-Windows/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Server/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2012/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-8/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-7/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2008/", "https://threats.kaspersky.com/en/product/Windows-RT/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-10/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8599", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8649", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8622", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8641", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8639", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8637", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8596", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8611", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8621", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8638", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8477", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8514", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8595", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8612", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8634", "http://support.microsoft.com/kb/4471329", "http://support.microsoft.com/kb/4471323", "http://support.microsoft.com/kb/4471324", "http://support.microsoft.com/kb/4471327", "http://support.microsoft.com/kb/4471321", "http://support.microsoft.com/kb/4471332", "http://support.microsoft.com/kb/4471320", "http://support.microsoft.com/kb/4471322", "http://support.microsoft.com/kb/4471326", "http://support.microsoft.com/kb/4471330", "https://portal.msrc.microsoft.com/en-us/security-guidance", "https://threats.kaspersky.com/en/class/Exploit/", "https://statistics.securelist.com/vulnerability-scan/month"], "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8626", "CVE-2018-8634", "CVE-2018-8637", "CVE-2018-8638", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8649"], "immutableFields": [], "lastseen": "2023-02-08T16:00:29", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:04EA1B54-D2F3-492C-8840-E61BDA5162E7", "AKB:AADC94FF-A101-411D-91A5-4F61F0BBF467"]}, {"type": "cert", "idList": ["VU:289907", "VU:531281"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1120", "CPAI-2018-1231", "CPAI-2019-0151", "CPAI-2019-0156"]}, {"type": "cisa", "idList": ["CISA:AFED810A1B96D9158C0497156BFFC453"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2018-8611"]}, {"type": "cve", "idList": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8626", "CVE-2018-8634", "CVE-2018-8637", "CVE-2018-8638", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8649"]}, {"type": "kaspersky", "idList": ["KLA11383", "KLA11884", 
"KLA11897"]}, {"type": "krebs", "idList": ["KREBS:806855EDF30AAF031028DA4405D90B39", "KREBS:B3F20C0C41C613971FDADBAE93382CDF"]}, {"type": "mscve", "idList": ["MS:CVE-2018-8477", "MS:CVE-2018-8514", "MS:CVE-2018-8595", "MS:CVE-2018-8596", "MS:CVE-2018-8599", "MS:CVE-2018-8611", "MS:CVE-2018-8612", "MS:CVE-2018-8621", "MS:CVE-2018-8622", "MS:CVE-2018-8626", "MS:CVE-2018-8634", "MS:CVE-2018-8637", "MS:CVE-2018-8638", "MS:CVE-2018-8639", "MS:CVE-2018-8641", "MS:CVE-2018-8649"]}, {"type": "mskb", "idList": ["KB4469516", "KB4471319", "KB4471322", "KB4471326", "KB4471328", "KB4473077", "KB4473078"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_DEC_4471318.NASL", "SMB_NT_MS18_DEC_4471320.NASL", "SMB_NT_MS18_DEC_4471321.NASL", "SMB_NT_MS18_DEC_4471323.NASL", "SMB_NT_MS18_DEC_4471324.NASL", "SMB_NT_MS18_DEC_4471325.NASL", "SMB_NT_MS18_DEC_4471327.NASL", "SMB_NT_MS18_DEC_4471329.NASL", "SMB_NT_MS18_DEC_4471330.NASL", "SMB_NT_MS18_DEC_4471332.NASL", "SMB_NT_MS18_DEC_VISUAL_STUDIO.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814610", "OPENVAS:1361412562310814611", "OPENVAS:1361412562310814612", "OPENVAS:1361412562310814613", "OPENVAS:1361412562310814614", "OPENVAS:1361412562310814615", "OPENVAS:1361412562310814616", "OPENVAS:1361412562310814619", "OPENVAS:1361412562310814638"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:6AC221B6FC3416AF7787F326F79DCBE1"]}, {"type": "securelist", "idList": ["SECURELIST:3813D41319B88396F5995A4071DFA47F", "SECURELIST:52185495AADEC0E6183185DE5799E6B5", "SECURELIST:63F08CF43123326EE123EADFF8681D0D", "SECURELIST:7286FDD05AF03323AEA8EDD25DF1604F", "SECURELIST:78C1216872C5187377E9C874AEDF73FC"]}, {"type": "symantec", "idList": ["SMNTC-106076", "SMNTC-106078", "SMNTC-106079", "SMNTC-106081", "SMNTC-106082", "SMNTC-106083", "SMNTC-106085", "SMNTC-106086", "SMNTC-106087", "SMNTC-106088", "SMNTC-106089", "SMNTC-106090", "SMNTC-106091", "SMNTC-106093", "SMNTC-106094", "SMNTC-106095"]}, {"type": "talosblog", "idList": 
["TALOSBLOG:E1235309A97B4CBFE2437713DD6742B8"]}, {"type": "thn", "idList": ["THN:F34754C92EBDDF21C3F920DF7E64971E"]}, {"type": "threatpost", "idList": ["THREATPOST:2449B7C3317E847CB7244592BA73C2B8", "THREATPOST:2E654D55F3DCC64D0CE6111B5A74B86B"]}, {"type": "zdi", "idList": ["ZDI-18-1403", "ZDI-18-1404", "ZDI-18-1429", "ZDI-18-1430"]}]}, "score": {"value": 3.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:04EA1B54-D2F3-492C-8840-E61BDA5162E7"]}, {"type": "cert", "idList": ["VU:289907", "VU:531281"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1120", "CPAI-2018-1231", "CPAI-2019-0151", "CPAI-2019-0156"]}, {"type": "cisa", "idList": ["CISA:AFED810A1B96D9158C0497156BFFC453"]}, {"type": "cve", "idList": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8626", "CVE-2018-8634", "CVE-2018-8637", "CVE-2018-8638", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8649"]}, {"type": "kaspersky", "idList": ["KLA11383"]}, {"type": "krebs", "idList": ["KREBS:806855EDF30AAF031028DA4405D90B39"]}, {"type": "mscve", "idList": ["MS:CVE-2018-8477", "MS:CVE-2018-8514", "MS:CVE-2018-8595", "MS:CVE-2018-8596", "MS:CVE-2018-8599", "MS:CVE-2018-8611", "MS:CVE-2018-8612", "MS:CVE-2018-8621", "MS:CVE-2018-8622", "MS:CVE-2018-8626", "MS:CVE-2018-8634", "MS:CVE-2018-8637", "MS:CVE-2018-8638", "MS:CVE-2018-8639", "MS:CVE-2018-8641", "MS:CVE-2018-8649"]}, {"type": "mskb", "idList": ["KB4469516"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_DEC_VISUAL_STUDIO.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814610", "OPENVAS:1361412562310814611", "OPENVAS:1361412562310814612", "OPENVAS:1361412562310814613", "OPENVAS:1361412562310814614", "OPENVAS:1361412562310814615", "OPENVAS:1361412562310814616", "OPENVAS:1361412562310814619", "OPENVAS:1361412562310814638"]}, {"type": "qualysblog", "idList": 
["QUALYSBLOG:6AC221B6FC3416AF7787F326F79DCBE1"]}, {"type": "securelist", "idList": ["SECURELIST:3813D41319B88396F5995A4071DFA47F"]}, {"type": "symantec", "idList": ["SMNTC-106083"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E1235309A97B4CBFE2437713DD6742B8"]}, {"type": "thn", "idList": ["THN:F34754C92EBDDF21C3F920DF7E64971E"]}, {"type": "threatpost", "idList": ["THREATPOST:2E654D55F3DCC64D0CE6111B5A74B86B"]}, {"type": "zdi", "idList": ["ZDI-18-1429", "ZDI-18-1430"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-8477", "epss": "0.000460000", "percentile": "0.139680000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8514", "epss": "0.000460000", "percentile": "0.139680000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8595", "epss": "0.224960000", "percentile": "0.957340000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8596", "epss": "0.224960000", "percentile": "0.957340000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8599", "epss": "0.000580000", "percentile": "0.218520000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8611", "epss": "0.000500000", "percentile": "0.175820000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8612", "epss": "0.000430000", "percentile": "0.077860000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8621", "epss": "0.000460000", "percentile": "0.139680000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8622", "epss": "0.000460000", "percentile": "0.139680000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8626", "epss": "0.033320000", "percentile": "0.898450000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8634", "epss": "0.052770000", "percentile": "0.918360000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8637", "epss": "0.000430000", "percentile": "0.077860000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8638", "epss": "0.000460000", "percentile": "0.139680000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8639", "epss": "0.000540000", "percentile": "0.206550000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8641", "epss": 
"0.000540000", "percentile": "0.206550000", "modified": "2023-03-14"}, {"cve": "CVE-2018-8649", "epss": "0.000430000", "percentile": "0.077860000", "modified": "2023-03-14"}], "vulnersScore": 3.5}, "_state": {"dependencies": 1675872124, "score": 1675872308, "epss": 1678874978}, "_internal": {"score_hash": "d478f6ced9eb57ea4fcf324513761264"}}
{"nessus": [{"lastseen": "2023-01-11T14:53:50", "description": "The remote Windows host is missing security update 4471324.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2018-8634)\n\n - An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object. (CVE-2018-8637)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. (CVE-2018-8626)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2018-8639)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471324: Windows 10 Version 1803 and Windows Server Version 1803 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8626", "CVE-2018-8634", "CVE-2018-8637", "CVE-2018-8639", "CVE-2018-8641"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_DEC_4471324.NASL", "href": "https://www.tenable.com/plugins/nessus/119586", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119586);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8599\",\n \"CVE-2018-8611\",\n \"CVE-2018-8612\",\n \"CVE-2018-8626\",\n \"CVE-2018-8634\",\n \"CVE-2018-8637\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\"\n );\n script_xref(name:\"MSKB\", value:\"4471324\");\n script_xref(name:\"MSFT\", value:\"MS18-4471324\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471324: Windows 10 Version 1803 and Windows Server Version 1803 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471324.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A Denial Of Service vulnerability exists when Connected\n User Experiences and Telemetry Service fails to validate\n certain function values. An attacker who successfully\n exploited this vulnerability could deny dependent\n security feature functionality. 
(CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows\n where Microsoft text-to-speech fails to properly handle\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8634)\n\n - An information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2018-8637)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. 
(CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) servers when they fail to\n properly handle requests. An attacker who successfully\n exploited the vulnerability could run arbitrary code in\n the context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. (CVE-2018-8626)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\");\n # https://support.microsoft.com/en-us/help/4471324/windows-10-update-kb4471324\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7a2a924f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4471324.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8626\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471324');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471324])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:53:36", "description": "The remote Windows host is missing security update 4471329.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8634)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. 
(CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. (CVE-2018-8626)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471329: Windows 10 Version 1709 and Windows Server Version 1709 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8626", "CVE-2018-8634", "CVE-2018-8639", "CVE-2018-8641"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_DEC_4471329.NASL", "href": 
"https://www.tenable.com/plugins/nessus/119589", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119589);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8599\",\n \"CVE-2018-8611\",\n \"CVE-2018-8612\",\n \"CVE-2018-8626\",\n \"CVE-2018-8634\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\"\n );\n script_xref(name:\"MSKB\", value:\"4471329\");\n script_xref(name:\"MSFT\", value:\"MS18-4471329\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471329: Windows 10 Version 1709 and Windows Server Version 1709 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471329.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A Denial Of Service vulnerability exists when Connected\n User Experiences and Telemetry Service fails to validate\n certain function values. An attacker who successfully\n exploited this vulnerability could deny dependent\n security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows\n where Microsoft text-to-speech fails to properly handle\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8634)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. 
The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) servers when they fail to\n properly handle requests. An attacker who successfully\n exploited the vulnerability could run arbitrary code in\n the context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. (CVE-2018-8626)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. 
An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\");\n # https://support.microsoft.com/en-us/help/4471329/windows-10-update-kb4471329\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?24e3688b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4471329.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8626\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : 
Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471329');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471329])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:54:20", "description": "The remote Windows host is missing security update 4471332.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. 
An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how DirectX handles objects in memory.\n (CVE-2018-8638)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629)\n\n - A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2018-8631)\n\n - A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. 
(CVE-2018-8649)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object. (CVE-2018-8637)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). 
(CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. 
(CVE-2018-8626)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471332: Windows 10 Version 1809 and Windows Server 2019 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8583", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8617", "CVE-2018-8618", "CVE-2018-8619", "CVE-2018-8624", "CVE-2018-8625", "CVE-2018-8626", "CVE-2018-8629", "CVE-2018-8631", "CVE-2018-8634", "CVE-2018-8637", "CVE-2018-8638", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643", "CVE-2018-8649"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_DEC_4471332.NASL", "href": "https://www.tenable.com/plugins/nessus/119591", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119591);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8583\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8599\",\n \"CVE-2018-8611\",\n \"CVE-2018-8612\",\n \"CVE-2018-8617\",\n \"CVE-2018-8618\",\n \"CVE-2018-8619\",\n \"CVE-2018-8624\",\n \"CVE-2018-8625\",\n \"CVE-2018-8626\",\n \"CVE-2018-8629\",\n \"CVE-2018-8631\",\n \"CVE-2018-8634\",\n \"CVE-2018-8637\",\n \"CVE-2018-8638\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\",\n \"CVE-2018-8649\"\n );\n script_xref(name:\"MSKB\", value:\"4471332\");\n script_xref(name:\"MSFT\", value:\"MS18-4471332\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471332: Windows 10 Version 1809 and Windows Server 2019 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471332.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8638)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8583, CVE-2018-8617,\n CVE-2018-8618, CVE-2018-8624, CVE-2018-8629)\n\n - A Denial Of Service vulnerability exists when Connected\n User Experiences and Telemetry Service fails to validate\n certain function values. An attacker who successfully\n exploited this vulnerability could deny dependent\n security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - A remote code execution vulnerability exists in Windows\n where Microsoft text-to-speech fails to properly handle\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2018-8634)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8649)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2018-8639)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - An information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2018-8637)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) servers when they fail to\n properly handle requests. An attacker who successfully\n exploited the vulnerability could run arbitrary code in\n the context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. 
(CVE-2018-8626)\");\n # https://support.microsoft.com/en-us/help/4471332/windows-10-update-kb4471332\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1602e2b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4471332.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8626\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471332');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471332])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:53:50", "description": "The remote Windows host is missing security update 4471322 or cumulative update 4471320. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). 
(CVE-2018-8619)\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8631)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. (CVE-2018-8626)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2018-8622)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. 
An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2018-8639)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471322: Windows 8.1 and Windows Server 2012 R2 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8611", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8625", "CVE-2018-8626", "CVE-2018-8631", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_DEC_4471320.NASL", "href": "https://www.tenable.com/plugins/nessus/119583", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119583);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8611\",\n \"CVE-2018-8619\",\n \"CVE-2018-8622\",\n \"CVE-2018-8625\",\n \"CVE-2018-8626\",\n \"CVE-2018-8631\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471322\");\n script_xref(name:\"MSKB\", value:\"4471320\");\n script_xref(name:\"MSFT\", value:\"MS18-4471322\");\n script_xref(name:\"MSFT\", value:\"MS18-4471320\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471322: Windows 8.1 and Windows Server 2012 R2 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471322\nor cumulative update 4471320. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) servers when they fail to\n properly handle requests. An attacker who successfully\n exploited the vulnerability could run arbitrary code in\n the context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. (CVE-2018-8626)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. 
(CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8622)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. 
A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2018-8639)\");\n # https://support.microsoft.com/en-us/help/4471322/windows-8-1-update-kb4471322\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?454a6553\");\n # https://support.microsoft.com/en-us/help/4471320/windows-8-1-update-kb4471320\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56bb4eaa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4471322 or Cumulative Update KB4471320.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8626\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471322', '4471320');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471322, 4471320])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:53:49", "description": "The remote Windows host is missing security update 4471326 or cumulative update 4471330. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. 
An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. 
(CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. 
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. 
(CVE-2018-8621, CVE-2018-8622)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471326: Windows Server 2012 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8611", "CVE-2018-8619", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8625", "CVE-2018-8631", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_DEC_4471330.NASL", "href": "https://www.tenable.com/plugins/nessus/119590", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119590);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8611\",\n \"CVE-2018-8619\",\n \"CVE-2018-8621\",\n \"CVE-2018-8622\",\n \"CVE-2018-8625\",\n \"CVE-2018-8631\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471326\");\n script_xref(name:\"MSKB\", value:\"4471330\");\n script_xref(name:\"MSFT\", value:\"MS18-4471326\");\n script_xref(name:\"MSFT\", value:\"MS18-4471330\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471326: Windows Server 2012 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471326\nor cumulative update 4471330. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. 
(CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8621, CVE-2018-8622)\");\n # https://support.microsoft.com/en-us/help/4471326/windows-server-2012-update-kb4471326\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ae96598\");\n # https://support.microsoft.com/en-us/help/4471330/windows-server-2012-kb4471330\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?720406bc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4471326 or Cumulative Update KB4471330.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471326', '4471330');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471326, 4471330])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, 
value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:53:34", "description": "The remote Windows host is missing security update 4471328 or cumulative update 4471318. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. 
(CVE-2018-8621, CVE-2018-8622)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471328: Windows 7 and Windows Server 2008 R2 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8611", "CVE-2018-8619", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8625", "CVE-2018-8631", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_DEC_4471318.NASL", "href": "https://www.tenable.com/plugins/nessus/119582", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119582);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8611\",\n \"CVE-2018-8619\",\n \"CVE-2018-8621\",\n \"CVE-2018-8622\",\n \"CVE-2018-8625\",\n \"CVE-2018-8631\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471328\");\n script_xref(name:\"MSKB\", value:\"4471318\");\n script_xref(name:\"MSFT\", value:\"MS18-4471328\");\n script_xref(name:\"MSFT\", value:\"MS18-4471318\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471328: Windows 7 and Windows Server 2008 R2 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471328\nor cumulative update 4471318. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. 
(CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8621, CVE-2018-8622)\");\n # https://support.microsoft.com/en-us/help/4471328/windows-7-update-kb4471328\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8c39e47a\");\n # https://support.microsoft.com/en-us/help/4471318/windows-7-update-kb4471318\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4b518909\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4471328 or Cumulative Update KB4471318.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471328', '4471318');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471328, 4471318])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:53:50", "description": "The remote Windows host is missing security update 4471321.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. 
An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. 
(CVE-2018-8626)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471321: Windows 10 Version 1607 and Windows Server 2016 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8617", "CVE-2018-8618", "CVE-2018-8619", "CVE-2018-8624", "CVE-2018-8625", "CVE-2018-8626", "CVE-2018-8629", "CVE-2018-8631", "CVE-2018-8634", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_DEC_4471321.NASL", "href": "https://www.tenable.com/plugins/nessus/119584", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119584);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8599\",\n \"CVE-2018-8611\",\n \"CVE-2018-8612\",\n \"CVE-2018-8617\",\n \"CVE-2018-8618\",\n \"CVE-2018-8619\",\n \"CVE-2018-8624\",\n \"CVE-2018-8625\",\n \"CVE-2018-8626\",\n \"CVE-2018-8629\",\n \"CVE-2018-8631\",\n \"CVE-2018-8634\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471321\");\n script_xref(name:\"MSFT\", value:\"MS18-4471321\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471321: Windows 10 Version 1607 and Windows Server 2016 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471321.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A Denial Of Service vulnerability exists when Connected\n User Experiences and Telemetry Service fails to validate\n certain function values. 
An attacker who successfully\n exploited this vulnerability could deny dependent\n security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows\n where Microsoft text-to-speech fails to properly handle\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2018-8639)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8617, CVE-2018-8618,\n CVE-2018-8624, CVE-2018-8629)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) servers when they fail to\n properly handle requests. An attacker who successfully\n exploited the vulnerability could run arbitrary code in\n the context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. (CVE-2018-8626)\");\n # https://support.microsoft.com/en-us/help/4471321/windows-10-update-kb4471321\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?417b4781\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4471321.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8626\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft 
Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471321');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471321])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:54:21", "description": "The remote Windows host is missing security update 4471323.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8631)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2018-8639)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8617, CVE-2018-8629)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471323: Windows 10 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8617", "CVE-2018-8619", "CVE-2018-8625", "CVE-2018-8629", "CVE-2018-8631", "CVE-2018-8634", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_DEC_4471323.NASL", "href": "https://www.tenable.com/plugins/nessus/119585", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119585);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8599\",\n \"CVE-2018-8611\",\n \"CVE-2018-8617\",\n \"CVE-2018-8619\",\n \"CVE-2018-8625\",\n \"CVE-2018-8629\",\n \"CVE-2018-8631\",\n \"CVE-2018-8634\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471323\");\n script_xref(name:\"MSFT\", value:\"MS18-4471323\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471323: Windows 10 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471323.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows\n where Microsoft text-to-speech fails to properly handle\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. 
The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8617, CVE-2018-8629)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. 
An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\");\n # https://support.microsoft.com/en-us/help/4471323/windows-10-update-kb4471323\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7b3e08e7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4471323.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471323');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471323])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:53:34", "description": "The remote Windows host is missing security update 4471319 or cumulative update 4471325. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. 
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2018-8622)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471319: Windows Server 2008 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8611", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8625", "CVE-2018-8631", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_DEC_4471325.NASL", "href": "https://www.tenable.com/plugins/nessus/119587", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119587);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8611\",\n \"CVE-2018-8619\",\n \"CVE-2018-8622\",\n \"CVE-2018-8625\",\n \"CVE-2018-8631\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471319\");\n script_xref(name:\"MSKB\", value:\"4471325\");\n script_xref(name:\"MSFT\", value:\"MS18-4471319\");\n script_xref(name:\"MSFT\", value:\"MS18-4471325\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471319: Windows Server 2008 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471319\nor cumulative update 4471325. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. 
(CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how the Windows kernel handles objects in\n memory. (CVE-2018-8622)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. 
A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\");\n # https://support.microsoft.com/en-us/help/4471319/windows-server-2008-kb4471319\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f00ca152\");\n # https://support.microsoft.com/en-us/help/4471325/windows-server-2008-update-kb4471325\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2da08abc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4471319 or Cumulative Update KB4471325.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471319', '4471325');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471319, 4471325])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2023-01-11T14:54:20", "description": "The remote Windows host is missing security update 4471327.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629)\n\n - A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. 
(CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8639)\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. 
(CVE-2018-8477)\n\n - An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions. An attacker who exploited the vulnerability could run arbitrary code with medium-integrity level privileges (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET Framework improperly handles special web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an .NET Framework web application. The vulnerability can be exploited remotely, without authentication. 
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2018-8641)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "nessus", "title": "KB4471327: Windows 10 Version 1703 December 2018 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8583", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8599", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8617", "CVE-2018-8618", "CVE-2018-8619", "CVE-2018-8624", 
"CVE-2018-8625", "CVE-2018-8629", "CVE-2018-8631", "CVE-2018-8634", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_DEC_4471327.NASL", "href": "https://www.tenable.com/plugins/nessus/119588", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119588);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2018-8477\",\n \"CVE-2018-8514\",\n \"CVE-2018-8517\",\n \"CVE-2018-8540\",\n \"CVE-2018-8583\",\n \"CVE-2018-8595\",\n \"CVE-2018-8596\",\n \"CVE-2018-8599\",\n \"CVE-2018-8611\",\n \"CVE-2018-8612\",\n \"CVE-2018-8617\",\n \"CVE-2018-8618\",\n \"CVE-2018-8619\",\n \"CVE-2018-8624\",\n \"CVE-2018-8625\",\n \"CVE-2018-8629\",\n \"CVE-2018-8631\",\n \"CVE-2018-8634\",\n \"CVE-2018-8639\",\n \"CVE-2018-8641\",\n \"CVE-2018-8643\"\n );\n script_xref(name:\"MSKB\", value:\"4471327\");\n script_xref(name:\"MSFT\", value:\"MS18-4471327\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"KB4471327: Windows 10 Version 1703 December 2018 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4471327.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. 
An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8540)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8583, CVE-2018-8617,\n CVE-2018-8618, CVE-2018-8624, CVE-2018-8629)\n\n - A Denial Of Service vulnerability exists when Connected\n User Experiences and Telemetry Service fails to validate\n certain function values. An attacker who successfully\n exploited this vulnerability could deny dependent\n security feature functionality. (CVE-2018-8612)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8595, CVE-2018-8596)\n\n - A remote code execution vulnerability exists in Windows\n where Microsoft text-to-speech fails to properly handle\n objects in the memory. 
An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8634)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8631)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8639)\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8477)\n\n - An information disclosure vulnerability exists when\n Remote Procedure Call runtime improperly initializes\n objects in memory. 
(CVE-2018-8514)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8611)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-8625)\n\n - A remote code execution vulnerability exists when the\n Internet Explorer VBScript execution policy does not\n properly restrict VBScript under specific conditions. An\n attacker who exploited the vulnerability could run\n arbitrary code with medium-integrity level privileges\n (the permissions of the current user). (CVE-2018-8619)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8643)\n\n - A denial of service vulnerability exists when .NET\n Framework improperly handles special web requests. An\n attacker who successfully exploited this vulnerability\n could cause a denial of service against an .NET\n Framework web application. The vulnerability can be\n exploited remotely, without authentication. A remote\n unauthenticated attacker could exploit this\n vulnerability by issuing specially crafted requests to\n the .NET Framework application. 
The update addresses the\n vulnerability by correcting how the .NET Framework web\n application handles web requests. (CVE-2018-8517)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8641)\");\n # https://support.microsoft.com/en-us/help/4471327/windows-10-update-kb4471327\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8b54dbf3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4471327.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft 
Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-12\";\nkbs = make_list('4471327');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"12_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4471327])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:54:08", "description": "The Microsoft Visual Studio Products are missing a security update. It is, therefore, affected by the following vulnerability :\n\n - An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. 
An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. The security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n (CVE-2018-8599)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-13T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Visual Studio Products (December 2018)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8599"], "modified": "2022-06-27T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio"], "id": "SMB_NT_MS18_DEC_VISUAL_STUDIO.NASL", "href": "https://www.tenable.com/plugins/nessus/119611", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119611);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/27\");\n\n script_cve_id(\"CVE-2018-8599\");\n script_xref(name:\"MSKB\", value:\"4469516\");\n script_xref(name:\"MSFT\", value:\"MS18-4469516\");\n\n script_name(english:\"Security Updates for Microsoft Visual Studio Products (December 2018)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Visual Studio Products are missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Visual Studio Products are missing a security\nupdate. It is, therefore, affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when the\n Diagnostics Hub Standard Collector Service improperly\n impersonates certain file operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. An attacker with unprivileged\n access to a vulnerable system could exploit this\n vulnerability. 
The security update addresses the\n vulnerability by ensuring the Diagnostics Hub Standard\n Collector Service properly impersonates file operations.\n (CVE-2018-8599)\");\n # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8599\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b1ec68a6\");\n # https://support.microsoft.com/en-us/help/4469516/security-update-for-vulnerabilities-in-visual-studio-2015\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eaabc286\");\n # https://docs.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes-v15.0#15.0.26228.64\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1cc17f68\");\n # https://docs.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes#15.9.4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?829bdf9f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4469516 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8599\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_visual_studio_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\", \"installed_sw/Microsoft Visual Studio\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\n\nget_kb_item_or_exit('installed_sw/Microsoft Visual Studio');\nport = kb_smb_transport();\nappname = \"Microsoft Visual Studio\";\n\ninstalls = get_installs(app_name:appname, exit_if_not_found:TRUE);\n\nreport = '';\n\nforeach install (installs[1])\n{\n version = install['version'];\n path = install['path'];\n prod = install['product_version'];\n\n # VS 2015 Up3 - #verified\n # File Check change: using file 'StandardCollector.Service.exe'\n if (version =~ '^14\\\\.0\\\\.')\n {\n fver = hotfix_get_fversion(path:path+\"Team Tools\\DiagnosticsHub\\Collector\\StandardCollector.Service.exe\");\n if (fver['error'] != 0)\n continue;\n if (empty_or_null(fver['value']))\n continue;\n fversion = join(sep:\".\", fver['value']);\n if (ver_compare(ver: fversion, fix: '14.0.27529.0', strict:FALSE) < 0)\n {\n report +=\n '\\n Path : ' + path + \"Team Tools\\DiagnosticsHub\\Collector\\StandardCollector.Service.exe\" +\n '\\n Installed version : ' + fversion +\n '\\n Fixed version : 14.0.27529.0' +\n '\\n';\n }\n }\n\n # VS 2017 version 15.0\n else if (prod == '2017' && version =~ '^15\\\\.0\\\\.')\n {\n fix = '15.0.26228.64'; \n\n if (ver_compare(ver: version, fix: fix, strict:FALSE) < 0)\n {\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n }\n }\n # 
VS 2017 version 15.9\n # On 15.7.5, it asks to update to 15.9.4\n else if (prod == '2017' && version =~ '^15\\\\.[1-9]\\\\.')\n {\n fix = '15.9.28307.222';\n\n if (ver_compare(ver: version, fix: fix, strict:FALSE) < 0)\n {\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n }\n }\n\n}\n\n\nif (report != '')\n security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\nelse\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-08T13:28:53", "description": "This host is missing a critical security\n update according to Microsoft KB4471320", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471320)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310814616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814616", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471320)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814616\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8611\", \"CVE-2018-8619\",\n \"CVE-2018-8622\", \"CVE-2018-8625\", \"CVE-2018-8626\", \"CVE-2018-8631\",\n \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 13:11:27 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471320)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471320\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Internet Explorer VBScript execution policy does not properly\n restrict VBScript under specific conditions.\n\n - Scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory\n\n - Windows GDI component improperly discloses the contents of its\n memory.\n\n - Windows Domain Name System (DNS) servers when they fail to 
properly handle\n requests.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, elevate privileges and obtain information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471320\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.19208\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.3.9600.19208\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:12", "description": "This 
host is missing a critical security\n update according to Microsoft KB4471318", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471318)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8621", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8622", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8639", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310814619", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814619", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471318)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814619\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8611\", \"CVE-2018-8619\",\n \"CVE-2018-8621\", \"CVE-2018-8622\", \"CVE-2018-8625\", \"CVE-2018-8631\",\n \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 13:11:27 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471318)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471318\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Windows kernel improperly handles objects in memory.\n\n - Internet Explorer VBScript execution policy does not properly\n restrict VBScript under specific conditions.\n\n - Scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows GDI component improperly discloses the contents of its\n memory.\n\n - Windows Domain Name System (DNS) servers when they fail to properly handle\n 
requests.\n\n - Windows Win32k component fails to properly handle objects in\n memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to run arbitrary code, elevate privileges and obtain information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\n\n - Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471318\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008r2:2, win7:2, win7x64:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24313\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24313\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2020-06-08T23:06:18", "description": "This host is missing a critical security\n update according to Microsoft KB4471332", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471332)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8649", "CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8583", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8638", "CVE-2018-8625", "CVE-2018-8637", "CVE-2018-8477"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310814610", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814610", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471332)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814610\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8596\", \"CVE-2018-8599\",\n \"CVE-2018-8611\", \"CVE-2018-8612\", \"CVE-2018-8617\", \"CVE-2018-8618\",\n \"CVE-2018-8619\", \"CVE-2018-8624\", \"CVE-2018-8625\", \"CVE-2018-8626\",\n \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\", \"CVE-2018-8637\",\n \"CVE-2018-8638\", \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\",\n \"CVE-2018-8649\", \"CVE-2018-8583\", \"CVE-2018-8595\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 08:55:03 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471332)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471332\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific 
conditions.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows Domain Name System (DNS) servers fail to properly handle requests.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates certain\n file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - DirectX improperly handles objects in memory.\n\n - An error in Windows kernel that could allow an attacker to retrieve information that\n could lead to a Kernel Address Space Layout Randomization (KASLR) bypass.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Internet Explorer improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, deny dependent security feature\n functionality, gain elevated privileges, disclose sensitive information, cause\n denial of service condition and take control of the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1809 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471332\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17763.0\", test_version2:\"11.0.17763.193\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17763.0 - 11.0.17763.193\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:29:00", "description": "This host is missing a critical security\n update according to Microsoft KB4471321", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471321)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", "CVE-2018-8625", 
"CVE-2018-8477"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310814613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814613", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471321)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814613\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\", \"CVE-2018-8617\",\n \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\", \"CVE-2018-8625\",\n \"CVE-2018-8626\", \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\",\n \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 
Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:13:23 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471321)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471321\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific conditions.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - VBScript engine improperly handles objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows Domain Name System (DNS) servers fail to properly handle requests.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, obtain sensitive information, deny\n dependent security feature functionality, gain elevated privileges, cause a\n denial of service and take control of the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 
1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471321\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2664\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2664\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:06", "description": "This host is missing a critical security\n update according to Microsoft KB4471324", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471324)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8583", "CVE-2018-8611", "CVE-2018-8595", 
"CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", "CVE-2018-8625", "CVE-2018-8637", "CVE-2018-8477"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310814611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814611", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471324)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814611\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8596\", \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\",\n \"CVE-2018-8617\", \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\",\n \"CVE-2018-8625\", \"CVE-2018-8626\", \"CVE-2018-8629\", \"CVE-2018-8631\",\n \"CVE-2018-8634\", \"CVE-2018-8637\", \"CVE-2018-8639\", \"CVE-2018-8641\",\n \"CVE-2018-8643\", \"CVE-2018-8583\", \"CVE-2018-8595\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 09:46:04 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471324)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471324\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific 
conditions.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows Domain Name System (DNS) servers fail to properly handle requests.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates certain\n file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - An error in Windows kernel could allow an attacker to retrieve information\n that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Internet Explorer improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, deny dependent security feature functionality,\n gain elevated privileges, obtain sensitive information and could cause a denial\n of service.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471324\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.470\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.470\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:05:59", "description": "This host is missing a critical security\n update according to Microsoft KB4471323", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471323)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8625", "CVE-2018-8477"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310814614", 
"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814614", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471323)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814614\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8540\", \"CVE-2018-8599\",\n \"CVE-2018-8611\", \"CVE-2018-8617\", \"CVE-2018-8619\", \"CVE-2018-8625\",\n \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\", \"CVE-2018-8639\",\n \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8595\", \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:39:09 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471323)\");\n\n 
script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471323\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific conditions.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - VBScript engine improperly handles objects in memory.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, gain elevated privileges, obtain sensitive\n information and take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471323\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.18062\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.18062\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:18", "description": "This host is missing a critical security\n update according to Microsoft KB4471329", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471329)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", "CVE-2018-8583", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8626", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", 
"CVE-2018-8625", "CVE-2018-8477"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310814615", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814615", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471329)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814615\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8596\", \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\",\n \"CVE-2018-8617\", \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\",\n \"CVE-2018-8625\", \"CVE-2018-8626\", \"CVE-2018-8629\", \"CVE-2018-8631\",\n \"CVE-2018-8634\", \"CVE-2018-8639\", \"CVE-2018-8641\", \"CVE-2018-8643\",\n \"CVE-2018-8583\", \"CVE-2018-8595\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", 
value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:50:45 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471329)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471329\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Chakra scripting engine improperly handles objects in memory in\n Microsoft Edge.\n\n - Internet Explorer VBScript execution policy does not properly restrict\n VBScript under specific conditions.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows Domain Name System (DNS) servers fail to properly handle\n requests.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Internet Explorer improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, deny dependent security feature\n functionality, obtain sensitive information, cause denial of service and could\n take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"- 
Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471329\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.845\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.845\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:05:57", "description": "This host is missing a critical security\n update according to Microsoft KB4471327", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4471327)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8634", "CVE-2018-8596", "CVE-2018-8641", "CVE-2018-8619", "CVE-2018-8612", "CVE-2018-8618", "CVE-2018-8540", "CVE-2018-8617", "CVE-2018-8624", 
"CVE-2018-8583", "CVE-2018-8611", "CVE-2018-8595", "CVE-2018-8629", "CVE-2018-8639", "CVE-2018-8599", "CVE-2018-8643", "CVE-2018-8514", "CVE-2018-8631", "CVE-2018-8517", "CVE-2018-8625", "CVE-2018-8477"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310814612", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4471327)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814612\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8477\", \"CVE-2018-8514\", \"CVE-2018-8517\", \"CVE-2018-8540\",\n \"CVE-2018-8599\", \"CVE-2018-8611\", \"CVE-2018-8612\", \"CVE-2018-8617\",\n \"CVE-2018-8618\", \"CVE-2018-8619\", \"CVE-2018-8624\", \"CVE-2018-8625\",\n \"CVE-2018-8629\", \"CVE-2018-8631\", \"CVE-2018-8634\", \"CVE-2018-8639\",\n \"CVE-2018-8641\", \"CVE-2018-8643\", \"CVE-2018-8583\", \"CVE-2018-8595\",\n \"CVE-2018-8596\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 10:03:10 +0530 (Wed, 12 Dec 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4471327)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4471327\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in\n Microsoft Edge.\n\n - Connected User Experiences and Telemetry Service fails to validate\n certain function values.\n\n - Internet Explorer VBScript execution policy does not properly\n restrict VBScript under specific conditions.\n\n - Windows GDI component 
improperly discloses the contents of its\n memory.\n\n - Scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - VBScript engine improperly handles objects in memory.\n\n - Windows kernel-mode driver fails to properly handle objects in memory.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Microsoft text-to-speech fails to properly handle objects in the memory.\n\n - Diagnostics Hub Standard Collector Service improperly impersonates\n certain file operations.\n\n - Remote Procedure Call runtime improperly initializes objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, obtain sensitive information, deny dependent\n security feature functionality, gain elevated privileges and could take control\n of the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4471327\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1505\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1505\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:28:54", "description": "This host is missing an important security\n update according to Microsoft Security Update December-2018.", "cvss3": {}, "published": "2018-12-28T00:00:00", "type": "openvas", "title": "Microsoft Visual Studio 'Diagnostic Hub Standard Collector' Elevation of Privilege Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8599"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310814638", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814638", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n#\n# Microsoft Visual Studio 'Diagnostic Hub Standard Collector' Elevation of Privilege Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814638\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-8599\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-12-28 14:00:04 +0530 (Fri, 28 Dec 2018)\");\n script_name(\"Microsoft Visual Studio 'Diagnostic Hub Standard Collector' Elevation of Privilege Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Security Update December-2018.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when the Diagnostics Hub\n Standard Collector Service improperly impersonates certain 
file operations.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker who successfully exploited this vulnerability to gain elevated\n privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Visual Studio 2017\n\n - Microsoft Visual Studio 2015 Update 3\n\n - Microsoft Visual Studio 2017 Version 15.9\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8599\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4469516\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes-v15.0\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_visual_prdts_detect.nasl\");\n script_mandatory_keys(\"Microsoft/VisualStudio/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nvsVer = get_kb_item(\"Microsoft/VisualStudio/Ver\");\nif(!vsVer){\n exit(0);\n}\n\nos_arch = get_kb_item(\"SMB/Windows/Arch\");\nif(!os_arch){\n exit(0);\n}\n\nif(\"x86\" >< os_arch){\n key_list = make_list(\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\");\n}\n\nelse if(\"x64\" >< os_arch){\n key_list = make_list(\"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\",\n 
\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\");\n}\n\nif(vsVer =~ \"^14\\.\")\n{\n foreach key (key_list)\n {\n foreach item (registry_enum_keys(key:key))\n {\n upName = registry_get_sz(key:key + item, item:\"DisplayName\");\n if(upName =~ \"^Microsoft Visual Studio 2015 Update 3\")\n {\n if(!registry_key_exists(key:\"SOFTWARE\\Microsoft\\Updates\\Microsoft Visual Studio 2015\\Update for Microsoft Visual Studio 2015 (KB4469516)\") &&\n !registry_key_exists(key:\"SOFTWARE\\Wow6432Node\\Microsoft\\Updates\\Microsoft Visual Studio 2015\\Update for Microsoft Visual Studio 2015 (KB4469516)\"))\n {\n report = report_fixed_ver(installed_version:\"Visual Studio 2015 \" + vsVer, fixed_version:\"14.0.27529.0\");\n security_message(data:report);\n exit(0);\n }\n }\n }\n }\n}\n\nelse if(vsVer =~ \"^15\\.\")\n{\n if(\"x86\" >< os_arch){\n key_list_new = make_list(\"SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS7\\\");\n }\n\n else if(\"x64\" >< os_arch){\n key_list_new = make_list(\"SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS7\\\",\n \"SOFTWARE\\Wow6432Node\\Microsoft\\VisualStudio\\SxS\\VS7\\\");\n }\n\n foreach key (key_list_new)\n {\n installPath = registry_get_sz(key:key, item:\"15.0\");\n if(!installPath){\n continue;\n }\n\n binPath = installPath + \"Common7\\IDE\\PrivateAssemblies\\\";\n dllVer = fetch_file_version(sysPath:binPath, file_name:\"Microsoft.VisualStudio.Setup.dll\");\n }\n\n if(dllVer)\n {\n if(version_is_less_equal(version:dllVer, test_version:\"1.8.58.40810\")){\n vulnerable_range = \"Less than or equal to 1.8.58.40810\";\n }\n else\n {\n foreach key (key_list)\n {\n foreach item (registry_enum_keys(key:key))\n {\n version = registry_get_sz(key:key + item, item:\"DisplayVersion\");\n if(version == \"15.9.28307.53\")\n {\n if(version_is_less(version:dllVer, test_version:\"1.18.1042.9589\")){\n vulnerable_range = \"Less than 1.18.1042.9589\";\n }\n }\n }\n }\n }\n }\n}\n\nif(vulnerable_range)\n{\n report = report_fixed_ver(file_checked: binPath + 
\"Microsoft.VisualStudio.Setup.dll\",\n file_version:dllVer, vulnerable_range:vulnerable_range);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-02-08T15:51:39", "description": "### *Detect date*:\n12/11/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2012 \nInternet Explorer 11 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows 10 Version 1709 for x64-based Systems \nWindows RT 8.1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems 
\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1703 for 32-bit Systems \nInternet Explorer 10 \nWindows Server 2012 R2 \nWindows Server 2019\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8611](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8611>) \n[CVE-2018-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8477>) \n[CVE-2018-8619](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8619>) \n[CVE-2018-8643](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8643>) \n[CVE-2018-8641](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8641>) \n[CVE-2018-8596](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8596>) \n[CVE-2018-8514](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8514>) \n[CVE-2018-8639](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8639>) \n[CVE-2018-8595](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8595>) \n[CVE-2018-8621](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8621>) \n[CVE-2018-8622](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8622>) \n[CVE-2018-8625](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8625>) 
\n[CVE-2018-8631](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8631>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2018-8622](<https://vulners.com/cve/CVE-2018-8622>)2.1Warning \n[CVE-2018-8641](<https://vulners.com/cve/CVE-2018-8641>)7.2High \n[CVE-2018-8639](<https://vulners.com/cve/CVE-2018-8639>)7.2High \n[CVE-2018-8596](<https://vulners.com/cve/CVE-2018-8596>)4.3Warning \n[CVE-2018-8611](<https://vulners.com/cve/CVE-2018-8611>)7.2High \n[CVE-2018-8621](<https://vulners.com/cve/CVE-2018-8621>)2.1Warning \n[CVE-2018-8477](<https://vulners.com/cve/CVE-2018-8477>)2.1Warning \n[CVE-2018-8514](<https://vulners.com/cve/CVE-2018-8514>)2.1Warning \n[CVE-2018-8595](<https://vulners.com/cve/CVE-2018-8595>)4.3Warning \n[CVE-2018-8643](<https://vulners.com/cve/CVE-2018-8643>)7.6Critical \n[CVE-2018-8631](<https://vulners.com/cve/CVE-2018-8631>)7.6Critical \n[CVE-2018-8625](<https://vulners.com/cve/CVE-2018-8625>)7.6Critical \n[CVE-2018-8619](<https://vulners.com/cve/CVE-2018-8619>)7.6Critical\n\n### *KB list*:\n[4471319](<http://support.microsoft.com/kb/4471319>) \n[4471328](<http://support.microsoft.com/kb/4471328>) \n[4471318](<http://support.microsoft.com/kb/4471318>) \n[4471325](<http://support.microsoft.com/kb/4471325>) \n[4470199](<http://support.microsoft.com/kb/4470199>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "kaspersky", "title": "KLA11884 
Multiple vulnerability in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8611", "CVE-2018-8619", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8625", "CVE-2018-8631", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8643"], "modified": "2020-07-22T00:00:00", "id": "KLA11884", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11884/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-08T15:51:28", "description": "### *Detect date*:\n12/11/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Developer Tools. 
Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft .NET Framework 4.6 \nMicrosoft .NET Framework 4.6.2 \nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 4.7/4.7.1/4.7.2 \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 4.7.2 \nMicrosoft .NET Framework 3.5 Service Pack 1 \nMicrosoft .NET Framework 4.7.1/4.7.2 \nMicrosoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 \nMicrosoft Visual Studio 2015 Update 3 \nMicrosoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 \nMicrosoft Visual Studio 2017\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8599](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8599>) \n[CVE-2018-8517](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8517>) \n[CVE-2018-8540](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8540>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft .NET Framework](<https://threats.kaspersky.com/en/product/Microsoft-.NET-Framework/>)\n\n### *CVE-IDS*:\n[CVE-2018-8517](<https://vulners.com/cve/CVE-2018-8517>)\n\n### *KB list*:\n[4469516](<http://support.microsoft.com/kb/4469516>) \n[4470500](<http://support.microsoft.com/kb/4470500>) \n[4470638](<http://support.microsoft.com/kb/4470638>) \n[4471329](<http://support.microsoft.com/kb/4471329>) \n[4471323](<http://support.microsoft.com/kb/4471323>) \n[4470640](<http://support.microsoft.com/kb/4470640>) \n[4470498](<http://support.microsoft.com/kb/4470498>) \n[4471324](<http://support.microsoft.com/kb/4471324>) \n[4470637](<http://support.microsoft.com/kb/4470637>) 
\n[4470601](<http://support.microsoft.com/kb/4470601>) \n[4470639](<http://support.microsoft.com/kb/4470639>) \n[4470491](<http://support.microsoft.com/kb/4470491>) \n[4470641](<http://support.microsoft.com/kb/4470641>) \n[4470622](<http://support.microsoft.com/kb/4470622>) \n[4470493](<http://support.microsoft.com/kb/4470493>) \n[4470600](<http://support.microsoft.com/kb/4470600>) \n[4471327](<http://support.microsoft.com/kb/4471327>) \n[4470602](<http://support.microsoft.com/kb/4470602>) \n[4470492](<http://support.microsoft.com/kb/4470492>) \n[4470502](<http://support.microsoft.com/kb/4470502>) \n[4470623](<http://support.microsoft.com/kb/4470623>) \n[4471321](<http://support.microsoft.com/kb/4471321>) \n[4470630](<http://support.microsoft.com/kb/4470630>) \n[4470629](<http://support.microsoft.com/kb/4470629>) \n[4470499](<http://support.microsoft.com/kb/4470499>) \n[4470633](<http://support.microsoft.com/kb/4470633>) \n[4471102](<http://support.microsoft.com/kb/4471102>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "kaspersky", "title": "KLA11897 Multiple vulnerabilities in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8599"], "modified": "2020-07-21T00:00:00", "id": "KLA11897", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11897/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-08T16:00:30", "description": "### *Detect date*:\n12/11/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, gain privileges.\n\n### *Affected products*:\nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 3.5 Service Pack 1 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 4.6 \nMicrosoft .NET Framework 4.6.2 \nMicrosoft .NET Framework 4.7.2 \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 \nMicrosoft Visual Studio 2017 \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nMicrosoft Visual Studio 2015 Update 3 \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1709 for x64-based Systems \nMicrosoft .NET Framework 4.7/4.7.1/4.7.2 \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) \nMicrosoft .NET Framework 4.7.1/4.7.2 \nMicrosoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 \nMicrosoft .NET 
Framework 4.6.2/4.7/4.7.1/4.7.2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8517](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8517>) \n[CVE-2018-8540](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8540>) \n[CVE-2018-8599](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8599>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft .NET Framework](<https://threats.kaspersky.com/en/product/Microsoft-.NET-Framework/>)\n\n### *CVE-IDS*:\n[CVE-2018-8517](<https://vulners.com/cve/CVE-2018-8517>)\n\n### *KB list*:\n[4469516](<http://support.microsoft.com/kb/4469516>) \n[4470500](<http://support.microsoft.com/kb/4470500>) \n[4470638](<http://support.microsoft.com/kb/4470638>) \n[4471329](<http://support.microsoft.com/kb/4471329>) \n[4471323](<http://support.microsoft.com/kb/4471323>) \n[4470640](<http://support.microsoft.com/kb/4470640>) \n[4470498](<http://support.microsoft.com/kb/4470498>) \n[4471324](<http://support.microsoft.com/kb/4471324>) \n[4470637](<http://support.microsoft.com/kb/4470637>) \n[4470601](<http://support.microsoft.com/kb/4470601>) \n[4470639](<http://support.microsoft.com/kb/4470639>) \n[4470491](<http://support.microsoft.com/kb/4470491>) \n[4470641](<http://support.microsoft.com/kb/4470641>) \n[4470622](<http://support.microsoft.com/kb/4470622>) \n[4470493](<http://support.microsoft.com/kb/4470493>) \n[4470600](<http://support.microsoft.com/kb/4470600>) \n[4471327](<http://support.microsoft.com/kb/4471327>) \n[4470602](<http://support.microsoft.com/kb/4470602>) \n[4470492](<http://support.microsoft.com/kb/4470492>) \n[4470502](<http://support.microsoft.com/kb/4470502>) \n[4470623](<http://support.microsoft.com/kb/4470623>) \n[4471321](<http://support.microsoft.com/kb/4471321>) 
\n[4470630](<http://support.microsoft.com/kb/4470630>) \n[4470629](<http://support.microsoft.com/kb/4470629>) \n[4470499](<http://support.microsoft.com/kb/4470499>) \n[4470633](<http://support.microsoft.com/kb/4470633>) \n[4471102](<http://support.microsoft.com/kb/4471102>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-11T00:00:00", "type": "kaspersky", "title": "KLA11383 Multiple vulnerabilities in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8599"], "modified": "2020-07-22T00:00:00", "id": "KLA11383", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11383/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:32:57", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka \"Windows Kernel Information Disclosure Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows 
Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8621, CVE-2018-8622.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8477", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8621", "CVE-2018-8622"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8477", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8477", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*"]}, {"lastseen": "2023-02-09T14:33:08", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka \"Windows Kernel Information Disclosure Vulnerability.\" This affects Windows Server 2012, Windows 7, Windows Server 2008 R2. 
This CVE ID is unique from CVE-2018-8477, CVE-2018-8622.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8621", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8621", "CVE-2018-8622"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2018-8621", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8621", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2023-02-09T14:33:10", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka \"Windows Kernel Information Disclosure Vulnerability.\" This affects Windows 7, Windows Server 2012 
R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8477, CVE-2018-8621.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8622", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477", "CVE-2018-8621", "CVE-2018-8622"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8622", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8622", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*"]}, {"lastseen": "2023-02-09T14:33:08", "description": "An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka \"Windows GDI Information Disclosure Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8595.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8596", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595", "CVE-2018-8596"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", 
"cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8596", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8596", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:pro_n:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*"]}, {"lastseen": "2023-02-09T14:33:05", "description": "An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka \"Windows GDI Information Disclosure Vulnerability.\" This affects Windows 7, 
Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8596.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8595", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595", "CVE-2018-8596"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", 
"cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8595", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:pro_n:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*"]}, {"lastseen": "2023-02-09T14:33:09", "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 
This CVE ID is unique from CVE-2018-8641.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8639", "cwe": ["CWE-404"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8639", "CVE-2018-8641"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8639", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, 
"cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:pro_n:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:09", "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 
This CVE ID is unique from CVE-2018-8639.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8641", "cwe": ["CWE-404"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8639", "CVE-2018-8641"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8641", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8641", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:06", "description": "An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations, aka \"Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability.\" This affects Microsoft Visual Studio, Windows Server 2019, Windows Server 2016, Windows 10, Windows 10 Servers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8599", "cwe": ["CWE-273"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8599"], "modified": "2020-09-14T12:59:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1709", "cpe:/a:microsoft:visual_studio_2017:15.9", "cpe:/a:microsoft:visual_studio:2015", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1703"], "id": "CVE-2018-8599", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8599", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio:2015:update3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:visual_studio_2017:15.9:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:00", "description": "An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory, aka 
\"Remote Procedure Call runtime Information Disclosure Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8514", "cwe": ["CWE-665"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8514"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8514", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8514", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*"]}, {"lastseen": "2023-02-09T14:33:08", "description": "A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests, aka \"Windows DNS Server Heap Overflow Vulnerability.\" This affects Windows Server 2012 R2, Windows Server 2019, Windows Server 2016, Windows 10, Windows 10 Servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8626", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8626"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1809"], "id": "CVE-2018-8626", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8626", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:08", "description": "A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values, aka 
\"Connected User Experiences and Telemetry Service Denial of Service Vulnerability.\" This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8612", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8612"], "modified": "2019-01-04T14:17:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1703"], "id": "CVE-2018-8612", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8612", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:09", "description": "An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass, aka \"Win32k Information Disclosure Vulnerability.\" This affects Windows 10 Servers, Windows 10, Windows Server 2019.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8637", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8637"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803"], "id": "CVE-2018-8637", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8637", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:07", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \"Windows Kernel Elevation of Privilege Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8611", "cwe": ["CWE-404"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", 
"cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2018-8611", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8611", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:pro_n:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:10", "description": "A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in 
the memory, aka \"Microsoft Text-To-Speech Remote Code Execution Vulnerability.\" This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8634", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8634"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1703"], "id": "CVE-2018-8634", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8634", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:09", "description": "An information disclosure vulnerability exists when DirectX improperly handles objects in memory, aka \"DirectX Information Disclosure Vulnerability.\" This affects Windows 10, Windows Server 2019.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8638", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8638"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809"], "id": "CVE-2018-8638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8638", "cvss": 
{"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:10", "description": "A denial of service vulnerability exists when Windows improperly handles objects in memory, aka \"Windows Denial of Service Vulnerability.\" This affects Windows 10, Windows Server 2019.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-12T00:29:00", "type": "cve", "title": "CVE-2018-8649", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8649"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809"], "id": "CVE-2018-8649", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8649", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}], "cisa": [{"lastseen": "2021-02-24T18:07:14", "description": "The CERT Coordination Center (CERT/CC) 
has released information on vulnerabilities affecting versions of Microsoft Windows and Windows Server. A remote attacker could exploit these vulnerabilities to take control of an affected system.\n\nThe National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review CERT/CC\u2019s Vulnerability Notes [VU#289907](<https://www.kb.cert.org/vuls/id/289907/>) and [VU#531281](<https://www.kb.cert.org/vuls/id/531281/>) and Microsoft\u2019s security advisories for [CVE-2018-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>) and [CVE-2018-8626](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2019/01/04/CERTCC-Reports-Critical-Vulnerabilities-Microsoft-Windows-Server>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-04T00:00:00", "type": "cisa", "title": "CERT/CC Reports Critical Vulnerabilities in Microsoft Windows, Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611", "CVE-2018-8626"], "modified": "2019-01-04T00:00:00", "id": "CISA:AFED810A1B96D9158C0497156BFFC453", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/01/04/CERTCC-Reports-Critical-Vulnerabilities-Microsoft-Windows-Server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-01-04T10:25:11", "description": "[](<https://1.bp.blogspot.com/-o-bMM_JQczQ/XBKvF5mhu2I/AAAAAAAAABE/DRJvFGzVnH8ODP7dMWLdnhgYbZqlF9Z8QCLcBGAs/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>)\n\n \nMicrosoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated \u201ccritical\u201d and 29 that are considered \u201cimportant.\u201d There are no \u201cmoderate\u201d or \u201clow\u201d vulnerabilities in this release. \n \nThe advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser. \n \nFor coverage of these vulnerabilities, check out our Snort blog post on [this week's rule update](<https://blog.snort.org/2018/12/snort-rule-update-for-dec-11-2018.html>). \n \n\n\n### Critical vulnerabilities\n\n \nMicrosoft disclosed nine critical vulnerabilities this month, which we will highlight below. 
\n \n[CVE-2018-8583](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8583>), [CVE-2018-8617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8617>), [CVE-2018-8618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8618>), [CVE-2018-8624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8624>) and [CVE-2018-8629](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8629>) are all memory corruption vulnerabilities in the Chakra scripting engine that could allow an attacker to execute code on the victim machine remotely. All of the bugs lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities by tricking a user into visiting a web page using Microsoft Edge, or by tricking them into clicking on specially crafted content on other sites that accept user-created content. \n \n[CVE-2018-8540](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8540>) is a remote code injection vulnerability in the Microsoft .NET framework. An attacker can exploit this flaw by passing a specific input to an application utilizing vulnerable .NET methods. If successful, the attacker could take control of an affected system. \n \n[CVE-2018-8626](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626>) is a remote code execution vulnerability that exists in Windows DNS servers when they fail to properly handle requests. An attacker could run arbitrary code on an affected system if they exploit the vulnerability by sending malicious requests to a Windows DNS server. Windows servers that are configured as DNS servers are susceptible to this vulnerability. \n \n[CVE-2018-8631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8631>) is a remote code execution vulnerability in Internet Explorer. 
The bug lies in the way the web browser accesses objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. If successful, the attacker could execute arbitrary code in the context of the current user. \n \n[CVE-2018-8634](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8634>) is a memory corruption vulnerability in Microsoft Edge that exists when the web browser improperly handles objects in memory. An attacker who successfully exploits this flaw by tricking a user into visiting a malicious, specially crafted web page could gain the ability to execute arbitrary code on the machine in the context of the current user. \n\n\n### Important vulnerabilities\n\nThis release also contains 29 important vulnerabilities, eight of which we will highlight below. \n \n[CVE-2018-8597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8597>) and [CVE-2018-8636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8636>) are remote code execution vulnerabilities in Microsoft Excel that exist when the software fails to properly handle objects in memory. An attacker can exploit these bugs by tricking the user into opening a specially crafted Excel file, either via the web or as an email attachment. If successful, the attacker could gain the ability to execute arbitrary code on the system in the context of the current user. \n \n[CVE-2018-8587](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8587>) is a remote code execution vulnerability in Microsoft Outlook that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted email attachment while using the Outlook client. 
If successful, the attacker could use a specially crafted file to perform actions in the security context of the current user. For example, the file could act on behalf of the logged-on user with the same permissions as the current user. \n \n[CVE-2018-8590](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8590>) is a remote code execution vulnerability in Microsoft Word that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a malicious, specially crafted Word document, either via email, the web, or another vector. \n \n[CVE-2018-8619](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8619>) is a remote code execution vulnerability that exists when the Internet Explorer VBScript execution policy improperly restricts VBScript in certain scenarios. An attacker could use this vulnerability to run arbitrary code with the permissions of the current user. A user could trigger this vulnerability if they visited a specially crafted web page using Internet Explorer. \n \n[CVE-2018-8625](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8625>) is a remote code execution vulnerability in the VBScript engine. The vulnerability could corrupt memory in such a way that an attacker could execute code in the context of the current user. An attacker could trigger this flaw by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked \u201csafe for initialization\u201d in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. \n \n[CVE-2018-8628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8628>) is a remote code execution vulnerability in Microsoft PowerPoint that lies in the way the software processes objects in memory. 
An attacker could exploit this bug by tricking the user into opening a specially crafted, malicious PowerPoint file, which would eventually grant them the ability to execute code remotely in the context of the current user. The Preview Pane is not an attack vector for this vulnerability \u2014 the user must open the file in PowerPoint. \n \n[CVE-2018-8643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8643>) is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker could exploit this bug by tricking a user into visiting a specially crafted web page on Internet Explorer. Additionally, they could embed an ActiveX control marked \u201csafe for initialization\u201d in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. If successful, the attacker could then corrupt memory in such a way that they could execute arbitrary code in the context of the current user. 
\n \nThe other important vulnerabilities in this release are: \n\n\n * [CVE-2018-8477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8477>)\n * [CVE-2018-8514](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8514>)\n * [CVE-2018-8517](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8517>)\n * [CVE-2018-8580](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8580>)\n * [CVE-2018-8595](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8595>)\n * [CVE-2018-8596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8596>)\n * [CVE-2018-8598](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8598>)\n * [CVE-2018-8599](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8599>)\n * [CVE-2018-8604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8604>)\n * [CVE-2018-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>)\n * [CVE-2018-8612](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8612>)\n * [CVE-2018-8614](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8614>)\n * [CVE-2018-8616](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8616>)\n * [CVE-2018-8621](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8621>)\n * [CVE-2018-8622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8622>)\n * [CVE-2018-8627](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8627>)\n * [CVE-2018-8630](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8630>)\n * [CVE-2018-8635](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8635>)\n * 
[CVE-2018-8637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8637>)\n * [CVE-2018-8638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8638>)\n * [CVE-2018-8639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639>)\n * [CVE-2018-8643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8643>)\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing the following SNORT\u24c7 rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nSnort rules: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562\n\n", "cvss3": {}, "published": "2018-12-11T10:35:00", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 December 2018: Vulnerability disclosures and Snort coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8477", "CVE-2018-8514", "CVE-2018-8517", "CVE-2018-8540", "CVE-2018-8580", "CVE-2018-8583", "CVE-2018-8587", "CVE-2018-8590", "CVE-2018-8595", "CVE-2018-8596", "CVE-2018-8597", "CVE-2018-8598", "CVE-2018-8599", "CVE-2018-8604", "CVE-2018-8611", "CVE-2018-8612", "CVE-2018-8614", "CVE-2018-8616", "CVE-2018-8617", "CVE-2018-8618", "CVE-2018-8619", "CVE-2018-8621", "CVE-2018-8622", "CVE-2018-8624", "CVE-2018-8625", "CVE-2018-8626", "CVE-2018-8627", "CVE-2018-8628", "CVE-2018-8629", "CVE-2018-8630", "CVE-2018-8631", "CVE-2018-8634", "CVE-2018-8635", "CVE-2018-8636", "CVE-2018-8637", "CVE-2018-8638", "CVE-2018-8639", "CVE-2018-8643"], "modified": "2018-12-13T19:16:34", "id": "TALOSBLOG:E1235309A97B4CBFE2437713DD6742B8", "href": 
"http://feedproxy.google.com/~r/feedburner/Talos/~3/ivPs31SzFMM/microsoft-patch-tuesday-december-2018.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2023-03-06T14:41:07", "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u201cWin32k Elevation of Privilege Vulnerability.\u201d This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T00:00:00", "type": "attackerkb", "title": "CVE-2018-8639", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8639", "CVE-2018-8641"], "modified": "2020-07-24T00:00:00", "id": 
"AKB:AADC94FF-A101-411D-91A5-4F61F0BBF467", "href": "https://attackerkb.com/topics/vPXEi0iJ96/cve-2018-8639", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:12:28", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u201cWindows Kernel Elevation of Privilege Vulnerability.\u201d This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:03am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-12T00:00:00", "type": "attackerkb", "title": "CVE-2018-8611", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611"], "modified": "2020-07-24T00:00:00", "id": "AKB:04EA1B54-D2F3-492C-8840-E61BDA5162E7", "href": "https://attackerkb.com/topics/O3LtWHuaM2/cve-2018-8611", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-11-03T07:11:28", "description": "Microsoft has patched a zero-day vulnerability actively being used against older versions of the Windows operating system, as part of its December Patch Tuesday updates.\n\nAccording to the software giant, the vulnerability ([CVE-2018-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>)) is an elevation-of-privilege (EoP) bug that affects Windows 7 through Server 2019. It has a CVSS rating of seven, classifying it as a high-severity flaw.\n\nThe EoP is triggered when the Windows kernel fails to properly handle objects in memory, according to Microsoft. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d wrote Microsoft in [its December Patch Tuesday](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>) bulletin.\n\nHowever, \u201cthe attacker would first have to log onto the system then run a specially crafted application to take control of the affected system,\u201d said Chris Goettl, director of product management, security, Ivanti.\n\nIn addition to the zero-day bug, Microsoft patched nine critical vulnerabilities and 30 flaws rated important, impacting a range of Microsoft products from Internet Explorer, Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework.\n\nOne of these ([CVE-2018-8517](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8517>)) is noteworthy because it was publicly known ahead of the scheduled update released Tuesday, but not exploited, according to the security bulletin. The flaw is a .NET framework denial-of-service vulnerability.\n\n\u201cA remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application,\u201d wrote Microsoft. \u201cThe vulnerability can be exploited remotely, without authentication.\u201d\n\nFive of the nine critical vulnerabilities are tied to Microsoft\u2019s Chakra scripting engine, a JavaScript engine developed for the Edge web browser. 
Each of the flaws are memory-corruption bugs that would allow an adversary to execute arbitrary code during a user session, elevate user rights and ultimately take control of the affected system.\n\n\u201cBrowser and scripting engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,\u201d advised Qualys [in its Patch Tuesday commentary](<https://blog.qualys.com/laws-of-vulnerabilities/2018/12/11/december-2018-patch-tuesday-39-vulns-workstation-patches-adobe-vulns>). \u201cThis includes multi-user servers that are used as remote desktops for users. Out of the 9 critical vulnerabilities, 6 can be exploited through browsers.\u201d\n\nAnother noteworthy remote code-execution bug [CVE-2018-8634](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8634>) (rated important) impacts Microsoft\u2019s text-to-speech engine.\n\n\u201cThis patch is interesting for a couple of different reasons. First, newer functionalities like text-to-speech have a somewhat unknown attack surface,\u201d wrote Dustin Childs, a certified information systems security professional with Zero Day Initiative, in an analysis.\n\n\u201cThis isn\u2019t the first text-to-speech related bug \u2013 [Android had one a few years ago](<https://threatpost.com/black-hat-2018-voice-authentication-is-broken-researchers-say/134926/>) \u2013 but it\u2019s certainly not often seen,\u201d he added. \u201cSecondly, Microsoft doesn\u2019t state a sample exploit scenario, but since generating speech requires an HTTP POST request to the speech service, it\u2019s possible this could be remotely accessible if your application is network facing. 
Either way, if you employ text-to-speech, don\u2019t overlook this patch.\u201d\n\nIn all, the 39 bugs patched by Microsoft represent a relatively low number of vulnerabilities to address in one month, especially when compared to [the 87 reported flaws reported by Adobe on Tuesday](<https://threatpost.com/adobe-december-2018-patch-tuesday/139792/>).\n", "cvss3": {}, "published": "2018-12-11T22:02:00", "type": "threatpost", "title": "Zero-Day Bug Patched by Microsoft, Part of December Patch TuesdZero-Day Bug Fixed by Microsoft in December Patch Tuesdayay", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-8517", "CVE-2018-8611", "CVE-2018-8634"], "modified": "2018-12-11T22:02:00", "id": "THREATPOST:2E654D55F3DCC64D0CE6111B5A74B86B", "href": "https://threatpost.com/zero-day-microsoft-december-patch-tuesday/139826/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-14T11:53:08", "description": "A just-patched vulnerability in the Windows operating system that was previously unknown up until last week is being actively exploited in the wild; it opens the door for full system takeover.\n\nDiscovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick\u2019s Day this year, the flaw (CVE-2019-0859) is a use-after-free issue in the Windows kernel that allows local privilege escalation (LPE). It\u2019s being used in advanced persistent threat (APT) campaigns, the researchers said, targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10).\n\nThe attackers are using the bug to establish persistent backdoors to targeted machines, gaining the ability to run arbitrary code in kernel mode. 
An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\n\nFortunately, [there\u2019s a patch](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0859>), which Microsoft pushed out in the most recent Patch Tuesday last week, so users should update their systems as soon as possible.\n\n## Improper Handling of Objects in Memory\n\nIn the win32k.sys kernel, the Function ID field is used to define the class of a window, such as \u201cScrollBar,\u201d \u201cMenu,\u201d \u201cDesktop\u201d and others. The bug allows an attacker to manipulate the process of creating a window by sending specially crafted data sets to the Function ID field.\n\n\u201cDuring execution, CreateWindowEx sends the message WM_NCCREATE to the window when it\u2019s first created,\u201d the researchers said in [an analysis](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) on Monday. \u201cBy using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.\u201d\n\nDuring that WM_NCCREATE callback, the Function ID is set to 0, which allows an adversary to set extra data for the window. \u201cMore importantly, we were able to change the address for the window procedure that was executed immediately after our hook,\u201d researchers said. \u201cThe change of window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc and the function initiates Function ID to FNID_MENU because the current message is equal to WM_NCCREATE. 
But the most important part is that the ability to manipulate extra data prior to setting Function ID to FNID_MENU can force the xxxMenuWindowProc function to stop initialization of the menu and return FALSE.\u201d\n\nBecause of that, sending of the NCCREATE message will be considered a failed operation, so the MENU-class window is not actually initialized, which allows an attacker to gain control over the address of freed-up memory block.\n\n## Exploitation\n\nAn attacker (who would need to already be logged into the system) can run a specially crafted application to exploit the vulnerability.\n\nIn the observed attacks, a malicious executable makes use of the legitimate PowerShell framework with a Base64-encoded command, which then fetches a second-stage PowerShell script from a Pastebin site. That in turn executes a third and final stage, also a PowerShell script, which unpacks lightweight shellcode.\n\n\u201cThe main goal of the shellcode is to make a trivial HTTP reverse shell,\u201d the researchers explained. \u201cThis helps the attacker gain full control over the victim\u2019s system.\u201d\n\nThe use of PowerShell, which is built into Windows, along with simple encoding techniques, helps [obfuscate malicious activity](<https://threatpost.com/powershell-obfuscation-ups-the-ante-on-antivirus/137403/>) and keep anti-virus detections at bay.\n\nThreatpost has reached out to Kaspersky Lab for additional details on the victimology of the campaigns.\n\n\u201cAt this time we don\u2019t have any information at that time regarding the target,\u201d the firm told Threatpost. \u201cWe have not seen activity of this group before and our researchers are currently investigating this attack to restore full kill chain. As soon as we will find the initial vector of attack we will share this information.\u201d\n\nThis is the fifth consecutive exploited LPE zero-day vulnerability discovered in Windows recently. 
The others are [CVE-2018-8453](<https://threatpost.com/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw/138192/>), [CVE-2018-8589](<https://threatpost.com/microsoft-patches-zero-day-bug-in-win7-server-2008-and-2008-r2/139073/>), [CVE-2018-8611](<https://threatpost.com/zero-day-microsoft-december-patch-tuesday/139826/>) (a zero-day in the Windows Kernel Transaction Manager) and the [CVE-2019-0797](<https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/>) \u201cfourth horseman\u201d vulnerability. The latter was seen [being exploited in the wild](<https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/>) by at least two threat actors, including a recently discovered APT group dubbed SandCat, and the FruityArmor group.\n\n**_Don\u2019t miss our free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/8845482382938181378?source=ART>)**_, \u201cData Security in the Cloud,\u201d on April 24 at 2 p.m. ET._**\n\n**_A panel of experts will join Threatpost senior editor Tara Seals to discuss _****_how to lock down data when the traditional network perimeter is no longer in place. 
They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS._**\n", "cvss3": {}, "published": "2019-04-16T16:13:33", "type": "threatpost", "title": "Windows Zero-Day Emerges in Active Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-8453", "CVE-2018-8589", "CVE-2018-8611", "CVE-2019-0797", "CVE-2019-0859"], "modified": "2019-04-16T16:13:33", "id": "THREATPOST:2449B7C3317E847CB7244592BA73C2B8", "href": "https://threatpost.com/windows-zero-day-active-exploits/143820/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:43:11", "description": "<html><body><p>Description of the security update for the elevation of privilege vulnerabilities in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009: December 11, 2018</p><h2>Summary</h2><div><div class=\"ng-scope\" style='box-sizing:inherit;outline:none;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'><h2 class=\"c-heading-4 f-lean bold ng-binding\" style=\"box-sizing:inherit;margin-top:24px;margin-bottom:0px;font-size:24px;line-height:28px;padding:0px;\"></h2></div><div class=\"section-body ng-scope\" style='box-sizing:inherit;outline:none;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'><div class=\"ng-scope\" data-grid=\"col-12\" style=\"box-sizing:border-box;outline:none;zoom:1;float:left;min-height:1px;width:868.281px;\"><div class=\"ng-isolate-scope\" data-grid=\"col-12\" style=\"box-sizing:border-box;outline:none;zoom:1;float:left;min-height:1px;width:868.281px;\"><div class=\"kb-summary-section section ng-scope\" style=\"box-sizing:inherit;outline:none;margin-bottom:12px;\">Windows 
elevation of privilege vulnerabilities exist in the following scenarios:<ul style=\"box-sizing:inherit;margin:0px 0px 16px 32px;padding:0px;list-style-position:initial;list-style-image:initial;\"><li style=\"box-sizing:inherit;margin-bottom:8px;margin-top:8px;\">When Windows incorrectly handles calls to Win32k.sys.</li><li style=\"box-sizing:inherit;margin-bottom:8px;margin-top:8px;\">When the Win32k component does not correctly handle objects in memory.</li><li style=\"box-sizing:inherit;margin-bottom:8px;margin-top:8px;\">When the Windows kernel mode driver does not correctly handle objects in memory.</li></ul>To learn more about these vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE).\u00a0<br style=\"box-sizing:inherit;\"/><ul class=\"sbody-free_list\" style=\"box-sizing:inherit;margin:0px 0px 16px 32px;padding:0px 20px;list-style-position:initial;list-style-image:initial;\"><li style=\"box-sizing:inherit;margin-bottom:8px;margin-top:8px;\"><a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8589\" id=\"kb-link-2\" style=\"box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0, 103, 184);\">CVE-2018-8589</a></li><li style=\"box-sizing:inherit;margin-bottom:8px;margin-top:8px;\"><a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8639\" id=\"kb-link-2\" style=\"box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0, 103, 184);\">CVE-2018-8639</a></li><li style=\"box-sizing:inherit;margin-bottom:8px;margin-top:8px;\"><a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8641\" id=\"kb-link-2\" style=\"box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0, 103, 184);\">CVE-2018-8641</a></li></ul></div></div></div></div></div><h2>How to get and install the update</h2><div><p class=\"MsoNormal\" style=\"margin:0.25in 0in 
24pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-attachment:initial;background-origin:initial;background-clip:initial;\"><b><span style='font-size:11.5pt;font-family:\"Segoe UI\",sans-serif;color:black;'>Method 1: Windows Update</span></b></p><p class=\"MsoNormal\" style=\"margin:0.25in 0in 24pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-attachment:initial;background-origin:initial;background-clip:initial;\"><span style='font-size:11.5pt;font-family:\"Segoe UI\",sans-serif;color:black;'>This update is availablethrough Windows Update. When you turn on automatic updating, this update willbe downloaded and installed automatically. For more information about how toturn on automatic updating, see <a href=\"https://support.microsoft.com/help/12373/windows-update-faqx\"><span style=\"color:#0067B8;\">Windows Update: FAQ</span></a>.</span></p><p class=\"MsoNormal\" style=\"margin:0.25in 0in 24pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-attachment:initial;background-origin:initial;background-clip:initial;\"><b><span style='font-size:11.5pt;font-family:\"Segoe UI\",sans-serif;color:black;'>Method 2: Microsoft Update Catalog</span></b></p><p class=\"MsoNormal\" style=\"margin:0.25in 0in 24pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-attachment:initial;background-origin:initial;background-clip:initial;\"><span style='font-size:11.5pt;font-family:\"Segoe UI\",sans-serif;color:black;'>To get the standalonepackage for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/search.aspx?q=4473078\"><span style=\"color:#0067B8;\">Microsoft Update Catalog</span></a>\u00a0website.</span></p><p class=\"MsoNormal\"><b>Important</b></p><span 
style='font-size:11.5pt;font-family:\"Segoe UI\",sans-serif;color:black;'>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see\u00a0<a href=\"https://technet.microsoft.com/library/hh825699\"><span style=\"color:#0067B8;\">Add language packs to Windows</span></a>.</span></div><h2>Update information</h2><div><div class=\"ng-scope\" style='box-sizing:inherit;outline:none;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'><div class=\"ng-isolate-scope\" style=\"box-sizing:inherit;outline:none;margin-bottom:20px;\"><span style='color:rgb(34, 34, 34);font-family:\"Segoe UI\", \"Helvetica Neue\", Helvetica, Arial, Verdana;font-size:14px;font-weight:700;'>Security update deployment information</span></div></div><div class=\"ng-scope\" style='box-sizing:inherit;outline:none;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'><div class=\"ng-isolate-scope\" style=\"box-sizing:inherit;outline:none;margin-bottom:20px;\"><section aria-hidden=\"false\" class=\"section ng-scope\" data-before=\"\" data-grid=\"col-12\" id=\"\" style=\"box-sizing:border-box;zoom:1;float:left;min-height:1px;width:868.281px;margin-bottom:12px;\"><div class=\"section-body ng-scope\" style=\"box-sizing:inherit;outline:none;\"><div class=\"ng-scope\" data-grid=\"col-12\" style=\"box-sizing:border-box;outline:none;zoom:1;float:left;min-height:1px;width:868.281px;\"><div class=\"ng-isolate-scope\" data-grid=\"col-12\" style=\"box-sizing:border-box;outline:none;zoom:1;float:left;min-height:1px;width:868.281px;\"><span class=\"ng-scope\" style=\"box-sizing:inherit;outline:none;\">For deployment details for this security update, go to the following article in the Microsoft Knowledge Base:\u00a0</span><br 
class=\"ng-scope\" style=\"box-sizing:inherit;\"/><div class=\"indent ng-scope\" style=\"box-sizing:inherit;outline:none;padding:8px 16px;\"><a href=\"https://support.microsoft.com/help/20181211\" id=\"kb-link-9\" style=\"box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0, 103, 184);\">Security update deployment information: December 11, 2018</a></div></div></div></div></section></div></div></div><h2>File information</h2><div><div></div><span><span><span><span><span><span style=\"font-weight:700;\">File hash information</span><br/></span></span></span></span></span><div><div class=\"faq-section ng-scope ng-isolate-scope\" style='box-sizing:inherit;outline:none;margin-bottom:24px;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'><div class=\"faq-panel ng-scope ng-isolate-scope\" style=\"box-sizing:inherit;outline:none;\"><a aria-expanded=\"true\" class=\"link-expand bold\" data-bi-id=\"faq-panel-content\" href=\"https://support.microsoft.com/authoring/\" role=\"button\" style=\"box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0, 103, 184);display:inline-block;margin-bottom:5px;width:868.281px;\" title=\"File hash information\"><span class=\"link-expand-text ng-binding faq-panel-show\" id=\"\" style=\"box-sizing:inherit;outline:none;display:block;margin-left:27px;\"><b></b></span></a><div aria-hidden=\"false\" class=\"faq-panel-body ng-isolate-scope\" style=\"box-sizing:inherit;outline:none;margin-left:27px;\"><table class=\"ng-scope\" style=\"box-sizing:inherit;border-collapse:collapse;border-spacing:0px;border-width:2px;width:841.25px;max-width:100%;table-layout:fixed;\"><tbody style=\"box-sizing:inherit;\"><tr style=\"box-sizing:inherit;border-width:2px;border-color:rgb(187, 187, 187);padding:4px;border-top-style:none !important;\"><th style=\"box-sizing:inherit;padding:0px;\">File name</th><th 
style=\"box-sizing:inherit;padding:0px;\">SHA1 hash</th><th style=\"box-sizing:inherit;padding:0px;\">SHA256 hash</th></tr><tr style=\"box-sizing:inherit;border-width:2px;border-color:rgb(187, 187, 187);padding:4px;\"><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);background-color:rgb(242, 242, 242);\">WindowsXP-KB4473078-x86-Embedded-ENU.exe</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">2858CA4706ADD3D7AA39B20C931B2E1409EA90BE</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">F3986A262432F7AD31C0A6DB8706E08437377CB120D417A677CAD132BA946519</td></tr></tbody></table></div></div></div><span class=\"ng-scope\" style='box-sizing:inherit;font-weight:700;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'>File information</span><br class=\"ng-scope\" style='box-sizing:inherit;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'/><span class=\"ng-scope\" style='box-sizing:inherit;outline:none;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. 
Additionally, the dates and the times may change when you perform certain operations on the files.</span><br class=\"ng-scope\" style='box-sizing:inherit;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'/><br class=\"ng-scope\" style='box-sizing:inherit;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'/><span class=\"ng-scope\" style='box-sizing:inherit;font-weight:700;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'>Windows XP file information</span><br class=\"ng-scope\" style='box-sizing:inherit;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'/><div class=\"faq-section ng-scope ng-isolate-scope\" style='box-sizing:inherit;outline:none;margin-bottom:24px;color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;'><div class=\"spacer-12-bottom\" style=\"box-sizing:inherit;outline:none;margin-bottom:12px !important;\"></div><div class=\"faq-panel ng-scope ng-isolate-scope\" style=\"box-sizing:inherit;outline:none;\"><a aria-expanded=\"true\" class=\"link-expand bold\" data-bi-id=\"faq-panel-content\" href=\"https://support.microsoft.com/authoring/\" role=\"button\" style=\"box-sizing:inherit;background-color:transparent;font-weight:600;text-decoration-line:none;color:rgb(0, 103, 184);display:inline-block;margin-bottom:5px;width:868.281px;\" title=\"For all supported x86-based versions\"><span class=\"link-expand-image\" style=\"box-sizing:inherit;outline:none;float:left;display:block;\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\" style='box-sizing:inherit;font-family:\"Dev Center MDL2 Assets\", \"Membership MDL2 
Assets\";font-weight:normal;line-height:1;position:relative;top:1px;display:inline-block;vertical-align:baseline;float:left;color:rgb(92, 45, 145);font-size:12px;padding:2px 0px;'></span></span><span class=\"link-expand-text ng-binding faq-panel-show\" id=\"\" style=\"box-sizing:inherit;outline:none;display:block;margin-left:27px;\"><span><span><span><span><span><span><span>For all supported x86-based versions</span></span></span></span></span></span></span></span></a><div aria-hidden=\"false\" class=\"faq-panel-body ng-isolate-scope\" style=\"box-sizing:inherit;outline:none;margin-left:27px;\"><table class=\"table ng-scope\" style=\"box-sizing:inherit;border-collapse:collapse;border-spacing:0px;border-width:2px;width:841.25px;max-width:100%;table-layout:fixed;\"><tbody style=\"box-sizing:inherit;\"><tr style=\"box-sizing:inherit;border-width:2px;border-color:rgb(187, 187, 187);padding:4px;border-top-style:none !important;\"><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);background-color:rgb(242, 242, 242);\"><span class=\"sbody-strong\" style=\"box-sizing:inherit;font-weight:700;\">File name</span></td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\"><span class=\"sbody-strong\" style=\"box-sizing:inherit;font-weight:700;\">File version</span></td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\"><span class=\"sbody-strong\" style=\"box-sizing:inherit;font-weight:700;\">File size</span></td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\"><span class=\"sbody-strong\" style=\"box-sizing:inherit;font-weight:700;\">Date</span></td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\"><span class=\"sbody-strong\" style=\"box-sizing:inherit;font-weight:700;\">Time</span></td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\"><span class=\"sbody-strong\" 
style=\"box-sizing:inherit;font-weight:700;\">Platform</span></td></tr><tr style=\"box-sizing:inherit;border-width:2px;border-color:rgb(187, 187, 187);padding:4px;\"><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);background-color:rgb(242, 242, 242);\">Win32k.sys</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">5.1.2600.7610</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">1,914,240</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">13-Nov-2018</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">05:28</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">x86</td></tr><tr style=\"box-sizing:inherit;border-width:2px;border-color:rgb(187, 187, 187);padding:4px;\"><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);background-color:rgb(242, 242, 242);\">Updspapi.dll</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">6.3.13.0</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">382,840</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">01-Feb-2018</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">21:28</td><td style=\"box-sizing:inherit;padding:4px;border:1px solid rgb(208, 208, 208);\">x86</td></tr></tbody></table></div></div></div></div></div><h2>How to get help and support for this security update</h2><div><div aria-hidden=\"false\" class=\"faq-panel-body ng-isolate-scope\" style='color:rgb(0, 0, 0);font-family:\"Segoe UI\", SegoeUI, \"Helvetica Neue\", Helvetica, Arial, sans-serif;font-size:15px;box-sizing:inherit;outline:none;margin-left:27px;'><span class=\"ng-scope\" style=\"box-sizing:inherit;outline:none;\"><div class=\"kb-collapsible kb-collapsible-collapsed\" 
style=\"box-sizing:inherit;outline:none;\">Help for installing updates:\u00a0<a aria-live=\"assertive\" class=\"managed-link content-anchor-link\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://www.microsoft.com/safety/pc-security/updates.aspx\" style=\"color:rgb(0, 103, 184);box-sizing:inherit;background-color:transparent;text-decoration-line:none;\" tabindex=\"0\" target=\"_blank\">Protect yourself online</a>\u00a0<br style=\"box-sizing:inherit;\"/><br style=\"box-sizing:inherit;\"/>Help for protecting your Windows-based computer from viruses and malware:\u00a0<a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" style=\"color:rgb(0, 103, 184);box-sizing:inherit;background-color:transparent;text-decoration-line:none;\">Microsoft Secure</a>\u00a0<br style=\"box-sizing:inherit;\"/><br style=\"box-sizing:inherit;\"/>Local support according to your country:\u00a0<a href=\"https://www.microsoft.com/locale.aspx\" id=\"kb-link-18\" style=\"color:rgb(0, 103, 184);box-sizing:inherit;background-color:transparent;text-decoration-line:none;\">International Support</a></div></span></div></div></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "mskb", "title": "Description of the security update for the elevation of privilege vulnerabilities in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009: December 11, 2018", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8641", "CVE-2018-8589", "CVE-2018-8639"], "modified": "2018-12-11T18:01:24", "id": "KB4473078", "href": "https://support.microsoft.com/en-us/help/4473078/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-20T10:36:40", "description": "None\n**Applies to:** All Visual Studio 2015 Update 3 editions except Build Tools \n\n**Notice**In November 2020, the content of this article was updated to clarify the affected products, prerequisites, and restart requirements. Additionally, the update metadata in WSUS was revised to fix a Microsoft System Center Configuration Manager reporting bug. \n\n## Summary\n\nAn elevation of privilege vulnerability exists if the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations. 
\n \nTo learn more about the vulnerability, go to [CVE-2018-8599](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8599>).\n\n## How to obtain and install the update \n\n### Visual Studio 2015 Update 3\n\n#### Method 1: Microsoft Download\n\nThe following file is available for download: [Download the hotfix package now.](<http://aka.ms/vs/14/release/4469516>)\n\n#### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=4469516>) website.\n\n### Remote Tools for Visual Studio 2015 Update 3\n\nTo download the updated Remote Tools for Visual Studio 2015 Update 3, go to the following Microsoft webpage: [Remote Tools for Visual Studio 2015 Update 3](<https://my.visualstudio.com/Downloads?q=visual%20studio%202015%20update%203%20remote%20tools&pgroup>)\n\n## More information\n\n### Prerequisites\n\nTo apply this security update, you must have both [Visual Studio 2015 Update 3](<https://aka.ms/vs/14/docs/2015_Update3>) and the subsequent [Cumulative Servicing Release KB 3165756](<https://aka.ms/vs/14/release/3165756>) installed. Typically, KB 3165756 is installed automatically when you install Visual Studio 2015 Update 3. However, in some cases, you have to install the two packages separately.\n\n### Restart requirement\n\nWe recommend that you close Visual Studio 2015 before you install this security update. 
Otherwise, you may have to restart the computer after you apply this security update if a file that is being updated is open or in use by Visual Studio.\n\n### Security update replacement information\n\nThis update replaces security update [4463110](<http://support.microsoft.com/kb/4463110>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nvs14-kb4469516.exe| 412C6B9349504BFE4C79C4DBECF3E1DE23FD095C| 09C9254CF45ABF6C17AB6FC2CC6B077C9D9393CB11B7F1BB700B29D10413302E \n \n## Installation verification\n\nTo check that this security update was applied correctly, follow these steps:\n\n 1. Open the Visual Studio 2015 folder.\n 2. Locate the DiagnosticHub.StandardCollector.Runtime.dll file.\n 3. Verify that the file version is equal to or greater than **14.0.27529**.\n\n## Information about protection, security, and support\n\n * Protect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>) \n\n * Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>) \n\n * Obtain localized support per your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n * Get more information about the Visual Studio support policy: [Visual Studio Product Lifecycle and Servicing](<https://www.visualstudio.com/productinfo/vs-servicing-vs>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mskb", "title": "Description of the security update for the elevation of privilege vulnerability in Visual Studio 2015 Update 3: December 11, 2018", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8599"], "modified": "2018-12-11T08:00:00", "id": "KB4469516", "href": "https://support.microsoft.com/en-us/help/4469516", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T22:42:53", "description": "<html><body><p>Resolves a vulnerability in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009.</p><h2>Summary</h2><div class=\"kb-summary-section section\">An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory.<br/><br/>To learn more about the vulnerability, go to <a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8595\" id=\"kb-link-2\" managed-link=\"\" target=\"_blank\"> CVE-2018-8595</a>.</div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faqx\" id=\"kb-link-13\" managed-link=\"\" target=\"_blank\">Windows Update: FAQ</a>.</div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a data-content-id=\"\" data-content-type=\"\" href=\"http://catalog.update.microsoft.com/v7/site/search.aspx?q=4473077\" id=\"kb-link-14\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a> website.</div></div><p><strong class=\"sbody-strong\">Important\u00a0</strong>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/library/hh825699\" id=\"kb-link-5\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</p><h2>Deployment information</h2><p>For deployment details for this security update, go to the following article in the Microsoft Knowledge Base:</p><div class=\"indent\"><a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/20181211\" id=\"kb-link-9\" managed-link=\"\" target=\"_blank\">Security update deployment information: December 11, 2018</a></div><h2>More information</h2><div class=\"kb-moreinformation-section section\"><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></td></tr><tr><td faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\"><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" 
href=\"https://www.microsoft.com/safety/pc-security/updates.aspx\" managed-link=\"\" target=\"_blank\">Protect yourself online</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a><br/><br/>Local support according to your country: <a data-content-id=\"\" data-content-type=\"\" href=\"https://www.microsoft.com/locale.aspx\" id=\"kb-link-18\" managed-link=\"\" target=\"_blank\">International Support</a></span></div><span> </span></td></tr></tbody></table><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 file information</h2><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">File hash information</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>WindowsXP-KB4473077-x86-Embedded-ENU.exe</td><td>2472BFB0A1921BCCC30621166B26004B22203E63</td><td>7EB37A2E59E510095759A243202E66A2EDC4CA3C5879BA48B2F2BE87397552EE</td></tr></tbody></table></td></tr></tbody></table><p><br/><strong>File information</strong><br/><br/><span>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. 
Additionally, the dates and\u00a0times may change when you perform certain operations on the files.</span><br/><br/><strong>Windows XP file information</strong></p><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported x86-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td><td><strong class=\"sbody-strong\">SP requirement</strong></td><td><strong class=\"sbody-strong\">Service branch</strong></td></tr><tr><td>Gdiplus.dll</td><td>5.2.6002.24533</td><td>1,748,992</td><td>14-Nov-2018</td><td>21:31</td><td>x86</td><td>None</td><td>Not applicable</td></tr><tr><td>Gdiplus.man</td><td>Not applicable</td><td>398</td><td>14-Nov-2018</td><td>21:32</td><td>Not applicable</td><td>None</td><td>Not applicable</td></tr><tr><td>Gdiplus.man</td><td>Not applicable</td><td>608</td><td>14-Nov-2018</td><td>21:32</td><td>Not applicable</td><td>None</td><td>Not applicable</td></tr><tr><td>Gdi32.dll</td><td>5.1.2600.7610</td><td>289,280</td><td>14-Nov-2018</td><td>21:31</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Gdiplus.dll</td><td>5.2.6002.24533</td><td>1,748,992</td><td>14-Nov-2018</td><td>21:31</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Gdiplus.man</td><td>Not applicable</td><td>398</td><td>14-Nov-2018</td><td>21:32</td><td>Not applicable</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Gdiplus.man</td><td>Not applicable</td><td>608</td><td>14-Nov-2018</td><td>21:32</td><td>Not 
applicable</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Updspapi.dll</td><td>6.3.13.0</td><td>382,840</td><td>01-Feb-2018</td><td>21:28</td><td>x86</td><td>None</td><td>Not applicable</td></tr></tbody></table></td></tr></tbody></table><p>\u00a0</p></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-11T00:00:00", "type": "mskb", "title": "Description of the security update for the information disclosure vulnerability in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009: December 11, 2018", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595"], "modified": "2018-12-11T17:56:37", "id": "KB4473077", "href": "https://support.microsoft.com/en-us/help/4473077/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-24T11:17:16", "description": "None\n**Note: **Because of minimal operations during the holidays and upcoming Western new year, there won\u2019t be any preview releases for the month of December 2018. 
Monthly servicing will resume with the January 2019 security releases.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:\n\n * Addresses an issue that may prevent the use of the **Seek Bar** in Windows Media Player when playing specific files. This issue does not affect normal playback.\n * Security updates to Microsoft Graphics Component, Windows Storage and Filesystems, Windows Wireless Networking, and Windows Kernel.\n\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update. \n\n## How to get this update\n\nThis update is now available for installation through WSUS. To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4471326>) website.\n\n**File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 4471326](<http://download.microsoft.com/download/5/4/B/54B651D0-4DD7-495E-88D8-6F564E30E4BC/4471326.csv>). 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mskb", "title": "December 11, 2018\u2014KB4471326 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8641"], "modified": "2018-12-11T08:00:00", "id": "KB4471326", "href": "https://support.microsoft.com/en-us/help/4471326", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T11:17:12", "description": "None\n**Note: **Because of minimal operations during the holidays and upcoming Western new year, there won\u2019t be any preview releases for the month of December 2018. Monthly servicing will resume with the January 2019 security releases.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:\n\n * Addresses an issue that may prevent the use of the **Seek Bar** in Windows Media Player when playing specific files. 
This issue does not affect normal playback.\n * Security updates to Microsoft Graphics Component, Windows Storage and Filesystems, Windows Wireless Networking, and Windows Kernel.\n\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\nThis update is now available for installation through WSUS. To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4471319>) website.\n\n**File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 4471319](<http://download.microsoft.com/download/0/D/8/0D847926-96BF-4078-B913-29ED657D282F/4471319.csv>). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mskb", "title": "December 11, 2018\u2014KB4471319 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2018-8641"], "modified": "2018-12-11T08:00:00", "id": "KB4471319", "href": "https://support.microsoft.com/en-us/help/4471319", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T11:17:17", "description": "None\n**Note: **Because of minimal operations during the holidays and upcoming Western new year, there won\u2019t be any preview releases for the month of December 2018. Monthly servicing will resume with the January 2019 security releases.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:\n\n * Addresses an issue that may prevent the use of the **Seek Bar** in Windows Media Player when playing specific files. This issue does not affect normal playback.\n * Security updates to Microsoft Graphics Component, Windows Storage and Filesystems, Windows Wireless Networking, and Windows Kernel.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. If you are using Windows Update, the latest SSU (KB3177467) will be offered to you automatically. To get the stand-alone package for the latest SSU, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update**This update is now available for installation through WSUS. 
To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4471328>) website.**File information**For a list of the files that are provided in this update, download the [file information for update 4471328](<http://download.microsoft.com/download/F/2/5/F258BB59-6B91-479C-95E7-B2EE3CDD2A2E/4471328.csv>). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mskb", "title": "December 11, 2018\u2014KB4471328 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8641"], "modified": "2018-12-11T08:00:00", "id": "KB4471328", "href": "https://support.microsoft.com/en-us/help/4471328", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T11:17:14", "description": "None\n**Note: **Because of minimal operations during the holidays and upcoming Western new year, there won\u2019t be any preview releases for the month of December 2018. 
Monthly servicing will resume with the January 2019 security releases.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:\n\n * Addresses an issue that may prevent the use of the **Seek Bar** in Windows Media Player when playing specific files. This issue does not affect normal playback.\n * Security updates to Microsoft Graphics Component, Windows Storage and Filesystems, Windows Wireless Networking, and Windows Kernel.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\nThis update is now available for installation through WSUS. To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4471322>) website.**File information**For a list of the files that are provided in this update, download the [file information for update 4471322](<http://download.microsoft.com/download/D/B/6/DB6D36EB-E1E2-41FE-94B5-C6F1AD94442D/4471322.csv>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mskb", "title": "December 11, 2018\u2014KB4471322 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8641"], "modified": "2018-12-11T08:00:00", "id": "KB4471322", "href": "https://support.microsoft.com/en-us/help/4471322", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-03-17T02:35:22", "description": "An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.\n\nAn attacker with unprivileged access to a vulnerable system could exploit this vulnerability.\n\nThe security update addresses the vulnerability by ensuring the Diagnostics Hub Standard Collector Service properly impersonates file operations.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8599"], "modified": "2019-10-08T07:00:00", "id": "MS:CVE-2018-8599", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8599", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists when the Windows Remote Procedure Call (RPC) runtime improperly initializes objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nTo exploit this vulnerability, an authenticated attacker could run a specially crafted application.\n\nThe update addresses the vulnerability by correcting how the Remote Procedure Call runtime initializes objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows Remote Procedure Call Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": 
"LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8514"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8514", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8514", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "A remote code execution vulnerability exists in Windows [Domain Name System (DNS)](<https://technet.microsoft.com/en-us/library/security/dn848375.aspx#DNS>) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.\n\nTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.\n\nThe update addresses the vulnerability by modifying how Windows DNS servers handle requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows DNS Server Heap Overflow Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8626"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8626", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8626", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:22", "description": "A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.\n\nThe security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service validates certain function values.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Connected User Experiences and Telemetry Service Denial of Service Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8612"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8612", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8612", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8477"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8477", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8477", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.\n\nThe security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Win32k Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2018-8637"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8637", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8637", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nAn authenticated attacker could exploit this vulnerability by running a specially crafted application.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8621"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8621", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8621", "cvss": {"score": 2.1, 
"vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user\u2019s system.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n\nThe security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows GDI Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8596"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8596", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8596", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": 
"2023-03-17T02:35:22", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8611", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8611", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user\u2019s system.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n\nThe security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows GDI Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595"], "modified": "2019-01-04T08:00:00", "id": "MS:CVE-2018-8595", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8595", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "A remote code execution 
vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nThe security update addresses the vulnerability by correcting how the Microsoft text-to-speech handles objects in the memory.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Microsoft Text-To-Speech Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8634"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8634", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8634", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An 
information disclosure vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nAn authenticated attacker could exploit this vulnerability by running a specially crafted application.\n\nThe update addresses the vulnerability by correcting how DirectX handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "DirectX Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8638"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8638", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8638", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how Win32k handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8639"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8639", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8639", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8641"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8641", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8641", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:22", "description": "An information disclosure vulnerability exists when the Windows kernel improperly 
handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nAn authenticated attacker could exploit this vulnerability by running a specially crafted application.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8622"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8622", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8622", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:35:22", "description": "A denial of service vulnerability exists when Windows improperly handles objects in memory. 
An attacker who successfully exploited the vulnerability could cause a target system to stop responding.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding.\n\nThe update addresses the vulnerability by correcting how Windows handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-12-11T08:00:00", "type": "mscve", "title": "Windows Denial of Service Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8649"], "modified": "2018-12-11T08:00:00", "id": "MS:CVE-2018-8649", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8649", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:04:57", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. 
An attacker may exploit this issue to gain elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Visual Studio 2015 Update 3 \n * Microsoft Visual Studio 2017 15.9 \n * Microsoft Visual Studio 2017 \n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows CVE-2018-8599 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8599"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106094", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106094", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. A local attacker can leverage this issue to disclose sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 
2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows CVE-2018-8514 Local Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8514"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106079", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106079", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:42", "description": "### Description\n\nMicrosoft Windows is prone to a heap-based buffer-overflow vulnerability. Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the affected application. 
Failed exploit attempts will result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**To limit the consequences of successful exploits, run the server in a closed or restricted environment.** \nTo limit the consequences of a successful exploit, run vulnerable applications with the least amount of privileges required for functionality.\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows DNS Server CVE-2018-8626 Heap Buffer Overflow Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8626"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106076", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106076", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:42", "description": "### Description\n\nMicrosoft Windows is prone to a local denial-of-service vulnerability. An attacker can exploit this issue to restart the affected system, denying service to legitimate users.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows CVE-2018-8612 Local Denial of Service Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8612"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106087", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106087", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:42", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 
R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2018-8477 Local Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8477"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106081", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106081", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information, bypass certain security restrictions and perform unauthorized actions. 
Successful exploits may lead to other attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2018-8637 Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8637"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106095", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106095", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:42", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2012 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. 
Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2018-8621 Local Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8621"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106085", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106085", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit 
Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows GDI Component CVE-2018-8596 Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8596"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106086", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106086", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:42", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary code with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for 64-bit Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 R2 for 
Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2018-8611 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8611"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106082", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106082", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to an information-disclosure vulnerability. 
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. 
Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows GDI Component CVE-2018-8595 Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8595"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106083", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106083", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successfully exploiting this issue may result in the execution of arbitrary code in the context of the affected system. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Text-To-Speech CVE-2018-8634 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8634"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106078", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106078", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. A local attacker can leverage this issue to disclose sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows DirectX CVE-2018-8638 Local Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8638"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106089", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106089", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows 
Server 1803 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2018-8639 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8639"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106093", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106093", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:42", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. 
A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. 
Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2018-8641 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8641"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106090", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106090", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2018-8622 Local Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8622"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106088", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106088", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:05:43", "description": "### Description\n\nMicrosoft Windows is prone to a local denial-of-service vulnerability. An attacker can exploit this issue to restart the affected system, denying service to legitimate users.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-12-11T00:00:00", "type": "symantec", "title": "Microsoft Windows CVE-2018-8649 Local Denial of Service Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-8649"], "modified": "2018-12-11T00:00:00", "id": "SMNTC-106091", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106091", "cvss": {"score": 0.0, "vector": "NONE"}}], "cert": [{"lastseen": "2021-09-28T17:50:03", "description": "### Overview\n\nMicrosoft Windows DNS servers are vulnerable to heap overflow attacks, enabling unauthenticated attackers to send malicious requests to affected servers.\n\n### Description\n\n[**CWE-122: Heap-based Buffer Overflow**](<https://cwe.mitre.org/data/definitions/122.html>) \\- CVE-2018-8626\n\nMicrosoft Windows Domain Name System (DNS) servers are vulnerable to heap overflow attacks. [Microsoft acknowledges](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626>) that \"an attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.\" This remote code execution vulnerability exists in Windows DNS servers when they fail to properly handle requests. \n \n--- \n \n### Impact\n\nWindows servers that are configured as DNS servers are at risk from this vulnerability. A successful attack could allow the execution of arbitrary code. [Symantec also notes](<https://www.symantec.com/security-center/vulnerabilities/writeup/106076>) that an unsuccessful attack results in a denial-of-service. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nApply the security update available from [Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626>). 
\n \n--- \n \n### Vendor Information\n\n531281\n\n### Microsoft Affected\n\nUpdated: January 04, 2019 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P \nTemporal | 9.7 | E:ND/RL:ND/RC:ND \nEnvironmental | 9.7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626>\n * <https://cwe.mitre.org/data/definitions/122.html>\n * <https://www.symantec.com/security-center/vulnerabilities/writeup/106076>\n * <https://www.us-cert.gov/ncas/current-activity/2018/12/11/Microsoft-Releases-December-2018-Security-Updates>\n\n### Acknowledgements\n\nThanks to Mitch Adair from Microsoft for reporting this vulnerability.\n\nThis document was written by Eric Hatleback.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2018-8626](<http://web.nvd.nist.gov/vuln/detail/CVE-2018-8626>) \n---|--- \n**Date Public:** | 2018-11-12 \n**Date First Published:** | 2019-01-04 \n**Date Last Updated: ** | 2019-01-04 18:01 UTC \n**Document Revision: ** | 13 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-04T00:00:00", "type": "cert", 
"title": "Microsoft Windows DNS servers are vulnerable to heap overflow", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8626"], "modified": "2019-01-04T18:01:00", "id": "VU:531281", "href": "https://www.kb.cert.org/vuls/id/531281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-28T17:50:02", "description": "### Overview\n\nThe Microsoft Windows Kernel Transaction Manager (KTM) is vulnerable to a race condition because it fails to properly handle objects in memory, which can result in local privilege escalation.\n\n### Description\n\n[**CWE-362**](<https://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')** \\- CVE-2018-8611\n\nAccording to [Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>), the Windows kernel fails \"to properly handle objects in memory\". A successful attacker could run arbitrary code in kernel mode, and then \"install programs; view, change, or delete data; or create new accounts with full user rights.\" \n \n--- \n \n### Impact\n\nAfter logging into the system, an attacker could run a maliciously crafted application to exploit the race condition. They could then elevate their local privileges, create user accounts, install new programs, or change, view, or delete data. 
\n \n[Kaspersky experts](<https://usa.kaspersky.com/blog/cve-2018-8611-detected/16833/>) state that \"the exploit can also be used to escape the sandbox in modern Web browsers, including Chrome and Edge.\" \n \n--- \n \n### Solution\n\n**Apply an update** \n \nThis issue is addressed in the [Microsoft update for CVE-2018-8611.](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>) \n \n--- \n \n### Vendor Information\n\n289907\n\n### Microsoft Affected\n\nUpdated: January 04, 2019 \n\n**Statement Date: December 11, 2018**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 6 | AV:L/AC:H/Au:S/C:C/I:C/A:C \nTemporal | 5 | E:F/RL:OF/RC:C \nEnvironmental | 5.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>\n * <https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/>\n * <https://usa.kaspersky.com/blog/cve-2018-8611-detected/16833/>\n * <https://www.us-cert.gov/ncas/current-activity/2018/12/11/Microsoft-Releases-December-2018-Security-Updates>\n * <https://cwe.mitre.org/data/definitions/362.html>\n\n### Acknowledgements\n\nThanks to researchers Boris Larin and Igor Soumenkov from Kaspersky Lab for reporting this vulnerability to Microsoft.\n\nThis document was written by Madison Oliver.\n\n### Other Information\n\n**CVE IDs:** | 
[CVE-2018-8611](<http://web.nvd.nist.gov/vuln/detail/CVE-2018-8611>) \n---|--- \n**Date Public:** | 2018-11-12 \n**Date First Published:** | 2019-01-04 \n**Date Last Updated: ** | 2019-01-24 17:58 UTC \n**Document Revision: ** | 21 \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-04T00:00:00", "type": "cert", "title": "Microsoft Windows Kernel Transaction Manager (KTM) is vulnerable to a race condition", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611"], "modified": "2019-01-24T17:58:00", "id": "VU:289907", "href": "https://www.kb.cert.org/vuls/id/289907", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T15:30:32", "description": "An information disclosure vulnerability exists in the GDI component of Microsoft Windows. The vulnerability is due to an improper disclosure of the contents of the memory. 
Successful exploitation would allow the attacker to gain sensitive information that may help in further attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-02-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Graphics Device Interface Information Disclosure (CVE-2018-8596)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8596"], "modified": "2019-02-27T00:00:00", "id": "CPAI-2019-0151", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T11:23:18", "description": "An information disclosure vulnerability exists in the Graphics Device Interface (GDI) component of Microsoft Windows. The vulnerability is due to improperly disclosing memory content. 
Successful exploitation could result in disclosure of information which could be used to further compromise the target system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-02-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Graphics Device Interface EMR_HEADER Information Disclosure (CVE-2018-8595)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595"], "modified": "2019-02-27T00:00:00", "id": "CPAI-2019-0156", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T15:33:29", "description": "A memory corruption vulnerability exists in Microsoft Edge. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Edge Memory Corruption (CVE-2018-8634)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8634"], "modified": "2018-12-11T00:00:00", "id": "CPAI-2018-1120", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:25:13", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Win32k Elevation of Privilege (CVE-2018-8639)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8639"], "modified": "2018-12-11T00:00:00", "id": "CPAI-2018-1231", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T21:40:33", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of emf files in the gdiplus library. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-19T00:00:00", "type": "zdi", "title": "Microsoft Windows gdiplus bParseWin32Metafile Out-Of-Bounds Read Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8596"], "modified": "2018-12-19T00:00:00", "id": "ZDI-18-1429", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1429/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-31T21:40:55", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within processing of EMF files within PlayEnhMetaFile. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-13T00:00:00", "type": "zdi", "title": "Microsoft Windows gd132full PlayEnhMetaFile Out-Of-Bounds Read Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8596"], "modified": "2018-12-13T00:00:00", "id": "ZDI-18-1404", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1404/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-31T21:40:33", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of emf files in the gdiplus library. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-19T00:00:00", "type": "zdi", "title": "Microsoft Windows gdiplus GdipGetWinMetaFileBitsEx Out-Of-Bounds Read Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595"], "modified": "2018-12-19T00:00:00", "id": "ZDI-18-1430", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1430/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-31T21:41:05", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EmfMetafileHeader records. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-13T00:00:00", "type": "zdi", "title": "Microsoft Excel gdiplus EMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8595"], "modified": "2018-12-13T00:00:00", "id": "ZDI-18-1403", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1403/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Kernel Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611"], "modified": "2022-05-24T00:00:00", "id": "CISA-KEV-CVE-2018-8611", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:42", "description": "[](<https://thehackernews.com/images/-VeZ4MhNZt3o/XBDIIMYWBCI/AAAAAAAAy0o/o-EfIwtZp8UDbUNjE10rWKhQSt3py5tTQCLcBGAs/s728-e100/microsoft-security-patch-updates.jpg>)\n\nMicrosoft today, on its year-end December Patch Tuesday, released security updates to patch a total 39 vulnerabilities its Windows operating systems and applications\u201410 of which are rated as critical and other important in severity. \n \nOne of the security vulnerabilities patched by the tech giant this month is listed as publicly known at the time of release, and one is a zero-day reported as being actively exploited in the wild by multiple hacking groups, including FruityArmor and SandCat APTs. \n \nDiscovered and reported by security researchers at Kaspersky, the zero-day attack exploits an elevation-of-privilege (EoP) bug in the Windows Kernel (ntoskrnl.exe) that could allow malicious programs to execute arbitrary code with higher privileges on the targeted systems. 
\n \nThe vulnerability, tracked as [CVE-2018-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>) and classified important in severity, resides in the Kernel Transaction Manager, which occurs due to improper processing of transacted file operations in kernel mode. \n \nThe flaw affects almost all versions of Windows operating system\u2014Windows 7 through Server 2019. \n \n\n\n> \"This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox,\" [Kaspersky](<https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/>) said. \n \n\"Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.\"\n\n \nThis is the third zero-day vulnerability Microsoft has back-to-back patched in three consecutive months through its regular monthly patch update to address a Win32K elevation of privilege bug. \n \nAnother important bug is a publicly known vulnerability, tracked as [CVE-2018-8517](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8517>), which is a denial-of-service issue in web applications built with the .NET Framework that exists due to improper handling of special web requests. \n \n\n\n> \"The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application,\" Microsoft explains.\n\n \nThe flaw was publicly disclosed, but Microsoft found no evidence of active exploitation of this vulnerability. 
\n \nIn addition to the zero-day and publicly known vulnerabilities, Microsoft patched 10 critical and 29 important vulnerabilities impacting a range of its products, including Windows, Edge, Internet Explorer, ChakraCore, Office and Microsoft Office Services and Web Apps, and the .NET Framework. \n \nBesides its own products, Microsoft's December 2018 Patch Tuesday also includes a [security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180031>) for a recently-disclosed [zero-day flaw in Adobe Flash Player](<https://thehackernews.com/2018/12/flash-player-vulnerability.html>), which was also actively being exploited by a state-sponsored cyber-espionage group. \n \nUsers and system administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cybercriminals from taking control of their systems. \n \nTo install the latest security patch updates, head to Settings \u2192 Update & Security \u2192 Windows Update \u2192 Check for updates on your computer, or install the updates manually.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-12T08:48:00", "type": "thn", "title": "Microsoft Issues Patch for Windows Zero-Day Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, 
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8517", "CVE-2018-8611"], "modified": "2018-12-12T08:49:52", "id": "THN:F34754C92EBDDF21C3F920DF7E64971E", "href": "https://thehackernews.com/2018/12/microsoft-patch-updates.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-06-24T11:52:53", "description": "\n\nExploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it's just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there's a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browser and has pretty much been replaced with open standards such as HTML5, WebGL, WebAssembly. The decline of exploit kits can be linked to the decline of Adobe Flash, but exploit kits have not disappeared completely. They have adapted and switched to target users of Internet Explorer without the latest security updates installed.\n\nMicrosoft Edge replaced Internet Explorer as a default web browser with the release of Windows 10 in 2015, but Internet Explorer is still installed for backward compatibility on machines running Windows 10 and it has remained a default web browser for Windows 7/8/8.1. The switch to Microsoft Edge development also meant that Internet Explorer would no longer be actively developed and would only receive vulnerability patches without general security improvements. 
Still, somehow, Internet Explorer remains a relatively popular web browser. According to [NetMarketShare](<https://netmarketshare.com/?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22browser%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22browsersDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222020-04%22%2C%22dateEnd%22%3A%222020-04%22%2C%22segments%22%3A%22-1000%22%7D>), as of April 2020 Internet Explorer is used on 5.45% of desktop computers (for comparison, Firefox accounts for 7.25%, Safari 3.94%, Edge 7.76%). Despite the security of Internet Explorer being five years behind that of its modern counterparts, it supports a number of legacy script engines. [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>) is a vulnerability in a legacy VBScript engine that was originally discovered in the wild as an exploited zero-day. The majority of exploit kits quickly adopted it as their primary exploit.\n\nSince the discovery of [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>) a few more vulnerabilities for Internet Explorer have been discovered as in-the-wild zero-days: CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674. All of them exploited another legacy component of Internet Explorer \u2013 a [JScript](<https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html>) engine. It felt like it was just a matter of time until exploit kits adopted these new exploits.\n\nExploit kits still play a role in today's threat landscape and continue to evolve. 
For this blogpost I studied and analyzed the evolution of one of the most sophisticated exploit kits out there \u2013 Magnitude EK \u2013 for a whole year.\n\nThis blogpost in a nutshell:\n\n * Magnitude EK continues to deliver ransomware to Asia Pacific (APAC) countries via malvertising\n * Study of the exploit kit's activity over a period of 12 months shows that Magnitude EK is actively maintained and undergoes continuous development\n * In February this year Magnitude EK switched to an exploit for the more recent vulnerability CVE-2019-1367 in Internet Explorer (originally discovered as an exploited zero-day in the wild)\n * Magnitude EK uses a previously unknown elevation of privilege exploit for CVE-2018-8641 developed by a prolific exploit writer\n\n## Introduction\n\nMagnitude EK is one of the longest-standing exploit kits. It was on offer in underground forums from [2013](<https://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html>) and later became a private exploit kit. 
As well as a change of actors, the exploit kit has switched its focus to deliver ransomware to users from specific [Asia Pacific](<https://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/>) (APAC) countries via malvertising.\n\n_Active attacks by Magnitude EK in 2019 according to Kaspersky Security Network (KSN) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085939/sl_magnitude_exploit_kit_01-en-2019.png>))_\n\n_Active attacks by Magnitude EK in 2020 according to Kaspersky Security Network (KSN) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23090011/sl_magnitude_exploit_kit_02-en-2020.png>))_\n\nOur statistics show that this campaign continues to target APAC countries to this day, and during the year in question Magnitude EK always used its own ransomware as a final payload.\n\n### Infection vector\n\nLike the majority of exploit kits out there, in 2019 Magnitude EK used [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>). However, the attackers behind Magnitude EK were among the first to adopt the much newer vulnerability [CVE-2019-1367](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367>) and they have been using it as their primary exploit since February 11, 2020. As was the case with CVE-2018-8174, they didn't develop their own exploit for CVE-2019-1367, instead reusing the original zero-day and modifying it with their own shellcode and obfuscation.\n\nCVE-2019-1367 is a Use-After-Free vulnerability due to a garbage collector not tracking a value that was not rooted in the legacy JavaScript engine jscript.dll. By default, Internet Explorer 11 uses Jscript9.dll, but it's still possible to execute the script using the legacy engine by enabling compatibility mode with Internet Explorer 7/8. 
This can be done with the following script attributes:\n \n \n <meta http-equiv=\"x-ua-compatible\" content=\"IE=EmulateIE8\" />\n <script language=\"JScript.Compact\">\u2026</script>\n \n <meta http-equiv=\"x-ua-compatible\" content=\"IE=EmulateIE8\" />\n <script language=\"JScript.Encode\">\u2026</script>\n\nThe original exploit uses JScript.Compact, a special profile defined for [embedded devices](<https://www.ecma-international.org/publications/files/ECMA-ST-WITHDRAWN/Ecma-327.pdf>). But JScript.Encode is much more interesting because it was developed by Microsoft to protect scripts and prevent source code from being copied. This script attribute can execute scripts encoded with Microsoft Script Encoder (screnc.exe) and it also disables script debugging. Basically, it's a DRM for JavaScript. Magnitude EK changed from its original exploit to take advantage of this feature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085029/sl_magnitude_exploit_kit_01.png>)\n\n**_Exploit packed with JScript.Encode technique_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085053/sl_magnitude_exploit_kit_02.png>)\n\n**_Unpacked exploit. Shellcode, names and some strings are obfuscated_**\n\n## Shellcode\n\nTheir shellcodes piqued my interest. They use a huge number of different shellcode encoders, from the classical Metasploit shikata_ga_nai encoder and DotNetToJScript to a variety of custom encoders and stagers.\n\nIt was also impossible not to notice the changes happening to their main shellcode responsible for launching the ransomware payload. The attackers are fine-tuning their arsenal on a regular basis.\n\nMagnitude EK has existed since at least 2013, but below you can see just the changes to payload/shellcode that occurred over the period of one year (June 2019 to June 2020). 
During this period we observed attacks happening almost every day.\n\n**Timeline of shellcode/payload changes**\n\nDate | Description \n---|--- \nJune 2019 | Shellcode downloads a payload that's decrypted with a custom xor-based algorithm. All strings are assembled on stack and to change payload the URL shellcode needs to be recompiled. The payload is a PE module. The module export function name is hardcoded to \"GrfeFVGRe\". The payload is executed in an Internet Explorer process. It contains an elevation of privilege exploit with support for x86 and x64 versions of Windows and an encrypted ransomware payload. After elevation of privilege it injects the ransomware payload to other processes, spawns the wuapp.exe process and injects there as well. If process creation fails, it also runs the ransomware from the current process. \nJuly 20, 2019 | Payload module export function name is auto-generated. \nNovember 11, 2019 | Shellcode tries to inject the payload to other processes. If API function Process32First fails, it spawns the process wuapp.exe from Windows directory and injects the payload there. The injection method is WriteProcessMemory + CreateRemoteThread.\n\nThe payload is ransomware without elevation of privilege. The payload module export function name is hardcoded again, but now to \"lssrcdxhg\". \nNovember 20, 2019 | Looks like they messed up the folder with shellcodes; in some attacks they use a shellcode from June, and later the same day they start to use their November shellcode with the new hardcoded export name \"by5eftgdbfgsq323\". \nNovember 23, 2019 | They start to use the elevation of privilege exploit again, but now they also check the integrity level of the process. If it's a low integrity process, then they execute the payload with the exploit in the current process; if that's not the case, then it's injected into other processes. The process is no longer created from shellcode, but it's still created from the payload. 
The payload module export name is hardcoded to \"gv65eytervsawer2\". \nJanuary 17, 2020 | It looks like the attackers had a short holiday at the beginning of the year. The shellcode remains the same, but the payload module export function name is hardcoded to \"i4eg65tgq3f4\". The payload changed a bit. The name of the created process is now assembled on stack. The name of the process also changed \u2013 it no longer spawns a wuapp.exe, but instead launches the calculator calc.exe and injects the ransomware payload there. \nJanuary 27, 2020 | The payload is no longer a PE module but plain shellcode. The payload consists of ransomware without elevation of privilege. \nFebruary 4, 2020 | The payload is a PE module again, but once again the export name is auto-generated. \nFebruary 10, 2020 | The shellcode comes with two URLs for different payloads. The shellcode checks the integrity level and depending on process integrity level, it executes the elevation of privilege payload or uses the ransomware payload straightaway. All strings and function imports in the exploit are now obfuscated. The payload does not spawn a new process, and only injects to others. \nFebruary 11, 2020 | Magnitude EK starts using CVE-2019-1367 as its primary exploit. The attackers use the shellcode from January 27, 2020, but they have modified it to check for the name of a particular process. If the process exists, they don't execute the payload from Internet Explorer. The process name is \"ASDSvc\" (AhnLab, Inc.). \nFebruary 17, 2020 | The attackers switch to the shellcode from February 10, 2020, but the payload module export function name is hardcoded to \"xs324qsawezzse\". \nFebruary 28, 2020 | Shellcode encryption is removed. The payload module export function name is hardcoded to \"sawd6vf3y5\". \nMarch 1, 2020 | Strings are no longer stored on stack. \nMarch 6, 2020 | Back to the shellcode from February 17, 2020. 
\nMarch 10, 2020 | The attackers add some functionality implemented after February 17, 2020: payload encryption is removed and strings are no longer stored on stack. The payload module export function name is still hardcoded to \"xs324qsawezzse\". \nMarch 16, 2020 | Functionality added so as not to inject into a particular process (explorer.exe). The injection method is also changed to NtCreateSection + NtMapViewOfSection + RtlCreateUserThread. \nApril 2, 2020 | The attackers add some functionality similar to that used in November 2019. They check the integrity level of a process and if it's a low integrity process, they execute the payload from the current process. If that's not the case, they inject it to other processes (other than explorer.exe) and at the end create a new process and inject it there as well. The created processes are C:\\Program Files\\Windows Media Player\\wmlaunch.exe or C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe depending on whether it's a WOW64 process or not. \nApril 4, 2020 | Shellcode updated to use a new injection technique: NtQueueApcThread. The shellcode also comes with a URL for a ransomware payload without elevation of privilege. The shellcode checks the integrity level and if it's a low integrity process, the shellcode calls ExitProcess(). Use of the hardcoded export name \"xs324qsawezzse\" is also stopped. \nApril 7, 2020 | Back to the shellcode from April 2, 2020. \nMay 5, 2020 | Previously the attackers adjusted their injection method, but now they revert back to injection via the WriteProcessMemory + CreateRemoteThread technique. \nMay 6, 2020 | They continue to make changes to the code injection method. From now on they use NtCreateThreadEx. \n \n \n\n## Elevation of privilege exploit\n\nThe elevation of privilege exploit used by Magnitude EK is quite interesting. When I saw it for the first time, I wasn't able to recognize this particular exploit. 
It exploited a vulnerability in the win32k kernel driver and closer analysis revealed that this particular vulnerability was fixed in December 2018. According to Microsoft, only two win32k-related elevation of privilege vulnerabilities were fixed that month \u2013 CVE-2018-8639 and CVE-2018-8641. Microsoft previously shared more information with us about CVE-2018-8639, so we can say with some certainty that the encountered exploit uses vulnerability CVE-2018-8641. The exploit has huge code similarities with another zero-day that we had found previously \u2013 [CVE-2019-0859](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>). Based on these similarities, we attribute this exploit to the prolific exploit writer known as \"Volodya\", \"Volodimir\" or \"BuggiCorp\". Volodya is famous for selling zero-day exploits to both APT groups and criminals. In the past, Volodya advertised his services at exploit(dot)in, the same underground forum where Magnitude EK was once advertised. We don't currently know if the exploit for CVE-2018-8641 was initially used as a zero-day exploit or it was developed as a 1-day exploit through patch diffing. It's also important to note that a public exploit for CVE-2018-8641 also exists, but it's incorrectly designated to CVE-2018-8639 and it exploits the vulnerability in another fashion, meaning there are two completely different exploits for the same vulnerability.\n\n## Ransomware\n\nMagnitude EK uses its own ransomware as its final payload. The ransomware comes with a temporary encryption key and list of domain names and the attackers change them frequently. Files are encrypted with the use of Microsoft CryptoAPI and the attackers use Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES). The initialization vector (IV) is generated pseudo randomly for each file and a 0x100 byte long blob with encrypted IV is appended to the end of the file. 
The ransomware doesn't encrypt the files located in common folders such as documents and settings, appdata, local settings, sample music, tor browser, etc. Before encryption, the extensions of files are checked against a hash table of allowed file extensions that contains 715 entries. A ransom note is left in each folder with encrypted files and at the end a notepad.exe process is created to display the ransom note. To hide the origin of the executed process, the ransomware uses one of two techniques: \"wmic process call create\" or \"pcalua.exe \u2013a \u2026 -c \u2026\". After encryption the ransomware also attempts to delete backups of the files with the \"wmic shadowcopy delete\" command that is executed with a UAC-bypass.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085326/sl_magnitude_exploit_kit_03-1.png>)\n\n_**Example of Magnitude EK ransom note**_\n\nThe core of the ransomware did not undergo many changes throughout the year. If we compare old samples with more recent versions, there are only a few notable changes:\n\n * In older versions, immediately at launch the payload gets the default UI language of the operating system using the GetSystemDefaultUILanguage API function and compares the returned value against a couple of hardcoded language IDs (e.g. zh-HK - Hong Kong S.A.R., zh-MO - Macao S.A.R., zh-CN - People's Republic of China, zh-SG - Singapore, zh-TW - Taiwan, ko-KR - Korea, ms-BN - Brunei Darussalam, ms-MY - Malaysia). If the language ID doesn't match, then ExitProcess() will be executed. In newer versions, the check for the language ID was removed.\n * In older versions, the ransomware deletes file backups with the command \"cmd.exe /c \"%SystemRoot%\\system32\\wbem\\wmic shadowcopy delete\" via UAC-bypass in eventvwr.exe. 
In the newer version, the command is obfuscated with caret character insertion \"cmd.exe /c \"%SystemRoot%\\system32\\wbem\\wmic ^s^h^a^d^o^w^c^o^p^y^ ^d^e^l^e^t^e\" and executed via UAC-bypass in CompMgmtLauncher.exe.\n\n## Conclusions\n\nThe total volume of attacks performed by exploit kits has decreased, but they still exist, are still active, and still pose a threat, and therefore need to be treated seriously. Magnitude is not the only active exploit kit and we see other exploit kits that are also switching to newer exploits for Internet Explorer. We recommend installing security updates, migrating to a newer operating system (make sure you stay up to date with Windows 10 builds) and also not using Internet Explorer as your web browser. Throughout the entire Magnitude EK campaign we have detected the use of Internet Explorer exploits with the verdict PDM:Exploit.Win32.Generic.", "cvss3": {}, "published": "2020-06-24T10:00:16", "type": "securelist", "title": "Magnitude exploit kit \u2013 evolution", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8174", "CVE-2018-8639", "CVE-2018-8641", "CVE-2018-8653", "CVE-2019-0859", "CVE-2019-1367", "CVE-2019-1429", "CVE-2020-0674"], "modified": "2020-06-24T10:00:16", "id": "SECURELIST:78C1216872C5187377E9C874AEDF73FC", "href": "https://securelist.com/magnitude-exploit-kit-evolution/97436/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-12-12T09:42:58", "description": "\n\n## Executive summary\n\nIn October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it [CVE-2018-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>). 
Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers **Boris Larin** ([Oct0xor](<https://twitter.com/oct0xor>)) and **Igor Soumenkov** ([2igosha](<https://twitter.com/2igosha>)) with the discovery.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/12/12085448/181211-zeroday-4.png>)\n\nThis is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys ([CVE-2018-8589](<https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/>) and [CVE-2018-8453](<https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/>)), CVE-2018-8611 is an especially dangerous threat - a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.\n\nJust like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.\n\nKaspersky Lab products detected this exploit proactively through the following technologies:\n\n 1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products\n 2. 
Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)\n\nKaspersky Lab verdicts for the artifacts used in this and related attacks are:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic\n\n## Brief details - CVE-2018-8611 vulnerability\n\nCVE-2018-8611 is a race condition that is present in the [Kernel Transaction Manager](<https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-kernel-transaction-manager>) due to improper processing of transacted file operations in kernel mode.\n\nThis vulnerability successfully bypasses modern process mitigation policies, such as [Win32k System call Filtering](<https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_process_mitigation_system_call_disable_policy>) that is used, among others, in the Microsoft Edge Sandbox and the [Win32k Lockdown Policy](<https://docs.google.com/document/d/1gJDlk-9xkh6_8M_awrczWCaUuyr0Zd2TKjNBCiPO_G4/edit>) employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.\n\nWe have found multiple builds of the exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/12/11144155/181211-zeroday-1.png>)\n\nA check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133\n\nSimilarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.\n\nTo abuse this vulnerability, the exploit first creates a named pipe and opens it for reading and writing. 
Then it creates a pair of new [transaction manager objects](<https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/transaction-manager-objects>), [resource manager objects](<https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/resource-manager-objects>), [transaction objects](<https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/transaction-objects>) and creates a large number of [enlistment objects](<https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/enlistment-objects>) for what we will call \"Transaction #2\". An enlistment is a special object that is used to associate a transaction with a resource manager. When the transaction state changes, the associated resource manager is notified by the KTM. After that it creates one more enlistment object, only now it does so for \"Transaction #1\", and commits all the changes made during this transaction. \nAfter all the initial preparations have been made, the exploit proceeds to the second part of the vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of the created threads calls [NtQueryInformationResourceManager](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-ntqueryinformationresourcemanager>) in a loop, while a second thread tries to execute [NtRecoverResourceManager](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-ntrecoverresourcemanager>) once. But the vulnerability itself is triggered in the third thread. This thread uses the trick of executing [NtQueryInformationThread](<https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationthread>) to obtain information on the latest executed syscall for the second thread. 
Successful execution of [NtRecoverResourceManager](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-ntrecoverresourcemanager>) will mean that the race condition has occurred, and further execution of [WriteFile](<https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-writefile>) on the previously created named pipe will lead to memory corruption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/12/11144225/181211-zeroday-3.png>)\n\n \nProof of concept: execution of WriteFile with buffer set to 0x41\n\nAs always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. And it was later shared through Microsoft Active Protections Program (**MAPP**).\n\nMore information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)", "cvss3": {}, "published": "2018-12-12T08:00:24", "type": "securelist", "title": "Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8453", "CVE-2018-8589", "CVE-2018-8611"], "modified": "2018-12-12T08:00:24", "id": "SECURELIST:3813D41319B88396F5995A4071DFA47F", "href": "https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-13T10:48:33", "description": "\n\nIn February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. 
The company confirmed the vulnerability and assigned it [CVE-2019-0797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0797>). Microsoft have just released a patch, crediting Kaspersky Lab researchers **Vasiliy Berdnikov** and **Boris Larin** with the discovery:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/13093326/CVE-2019-0797_MS.png>)\n\nThis is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with [CVE-2018-8589](<https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/>), we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.\n\nKaspersky Lab products detected this exploit proactively through the following technologies:\n\n 1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;\n 2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).\n\nKaspersky Lab verdicts for the artifacts used in this and related attacks are:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic\n\n## Brief technical details \u2013 CVE-2019-0797\n\nCVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection. 
The vulnerable code can be observed below on screenshots made on an up-to-date system during initial analysis:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/12130958/190312-cve2019-0797-1.png>)\n\nSnippet of NtDCompositionDiscardFrame syscall (Windows 8.1)\n\nOn this screenshot with the simplified logic of the NtDCompositionDiscardFrame syscall you can see that this code acquires a lock that is related to frame operations in the structure DirectComposition::CConnection and tries to find a frame that corresponds to a given id and will eventually call a free on it. The problem with this can be observed on the second screenshot:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/12131015/190312-cve2019-0797-2.png>)\n\nSnippet of NtDCompositionDestroyConnection syscall inner function (Windows 8.1)\n\nOn this screenshot with the simplified logic of the function DiscardAllCompositionFrames that is called from within the NtDCompositionDestroyConnection syscall you can see that it does not acquire the necessary lock and calls the function DiscardAllCompositionFrames that will release all allocated frames. The problem lies in the fact that when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection are executed simultaneously, the function DiscardAllCompositionFrames may be executed at a time when the NtDCompositionDiscardFrame syscall is already looking for a frame to release or has already found it. 
This condition leads to a use-after-free scenario.\n\nInterestingly, this is the third race condition zero-day exploit used by the same group in addition to CVE-2018-8589 and [CVE-2018-8611](<https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/12131035/190312-cve2019-0797-3.png>)\n\nStop execution if module file name contains substring \"chrome.exe\"\n\nThe exploit that was found in the wild was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063. The exploitation process for all those operating systems does not differ greatly and is performed using heap spraying palettes and accelerator tables with the use of GdiSharedHandleTable and gSharedInfo to leak their kernel addresses. When exploiting Windows 10 build 14393 and higher, windows are used instead of palettes. Besides that, the exploit performs a check on whether it's running from Google Chrome and stops execution if it is because vulnerability CVE-2019-0797 can't be exploited within a sandbox.", "cvss3": {}, "published": "2019-03-13T10:00:52", "type": "securelist", "title": "The fourth horseman: CVE-2019-0797 vulnerability", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8589", "CVE-2018-8611", "CVE-2019-0797"], "modified": "2019-03-13T10:00:52", "id": "SECURELIST:63F08CF43123326EE123EADFF8681D0D", "href": "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-15T11:55:18", "description": "\n\nIn March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. 
It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:\n\n * [Zero-day exploit (CVE-2018-8453) used in targeted attacks](<https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/>)\n * [A new exploit for zero-day vulnerability CVE-2018-8589](<https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/>)\n * [Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)](<https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/>)\n * [The fourth horseman: CVE-2019-0797 vulnerability](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>)\n\nOn March 17, 2019 we reported our discovery to Microsoft; the company confirmed the vulnerability and assigned it CVE-2019-0859. Microsoft have [just released a patch](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0859>), part of its update, crediting Kaspersky Lab researchers **Vasiliy Berdnikov** and **Boris Larin**.\n\n## Technical details\n\nCVE-2019-0859 is a Use-After-Free vulnerability that is present in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it's first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.\n\nIn win32k.sys all windows are represented by the tagWND structure which has an \"fnid\" field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others. 
We [have already written](<https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/>) about Function ID related bugs.\n\nDuring the WM_NCCREATE callback, the Function ID of a window is set to 0 and this allowed us to set extra data for the window from inside our hook. More importantly, we were able to change the address for the window procedure that was executed immediately after our hook. The change of window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc and the function initiates Function ID to FNID_MENU because the current message is equal to WM_NCCREATE. But the most important part is that the ability to manipulate extra data prior to setting Function ID to FNID_MENU can force the xxxMenuWindowProc function to stop initialization of the menu and return FALSE. Because of that, sending of the NCCREATE message will be considered a failed operation and CreateWindowEx function will stop execution with a call to FreeWindow. Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/04/12151014/190412-ceg-4633-1.png>)\n\n**_win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64_**\n\nThe exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.\n\nAfter a successful exploitation, the exploit executed PowerShell with a Base64 encoded command. The main aim of this command was to download a second-stage script from https//pastebin.com. 
The second stage PowerShell executes the final third stage, which is also a PowerShell script.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/04/12151031/190412-ceg-4633-2.png>)\n\n**_Third stage PowerShell script_**\n\nThe third script is very simple and does the following:\n\n * Unpacks shellcode\n * Allocates executable memory\n * Copies shellcode to allocated memory\n * Calls CreateThread to execute shellcode\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/04/12151049/190412-ceg-4633-3.png>)\n\n**_Shellcode from PowerShell script_**\n\nThe main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim's system.\n\nKaspersky Lab products detected this exploit proactively through the following technologies:\n\n 1. Behavioral detection engine and Exploit Prevention for endpoint products;\n 2. Advanced Sandboxing and Anti-Malware engine of the Kaspersky Anti Targeted Attack (KATA) platform.\n\nKaspersky Lab verdicts for the artifacts used in this and related attacks are:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic", "cvss3": {}, "published": "2019-04-15T10:00:56", "type": "securelist", "title": "New zero-day vulnerability CVE-2019-0859 in win32k.sys", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8453", "CVE-2018-8589", "CVE-2018-8611", "CVE-2019-0797", "CVE-2019-0859"], "modified": "2019-04-15T10:00:56", "id": "SECURELIST:52185495AADEC0E6183185DE5799E6B5", "href": "https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-09-03T13:05:29", "description": "\n\n**[IT threat evolution Q2 2020. PC statistics](<https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/>) \n[IT threat evolution Q2 2020. 
Mobile statistics](<https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/>)**\n\n## Targeted attacks\n\n### PhantomLance: hiding in plain sight\n\nIn April, we reported the results of our investigation into a [mobile spyware campaign that we call 'PhantomLance'](<https://securelist.com/apt-phantomlance/96772/>). The campaign involved a backdoor Trojan that the attackers distributed via dozens of apps in Google Play and elsewhere.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24151032/sl_malware_report_q2_2020_01.png>)\n\n[Dr Web first reported the malware in July 2019](<https://news.drweb.com/show/?i=13349&c=0&p=0>), but we decided to investigate because the Trojan was more sophisticated than most malware for stealing money or displaying ads. The spyware is able to gather geo-location data, call logs and contacts; and can monitor SMS activity. The malware can also collect information about the device and the apps installed on it.\n\nThe earliest registered PhantomLance domain we found dates back to December 2015. We found dozens of related samples that had been appearing in the wild since 2016 and one of the latest samples was published in November last year. We informed Google about the malware, and Google removed it soon after. We observed around 300 attacks targeting specific Android devices, mainly in Southeast Asia.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24151134/sl_malware_report_q2_2020_02.png>)\n\nDuring our investigation, we discovered various overlaps with reported OceanLotus APT campaigns, including code similarities with a previous Android campaign, as well as macOS backdoors, infrastructure overlaps with Windows backdoors and a few cross-platform characteristics.\n\n### Naikon's Aria\n\nThe Naikon APT is a well-established threat actor in the APAC region. 
Kaspersky first [reported](<https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/>) and then [fully described](<https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/>) the group in 2015. Even when the group shut down much of its successful offensive activity, Naikon maintained several splinter campaigns.\n\nResearchers at Check Point recently published their [write-up](<https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/>) on Naikon resources and activities related to "Aria-Body", which we detected in 2017 and reported in 2018. To supplement their research findings, we published a summary of our June 2018 report, "[Naikon's New AR Backdoor Deployment to Southeast Asia](<https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/>)", which aligns with the Check Point report.\n\nAR is a set of backdoors with compilation dates between January 2017 and February 2018. Much of this code operates in memory, injected by other loader components without touching disk, making it very difficult to detect. We trace portions of this codebase back to "xsFunction" EXE and DLL modules used in Naikon operations going back to 2012. It's probable that the new backdoor, and related activity, is an extension of, or a merger with, the group's "Paradir Operation". In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. In many cases we have seen that these systems also were targeted previously with PlugX and other malware.\n\nThe group has evolved since 2015, although it continues to focus on the same targets. 
We identified at least half a dozen individual variants from 2017 and 2018.\n\nYou can read our report [here](<https://securelist.com/naikons-aria/96899/>).\n\n### COMpfun authors spoof visa application with HTTP status-based Trojan\n\nLast October, we observed malware that we call Reductor, with strong code similarities to COMpfun, which [infected files on the fly to compromise TLS traffic](<https://securelist.com/compfun-successor-reductor/93633/>). The attackers behind Reductor have continued to develop their code. More recently, the [Kaspersky Threat Attribution Engine](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool?redef=1&THRU&reseller=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______>) revealed a new Trojan with strong code similarities to COMpfun.\n\nThe [new malware](<https://securelist.com/compfun-http-status-based-trojan/96874/>), like its predecessor, targeted diplomatic bodies in Europe. To lure their victims, the attackers used spoofed visa applications that contain malware that acts as a first-stage dropper. This in turn downloads the main payload, which logs the target's location, gathers host- and network-related data, performs keylogging and takes screenshots. The Trojan also monitors USB devices and can infect them in order to spread further, and receives commands from the C2 server in the form of HTTP status codes.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24151332/sl_malware_report_q2_202003.jpg>)\n\nIt's not entirely clear which threat actor is behind COMpfun. 
However, based mostly on the victims targeted by the malware, we associate it, with medium-to-low confidence, with the Turla APT.\n\n### Mind the [air] gap\n\nIn June, we published our report on the latest tools and TTPs (Tactics, Techniques and Procedures) of [Cycldek](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) (aka Goblin Panda, APT 27 and Conimes), a threat actor that has targeted governments in Southeast Asia since 2013.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24151458/sl_malware_report_q2_2020_04.png>)\n\nMost of the attacks we have seen since 2018 start with phishing emails that contain politically themed, booby-trapped RTF documents that exploit known vulnerabilities. Once the target computer has been compromised, the attackers install malware called NewCore RAT. There are two variants. The first, BlueCore, appears to have been deployed against diplomatic and government targets in Vietnam; while the second, RedCore, was first deployed in Vietnam before being found in Laos.\n\nBoth variants download additional tools, including a custom backdoor, a tool for stealing cookies and a tool that steals passwords from Chromium-based browser databases. The most striking of these tools is USBCulprit, which relies on USB media to exfiltrate data from victims' computers. This may suggest that Cycldek is trying to reach air-gapped networks in compromised environments or relies on a physical presence for the same purpose. The malware is implanted as a side-loaded DLL of legitimate, signed applications.\n\n### Looking at big threats using code similarity\n\nIn June, we announced the release of [KTAE](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>) (Kaspersky Threat Attribution Engine). 
KTAE was initially developed as an internal threat hunting tool by the Global Research and Analysis Team at Kaspersky and was instrumental in our investigations into the [LightSpy](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>), [TajMahal](<https://securelist.com/project-tajmahal/90240/>), [Dtrack](<https://securelist.com/my-name-is-dtrack/93338/>), [ShadowHammer](<https://securelist.com/operation-shadowhammer/89992/>) and [ShadowPad](<https://securelist.com/shadowpad-in-corporate-networks/81432/>) campaigns.\n\nHere's how it works in a nutshell. We extract from a suspicious file something that we call 'genotypes' \u2013 short fragments of code selected using our proprietary algorithm \u2013 and compare it with more than 60,000 objects of targeted attacks from our database, using a wide range of characteristics. Based on the code similarities, KTAE calculates a reputational score and highlights the possible origin and author, with a short description and links to both private and public resources, outlining the previous campaigns.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24151820/sl_malware_report_q2_2020_05.jpg>)\n\nSubscribers to our [APT intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting?redef=1&THRU&reseller=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______>) can see a dedicated report on the TTPs used by the identified threat actor, as well as further response steps.\n\nKTAE is designed to be deployed on a customer's network, with updates provided via USB, to ensure confidentiality. In addition to the threat intelligence available 'out of the box', customers can create their own database and fill it with malware samples found by in-house analysts. In this way, KTAE will learn to attribute malware analogous to those in the customer's database while keeping this information confidential. 
There's also an API (application programming interface) to connect the engine to other systems, including a third-party SOC (security operations center).\n\nCode similarity can only provide pointers; and attackers can set false flags that can trick even the most advanced threat hunting tools \u2013 [the 'attribution hell' surrounding Olympic Destroyer](<https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/>) provided an object lesson in how this can happen. The purpose of tools such as KTAE is to point experts in the right direction and to test likely scenarios.\n\nYou can find out more about the development of KTAE in this [post](<https://securelist.com/big-threats-using-code-similarity-part-1/97239/>) by Costin Raiu, Director of the Global Research and Analysis Team and this [product demonstration](<https://www.brighttalk.com/webcast/15591/414427?utm_source=kdaily&utm_medium=blog&utm_campaign=gl_great-kitchen_ay0073&utm_content=link&utm_term=gl_kdaily_organic_73kst6nfgfeyywq>).\n\n### SixLittleMonkeys\n\nEarlier this year, we observed a Trojan injected into the spooler system process memory of a computer belonging to a diplomatic body. The malware is implemented like an API using an enterprise-grade programming style \u2013 something that is quite rare and is mostly used by advanced threat actors. 
We attribute this campaign to a threat actor called SixLittleMonkeys (aka Microcin) because of the re-use of C2 infrastructure, code similarities and focus on diplomatic targets in Central Asia.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24151946/sl_malware_report_q2_2020_06.png>)\n\nThis threat actor uses steganography to deliver malicious modules and configuration data from a legitimate public resource, in this case from the legitimate public image hosting service cloudinary.com:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24152032/sl_malware_report_q2_2020_07.png>)\n\nYou can read our full report [here](<https://securelist.com/microcin-is-here/97353/>).\n\n## Other malware\n\n### Loncom packer: from backdoors to Cobalt Strike\n\nIn March, we reported the [distribution of Mokes and Buerak malware under the guise of a security certificate update](<https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/>). Following publication of that report, we conducted a [detailed analysis of the malware associated with this campaign](<https://securelist.com/loncom-packer-from-backdoors-to-cobalt-strike/96465/>). All of the malware uses legitimate NSIS software for packing and loading shellcode, and the Microsoft Crypto API for decrypting the final payload.\n\nBesides Mokes and Buerak, which we mentioned in the previous article, we noticed packed specimens of DarkVNC and Sodin (aka REvil and Sodinokibi). The former is a backdoor used to control an infected machine via the VNC protocol; the latter is a ransomware family. However, the most striking find was the Cobalt Strike utility, which is used both by legal pen-testers and by various APT groups. 
The command center of the sample that contained Cobalt Strike had previously been seen distributing CactusTorch, a utility for running shellcode present in Cobalt Strike modules, and the same Cobalt Strike packed with a different packer.\n\n### xHelper: the Trojan matryoshka\n\nThe [xHelper](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>) Trojan remains as active as ever. The most notable feature of this Trojan is its persistence on an Android device: once it gets onto a phone, it's able to survive even if it's deleted or the device is restored to factory settings.\n\nThe architecture of the latest version resembles a Russian nesting doll (or 'matryoshka'). The infection starts by tricking a victim into downloading a fake app \u2013 in the case of the version we analyzed, an app that masquerades as a popular cleaner and speed-up utility. Following installation, it is listed as an installed app in the system settings, but otherwise disappears from the victim's view \u2013 there's no icon and it doesn't show up in search results. The payload, which is decrypted in the background, fingerprints the victim's phone and sends the data to a remote server. It then unpacks a dropper-within-a-dropper-within-a-dropper (hence the matryoshka analogy). The malicious files are stored sequentially in the app's data folder, to which other programs do not have access. This mechanism allows the malware authors to obscure the trail and use malicious modules that are known to security solutions.\n\nThe final downloader in the sequence, called Leech, is responsible for installing the Triada Trojan, whose chief feature is a set of exploits for obtaining root privileges on the victim's device. This allows the Trojan to install malicious files directly in the system partition. Normally this is mounted at system startup and is read-only. 
However, once the Trojan has obtained root access, it remounts the system partition in write mode and modifies the system such that the user is unable to remove the malicious files, even after a factory reset.\n\nSimply deleting xHelper isn't enough to clean the device. If you have 'recovery' mode set up on the device, you can try to extract the 'libc.so' file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it's simpler and more reliable to completely re-flash the phone. If the firmware of the device contains pre-installed malware capable of downloading and installing programs, even re-flashing will be pointless. In that case, it's worth considering an alternative firmware for the device.\n\n### Spike in RDP brute-force attacks\n\nThe huge increase in remote working due to the COVID-19 pandemic has had a direct impact on cybersecurity and the threat landscape. Alongside the higher volume of corporate traffic, the use of third-party services for data exchange and employees working on home computers, IT security teams also have to grapple with the increased use of remote access tools, including the Microsoft RDP (Remote Desktop Protocol).\n\nRDP, used to connect remotely to someone else's desktop, is used by telecommuters and IT support staff to troubleshoot problems. A successful RDP attack provides a cybercriminal with remote access to the target computer with the same permissions enjoyed by the person whose computer it is.\n\nIn the two months prior to our report (i.e. March and April), we observed a [huge increase in attempts to brute-force passwords for RDP accounts](<https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/>). 
The numbers rose from 100,000 to 150,000 per day in January and February to nearly a million per day at the beginning of March.\n\n_Growth in the number of attacks by the Bruteforce.Generic.RDP family, February\u2013April 2019 (_[download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/29113731/rdp-stats-all.png>)_)_\n\nSince attacks on remote infrastructure will undoubtedly continue, it's important for anyone using RDP to protect their systems. This includes the following.\n\n * Use strong passwords.\n * Make RDP available only through a corporate VPN.\n * Use [NLA](<https://en.wikipedia.org/wiki/Network_Level_Authentication>) (Network Level Authentication).\n * Enable two-factor authentication.\n * If you don't use RDP, disable it and close port 3389.\n * Use a reliable security solution.\n\nEven if you use a different remote access protocol, you shouldn't relax. At the end of last year, Kaspersky experts [found 37 vulnerabilities](<https://www.kaspersky.com/blog/vnc-vulnerabilities/31462/>) in various clients that connected via the VNC protocol, which, like RDP, is used for remote access.\n\n### Gaming during the COVID-19 pandemic\n\nOnline gamers face various threats, including malware in pirated copies, mods and cheats, [phishing and other scams](<https://www.kaspersky.com/blog/steam-scam/11317/>) when buying or exchanging in-game items and dangers associated with [buying accounts](<https://www.kaspersky.com/blog/whats-wrong-with-cheap-game-keys/35682/>).\n\nThe COVID-19 pandemic has led to a marked increase in player activity. For one thing, the sales of games have increased:\n\n_Growth in game sales in the week of March 16-22. 
Source: gamesindustry.biz (_[_download_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/05133642/sl_cyber_criminals_play_01-en-rost-prodazh-igr-na-nedele-s-16-po-22-marta-istochnik-gamesindustrybiz.png>))\n\nThe amount of time spent playing has also increased:\n\n_Growth in game sales in the week of March 16-22. Source: gamesindustry.biz (_[_download_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/05133642/sl_cyber_criminals_play_01-en-rost-prodazh-igr-na-nedele-s-16-po-22-marta-istochnik-gamesindustrybiz.png>))\n\nThis hasn't gone unnoticed by cybercriminals. With the connection of work computers to home networks, and, conversely, the entry of home devices into work networks that are often poorly prepared for this, attacks on players are becoming not only a way to get to an individual user's wallet but also a way to access the corporate infrastructure. Cybercriminals are actively hunting for vulnerabilities that they can exploit to compromise systems. For example, in the first five months of this year alone, the number of vulnerabilities discovered on Steam exceeded those discovered in any of the previous years.\n\n_Vulnerabilities discovered in Steam. Source: __cve.mitre.org (_[_download_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2020/06/05152351/sl_cyber_criminals_play_03-ru-kolichestvo-uyazvimostej-obnaruzhennyh-v-steam-2014-2020-gg-istochnik-cvemitreorg.png>))\n\nOf course, cybercriminals also exploit human vulnerabilities \u2013 hence the increase in phishing scams:\n\n_An increase in the number of hits on phishing Steam-related topics relative to February 2020. 
Source: KSN (_[_download_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/05133814/sl_cyber_criminals_play_04-en-uvelichenie-chisla-srabatyvanij-na-fishing-steam-tematiki-otnositelno-fevralya-2020-goda.png>))\n\nAnd the increase in detections on sites with names exploiting the theme of games:\n\n_The number of web attacks using game subjects during the period from January to May 2020. Source: KSN (_[_download_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/05133856/sl_cyber_criminals_play_05-kolichestvo-veb-atak-ispolzuyushih-igrovuyu-tematiku-v-period-s-yanvarya-po-maj-2020-goda-1.png>))\n\nData from KSN (Kaspersky Security Network) indicate that attackers focus most on _Minecraft_, followed by _CS: GO_ and _Witcher_:\n\n_The number of attacks using the theme of an online game, January-May 2020. Source: KSN (_[_download_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/16125113/05-lost.png>)_)_\n\nYou can read more about this in our full [report](<https://securelist.com/do-cybercriminals-play-cyber-games-during-quarantine/97241/>).\n\n### Rovnix bootkit back in business\n\nIn mid-April, our threat monitoring systems detected an attempt by cybercriminals to exploit the COVID-19 pandemic to distribute the Rovnix [bootkit](<https://encyclopedia.kaspersky.com/glossary/bootkit/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). The infected file, which has an EXE or RAR extension, is called (in Russian) 'on the new initiative of the World Bank in connection with the coronavirus pandemic'. The file is a self-extracting archive that contains 'easymule.exe' and '1211.doc'.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/24152419/sl_malware_report_q2_2020_08.png>)\n\nThe file includes the Rovnix bootkit.\n\nRovnix is well-known and its source code was published some time ago. 
And there's nothing new about cybercriminals exploiting the current pandemic to distribute malware. However, Rovnix has been updated with a [UAC](<https://en.wikipedia.org/wiki/User_Account_Control>) (User Account Control) bypass tool, allowing the malware to escalate its privileges without displaying a UAC request. It also uses [DLL hijacking](<https://encyclopedia.kaspersky.com/glossary/dll-hijacking/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) to camouflage itself in the system.\n\nThis version also delivers a loader that is unusual for this malware. Once the malware is installed, the C2 can send commands to control the infected computer, including recording sound from the microphone and sending the audio file to the cybercriminals, turning off or restarting the computer.\n\nOur analysis of this version makes it clear that even well-known threats like Rovnix can throw up surprises when the source code goes public. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add their own 'goodies' to the source code \u2013 in this case, UAC bypass.\n\nYou can read our full analysis [here](<https://securelist.com/oh-what-a-boot-iful-mornin/97365/>).\n\n### Web skimming with Google Analytics\n\nWeb skimming is a common method of stealing the data of online shoppers. Cybercriminals inject malicious code into a target website to harvest the data entered by consumers. 
They gain access to the compromised site by brute-forcing an administrator account password, exploiting vulnerabilities in the CMS (content management system) or one of its third-party plugins, or by injecting malicious code into an incorrectly coded input form.\n\nOne way to prevent this is to try to block the exfiltration of the harvested data using a Content Security Policy (CSP) \u2013 a technical header that lists all services with the right to collect information on a particular site or page. If the service used by the cybercriminals is not listed in the header, they will not be able to withdraw any information they harvest.\n\nSome attackers are using Google Analytics to work around this. Most online providers today carefully monitor visitor statistics; and the most convenient tool for doing this is Google Analytics. The service, which allows data collection based on many parameters, is [currently used by around 29 million sites](<https://trends.builtwith.com/analytics/Google-Analytics>). So, there's a strong likelihood that data transfer to Google Analytics is allowed in the CSP header of an online store. To collect website statistics, all you have to do is configure tracking parameters and add a tracking code to your pages. As far as the service is concerned, if you are able to add this code, you are the legitimate owner of the site. 
So, the malicious script injected by the attacker can collect user data and then, using their own tracking code, send it through the Google Analytics Measurement Protocol directly to their account.\n\nTo prevent these issues, webmasters should do the following:\n\n * Adopt a strict CMS access policy that restricts user rights to a minimum.\n * Install CMS components from trusted sources only.\n * Create strong passwords for all administrator accounts.\n * Apply updates to all software.\n * Filter user-entered data and query parameters, to prevent third-party code injection.\n * For e-commerce sites, use PCI DSS-compliant payment gateways.\n\nConsumers should use a reliable security solution \u2013 one that detects malicious scripts on payment sites.\n\nYou can read more about this method [here](<https://securelist.com/web-skimming-with-google-analytics/97414/>).\n\n### The Magnitude Exploit Kit\n\nExploit kits are not as widespread as they used to be. In the past, they sought to exploit vulnerabilities that had already been patched. However, newer and more secure web browsers with automatic updates simply prevent this. The decline in the use of Adobe Flash Player has also reduced the opportunities for cybercriminals. Adobe Flash Player is a browser plug-in: so even if the browser was up-to-date, there was a possibility that Adobe Flash was still vulnerable to known exploits. The [end of life date for Adobe Flash is fast approaching](<https://www.adobe.com/products/flashplayer/end-of-life.html>). It is disabled by default in all web browsers and has pretty much been replaced with open standards such as HTML5, WebGL, and WebAssembly.\n\nNevertheless, exploit kits have not disappeared completely. 
They have adapted and switched to target people running Internet Explorer that haven't installed the latest security updates.\n\nAlthough Edge replaced Internet Explorer as the default web browser with the release of Windows 10, Internet Explorer is still installed for backward compatibility on machines running Windows 10; and has remained the default web browser for Windows 7, 8 and 8.1. The switch to Microsoft Edge development also meant that Internet Explorer would no longer be actively developed and would only receive vulnerability patches without general security improvements. Notwithstanding this, Internet Explorer remains a relatively popular web browser. According to [NetMarketShare](<https://netmarketshare.com/?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22browser%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22browsersDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222020-04%22%2C%22dateEnd%22%3A%222020-04%22%2C%22segments%22%3A%22-1000%22%7D>), as of April 2020, Internet Explorer is used on 5.45% of desktop computers (for comparison, Firefox accounts for 7.25%, Safari 3.94% and Edge 7.76%).\n\nDespite the security of Internet Explorer being five years behind that of its modern counterparts, it supports a number of legacy script engines. [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>) is a vulnerability in a legacy VBScript engine that was originally discovered in the wild as an exploited zero-day. The majority of exploit kits quickly adopted it as their primary exploit. Since its discovery, a few more vulnerabilities for Internet Explorer have been discovered as in-the-wild zero-days \u2013 CVE-2018-8653, CVE-2019-1367, CVE-2019-1429 and CVE-2020-0674. 
All of them exploited another legacy component of Internet Explorer \u2013 a [JScript](<https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html>) engine. It felt like it was just a matter of time until exploit kits adopted these new exploits.\n\nExploit kits still play a role in today's threat landscape and continue to evolve. We recently analyzed the evolution of one of the most sophisticated exploit kits out there \u2013 the Magnitude Exploit Kit \u2013 for a whole year. We discovered that this exploit kit continues to deliver ransomware to Asia Pacific (APAC) countries via malvertising. Study of the exploit kit's activity over a period of 12 months showed that the Magnitude Exploit Kit is actively maintained and undergoes continuous development. In February this year, the exploit kit switched to an exploit for the most recent vulnerability in Internet Explorer \u2013 CVE-2019-1367 \u2013 originally discovered as an exploited zero-day in the wild. Magnitude Exploit Kit also uses a previously unknown elevation of privilege exploit for CVE-2018-8641, developed by a prolific exploit writer.\n\nYou can read more about our findings [here](<https://securelist.com/magnitude-exploit-kit-evolution/97436/>).\n\nWhile the total volume of attacks performed using exploit kits has decreased, it's clear that they still exist, remain active, and continue to pose a threat. Magnitude is not the only active exploit kit and we see other exploit kits that are also switching to newer exploits for Internet Explorer. 
We recommend that people install security updates, migrate to a supported operating system (and make sure you stay up-to-date with Windows 10 builds) and also replace Internet Explorer as their web browser.", "cvss3": {}, "published": "2020-09-03T10:00:20", "type": "securelist", "title": "IT threat evolution Q2 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8174", "CVE-2018-8641", "CVE-2018-8653", "CVE-2019-1367", "CVE-2019-1429", "CVE-2020-0674"], "modified": "2020-09-03T10:00:20", "id": "SECURELIST:7286FDD05AF03323AEA8EDD25DF1604F", "href": "https://securelist.com/it-threat-evolution-q2-2020/98230/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-01-30T08:50:47", "description": "This month\u2019s Patch Tuesday addresses 39 vulnerabilities, with 9 of them labeled as Critical. Out of the Criticals, most are browser-related, with the rest including Windows, and .net Framework. A Privilege Escalation vulnerability exists in Windows kernel which has been exploited in wild. Adobe also patched 9 Critical and Important vulnerabilities this month for Adobe Acrobat and Reader.\n\nOn the basis of volume and severity this Patch Tuesday is light in weight.\n\n### Workstation Patches\n\nBrowser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Out of the 9 vulnerabilities, 6 can be exploited through browsers.\n\n### Active Attacks on Win32k Privilege Escalation\n\nMicrosoft has reported that there are active attacks detected against CVE-2018-8611. Microsoft has ranked this patch as Important. It is important to prioritize Windows kernel patching.\n\n### Adobe Patches and Mitigations\n\nAdobe released nine patches for Acrobat/Reader, with 6 rated as critical and 3 as important. 
In early December, Adobe also released out-of-band patches for [Adobe Flash](<https://helpx.adobe.com/security/products/flash-player/apsb18-42.html>). CVE-2018-15982 is rated as critical and has been exploited in wild. CVE-2018-15983 is labeled as important.", "cvss3": {}, "published": "2018-12-11T19:21:42", "type": "qualysblog", "title": "December 2018 Patch Tuesday \u2013 39 Vulns, Workstation Patches, Adobe Vulns", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-15982", "CVE-2018-15983", "CVE-2018-8611"], "modified": "2018-12-11T19:21:42", "id": "QUALYSBLOG:6AC221B6FC3416AF7787F326F79DCBE1", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2018/12/11/december-2018-patch-tuesday-39-vulns-workstation-patches-adobe-vulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "krebs": [{"lastseen": "2019-01-04T10:25:10", "description": "**Adobe** and **Microsoft** each released updates today to tackle critical security weaknesses in their software. Microsoft's December patch batch is relatively light, addressing more than three dozen vulnerabilities in **Windows** and related applications. Adobe has issued security fixes for its **Acrobat** and **PDF Reader** products, and has a patch for yet another zero-day flaw in **Flash Player** that is already being exploited in the wild.\n\nAt least nine of the bugs in the Microsoft patches address flaws the company deems \"critical,\" meaning they can be exploited by malware or ne'er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.\n\nMicrosoft patched a zero-day flaw that is already being exploited ([CVE-2018-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611>)) and allows an attacker to elevate his privileges on a host system. 
The weakness, which is present on all supported versions of Windows, is tagged with the less severe \"important\" rating by Microsoft mainly because it requires an attacker to be logged on to the system first.\n\nAccording to security firm **Rapid7**, other notable vulnerabilities this month are in **Internet Explorer** ([CVE-2018-8631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8631>)) and **Edge** ([CVE-2018-8624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8624>)), both of which Microsoft considers most likely to be exploited. Similarly, [CVE-2018-8628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8628>) is a flaw in all supported versions of **PowerPoint** which is also likely to be used by attackers.\n\nIt generally can't hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Also, it\u2019s a good idea to get in the habit of backing up your data _before_ installing Windows updates.\n\n**Windows 10** likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn\u2019t make it easy for Windows 10 users to change this setting, [but it is possible](<https://www.howtogeek.com/224471/how-to-prevent-windows-10-from-automatically-downloading-updates/>). For all other Windows OS users, if you\u2019d rather be alerted to new updates when they\u2019re available so you can choose when to install them, there\u2019s a setting for that in **Windows Update**.\n\nFor its part, Adobe's got new versions of Adobe Reader and Adobe Acrobat that plug [dozens of security holes](<https://helpx.adobe.com/security/products/acrobat/apsb18-41.html>) in the programs. 
Also, last week Adobe [issued an emergency patch](<https://helpx.adobe.com/security/products/flash-player/apsb18-42.html>) to fix a zero-day flaw in Flash Player that bad guys are now using in active attacks.\n\nFortunately, the most popular Web browser by a long shot -- **Google Chrome** -- auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will [make Chrome users go into their settings to enable it](<https://nakedsecurity.sophos.com/2018/09/03/chrome-flash-is-almost-almost-almost-dead/>) every time they want to run it.\n\nFirefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are [here](<https://support.mozilla.org/en-US/kb/disable-or-remove-add-ons>). Adobe will stop supporting Flash at the end of 2020.\n\nAs always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there\u2019s a good chance other readers have experienced the same and may even chime in here with some helpful tips.\n\nFurther reading:\n\n[Ask Woody's summary](<https://www.askwoody.com/category/microsoft-windows-patches-security/>).\n\n[Ghacks writeup on December 2018 Patch Tuesday](<https://www.ghacks.net/2018/12/11/microsoft-windows-security-updates-december-2018-release-overview/>).\n\n[Qualys's take](<https://blog.qualys.com/laws-of-vulnerabilities/2018/12/11/december-2018-patch-tuesday-39-vulns-workstation-patches-adobe-vulns>).\n\n[Ivanti Patch Tuesday Webinar, 11 a.m. ET, Dec. 
12.](<https://go.ivanti.com/Webinar-December-Patch-Tuesday-121218.html?_ga=2.109927045.1052735492.1544216575-700294194.1518543969>)", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-11T21:05:41", "type": "krebs", "title": "Patch Tuesday, December 2018 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8611", "CVE-2018-8624", "CVE-2018-8628", "CVE-2018-8631"], "modified": "2018-12-11T21:05:41", "id": "KREBS:806855EDF30AAF031028DA4405D90B39", "href": "https://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-01-13T02:27:43", "description": "**Microsoft** today released updates to plug more than 80 security holes in its **Windows** operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. 
Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.\n\n\n\nMost concerning of this month's batch is probably a critical bug ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in Microsoft's default anti-malware suite -- **Windows Defender** -- that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.\n\nBut **Kevin Breen**, director of research at **Immersive Labs**, says depending on the vector the flaw could be trivial to exploit.\n\n"It could be as simple as sending a file," he said. "The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."\n\nFortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.\n\nBreen called attention to another critical vulnerability this month -- [CVE-2020-1660](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1660>) -- which is a remote code execution flaw in nearly every version of Windows that earned a [CVSS score](<https://www.first.org/cvss/>) of 8.8 (10 is the most dangerous).\n\n"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it\u2019s 'less likely' to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us."\n\nCVE-2020-1660 is actually just one of five bugs in a core Microsoft service called **Remote Procedure Call** (RPC), which is responsible for a lot of heavy lifting in Windows. 
Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.\n\n**Allan Liska**, senior security architect at **Recorded Future**, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC -- [CVE-2019-1409](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1409>) and [CVE-2018-8514](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8514>) -- were not widely exploited.\n\nThe remaining 70 or so flaws patched this month earned Microsoft's less-dire "important" ratings, which is not to say they're much less of a security concern. Case in point: [CVE-2021-1709](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1709>), which is an "elevation of privilege" flaw in Windows 8 through 10 and Windows Server 2008 through 2019.\n\n"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, [CVE-2019-1458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458>) was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching."\n\n**Trend Micro's ZDI Initiative** pointed out another flaw marked "important" -- [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>), an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.\n\n"It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch," ZDI's **Dustin Childs** said. 
"The previous CVE was being exploited in the wild, so it\u2019s within reason to think this CVE will be actively exploited as well.\u201d\n\nSeparately, Adobe released security updates to tackle at least eight vulnerabilities [across a range of products](<https://blogs.adobe.com/psirt/?p=1960>), including **Adobe Photoshop** and **Illustrator**. There are no **Flash Player** updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle from last month removed the program from Microsoft's browsers.\n\nWindows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nPlease back up your system before applying any of these updates. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), [Acronis](<https://www.acronis.com/en-us/products/true-image/>) and [Macrium](<https://www.macrium.com/>) are two that I've used previously and are worth a look.\n\nThat said, there don't appear to be any major issues cropping up yet with this month's update batch. 
But before you apply updates consider paying a visit to [AskWoody.com](<https://www.askwoody.com/category/microsoft-windows-patches-security/>), which usually has the skinny on any reports about problematic patches.\n\nAs always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T01:32:20", "type": "krebs", "title": "Microsoft Patch Tuesday, January 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8514", "CVE-2019-1409", "CVE-2019-1458", "CVE-2020-1660", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1660", "CVE-2021-1709"], "modified": "2021-01-13T01:32:20", "id": "KREBS:B3F20C0C41C613971FDADBAE93382CDF", "href": "https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}