Microsoft Windows - CiSetFileCache TOCTOU Incomplete Fix Exploit
2018-04-17T00:00:00
ID 1337DAY-ID-30190 Type zdt Reporter Google Security Research Modified 2018-04-17T00:00:00
Description
Exploit for windows platform in category dos / poc
Windows: CiSetFileCache TOCTOU CVE-2017-11830 Incomplete Fix
Platform: Windows 10 1709 (including Win10S)
Class: Security Feature Bypass
Summary:
The fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies.
Description:
The previous issue I reported was due to not checking for write access on the target file handle when setting the cache. This allows a user application to abuse a TOCTOU and rewrite the file after the hash has been generated for the file. The only changed code seems to be below:
    PFILE_OBJECT target_file;
    // DesiredAccess is 0, so any handle to the file is accepted regardless of what it was granted.
    ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType, &target_file);
    if (target_file->SharedWrite) {
        return STATUS_SHARING_VIOLATION;
    }

    if (target_file->WriteAccess) { // Additional check for the file being opened for write.
        if ((PsGetProcessProtection(PsGetCurrentProcess()) & 7) != ProtectedProcessLight)
            return STATUS_SHARING_VIOLATION;
    }
The fix was to add a check that the target file passed isn’t writable. This combined with the check for FILE_SHARE_WRITE should mean the user can’t hold on to a writable file handle. However, when the file handle is converted to a file object with ObReferenceObjectByHandle the desired access is 0, which means we can pass a handle with any granted access including SYNCHRONIZE or READ_CONTROL, which do not respect file sharing. So we can still exploit this issue by doing the following:
1. Open the file for write access.
2. Reopen another handle to the file for SYNCHRONIZE access. This works as this access right can be used regardless of the sharing mode.
3. Set cached signing level through the handle opened in 2.
4. Wait for oplock, rewrite file using handle opened in 1. Release oplock.
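As an added illustration (not part of the report or its PoC), the following C model reproduces the sharing-mode reasoning above: an open that asks only for SYNCHRONIZE does not take part in the share-access check, so a check that reads only the supplied handle's own SharedWrite and WriteAccess flags cannot rule out a concurrent writer. The hardened_check_passes variant, which additionally requires the handle to have been granted data access, and the names file_object_t, open_file and report_sequence_is_accepted are assumptions made for this model, not Microsoft's actual fix or kernel code.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access-right and share-mode bit values as defined in the Windows SDK. */
#define FILE_READ_DATA    0x00000001u
#define FILE_WRITE_DATA   0x00000002u
#define DELETE            0x00010000u
#define READ_CONTROL      0x00020000u
#define SYNCHRONIZE       0x00100000u
#define FILE_SHARE_READ   0x1u
#define FILE_SHARE_WRITE  0x2u
#define FILE_SHARE_DELETE 0x4u

/* Model of the FILE_OBJECT fields the quoted check consults (field names as in the report). */
typedef struct {
    uint32_t granted_access;
    bool ReadAccess, WriteAccess, DeleteAccess;   /* what this open was granted    */
    bool SharedRead, SharedWrite, SharedDelete;   /* what this open lets others do */
} file_object_t;
#define MAX_OPENS 8
typedef struct { file_object_t opens[MAX_OPENS]; int count; } file_t;
typedef bool (*cache_check_fn)(const file_object_t *, bool caller_is_ppl);

/* Only opens asking for data or delete access take part in the share check; a
 * SYNCHRONIZE- or READ_CONTROL-only open is neither checked nor constrains later opens. */
static bool participates_in_sharing(uint32_t access)
{
    return (access & (FILE_READ_DATA | FILE_WRITE_DATA | DELETE)) != 0;
}

/* Model of the I/O manager share check: index into f->opens, or -1 for a sharing violation. */
static int open_file(file_t *f, uint32_t desired, uint32_t share)
{
    if (f->count >= MAX_OPENS) return -1;
    if (participates_in_sharing(desired)) {
        for (int i = 0; i < f->count; i++) {
            const file_object_t *o = &f->opens[i];
            if (!participates_in_sharing(o->granted_access)) continue;
            /* Our requested access must be allowed by every existing open ... */
            if ((desired & FILE_READ_DATA)  && !o->SharedRead)   return -1;
            if ((desired & FILE_WRITE_DATA) && !o->SharedWrite)  return -1;
            if ((desired & DELETE)          && !o->SharedDelete) return -1;
            /* ... and our share mode must allow what they already hold. */
            if (o->ReadAccess   && !(share & FILE_SHARE_READ))   return -1;
            if (o->WriteAccess  && !(share & FILE_SHARE_WRITE))  return -1;
            if (o->DeleteAccess && !(share & FILE_SHARE_DELETE)) return -1;
        }
    }
    file_object_t *o = &f->opens[f->count];
    o->granted_access = desired;
    o->ReadAccess   = (desired & FILE_READ_DATA)  != 0;
    o->WriteAccess  = (desired & FILE_WRITE_DATA) != 0;
    o->DeleteAccess = (desired & DELETE)          != 0;
    o->SharedRead   = (share & FILE_SHARE_READ)   != 0;
    o->SharedWrite  = (share & FILE_SHARE_WRITE)  != 0;
    o->SharedDelete = (share & FILE_SHARE_DELETE) != 0;
    return f->count++;
}

/* The patched check as quoted in the report: it looks only at the flags of the handle it was given. */
static bool patched_check_passes(const file_object_t *o, bool caller_is_ppl)
{
    if (o->SharedWrite) return false;                   /* STATUS_SHARING_VIOLATION */
    if (o->WriteAccess && !caller_is_ppl) return false; /* STATUS_SHARING_VIOLATION */
    return true;
}

/* Hardened variant (an assumption for illustration, not Microsoft's fix): also require that
 * the handle itself took part in the share check, so SharedWrite == 0 proves no other writer. */
static bool hardened_check_passes(const file_object_t *o, bool caller_is_ppl)
{
    if (!o->ReadAccess) return false;   /* a SYNCHRONIZE/READ_CONTROL-only handle proves nothing */
    return patched_check_passes(o, caller_is_ppl);
}

/* Steps 1-3 of the report: hold a writer, reopen with SYNCHRONIZE only, hand the
 * second handle to the check.  Returns true when the check accepts it (the bypass). */
static bool report_sequence_is_accepted(cache_check_fn check)
{
    file_t f = {0};
    int writer = open_file(&f, FILE_WRITE_DATA | SYNCHRONIZE, FILE_SHARE_READ);
    int sync   = open_file(&f, SYNCHRONIZE, 0);
    assert(writer >= 0 && sync >= 0);   /* both opens succeed, as the report states */
    return check(&f.opens[sync], false);
}

/* A legitimate caller: one exclusive read handle, so no one else can obtain write access. */
static bool exclusive_reader_is_accepted(cache_check_fn check)
{
    file_t f = {0};
    int reader = open_file(&f, FILE_READ_DATA | SYNCHRONIZE, 0);
    assert(reader >= 0);
    assert(open_file(&f, FILE_WRITE_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE) == -1);
    return check(&f.opens[reader], false);
}

int main(void)
{
    printf("patched check, report sequence:   %s\n", report_sequence_is_accepted(patched_check_passes)  ? "accepted (bypass)" : "rejected");
    printf("hardened check, report sequence:  %s\n", report_sequence_is_accepted(hardened_check_passes) ? "accepted (bypass)" : "rejected");
    printf("hardened check, exclusive reader: %s\n", exclusive_reader_is_accepted(hardened_check_passes) ? "accepted" : "rejected");
    return 0;
}
```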
Proof of Concept:
I’ve provided a PoC as a C# project. It will allow you to “cache sign” an arbitrary executable. If you want to test this on a locked down system such as Win10S you’ll need to sign the PoC (and the NtApiDotNet.dll assembly) so it’ll run, or use it via one of my .NET based DG bypasses, in which case you can call the PoC_CacheSignature.Exploit.Run method directly. It copies notepad to a file and attempts to verify it, but uses an oplock to rewrite the contents of the file with the untrusted file before the kernel can set the EA.
1) Compile the C# project. It will need to grab the NtApiDotNet v1.1.7 package from NuGet to work.
2) Execute the PoC passing the path to an unsigned file and to the output “cache signed” file, e.g. poc unsigned.exe output.exe
3) You should see it print the signing level, if successful.
4) You should not be able to execute the unsigned file, bypassing the security policy enforcement.
NOTE: If it prints an exception then the exploit failed. The opened catalog files seem to be cached for some unknown period of time after use, so if the catalog file I’m using for a timing signal is already open then the oplock is never broken. Just rerun the PoC, which will pick a different catalog file to use. Also, the output file must be on an NTFS volume with the USN Change Journal enabled, as that’s relied upon by the signature level cache code. It is best to write it to the boot drive, as that ensures everything should work correctly.
Expected Result:
Access denied or at least an error setting the cached signing level.
Observed Result:
The signing level cache is applied to the file with no further verification. You can now execute the file as if it were signed.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44466.zip
# 0day.today [2018-04-17] #
- An error when Active Directory incorrectly applies Network Isolation settings.\n\n - An error in Remote Desktop Protocol (RDP).\n\n - An error in the HTTP 2.\n\n - Windows Hyper-V on a host operating system fails to properly validate\n input from an authenticated user on a guest operating system.\n\n - An error in the Microsoft JET Database Engine.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct arbitrary code execution, disclose sensitive information, escalate\n privileges, bypass security and cause denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1607 x32/x64\n\n Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4093119\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2188\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 
11.0.14393.2188\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:14", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4093112", "modified": "2019-05-03T00:00:00", "published": "2018-04-11T00:00:00", "id": "OPENVAS:1361412562310813079", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813079", "title": "Microsoft Windows Multiple Vulnerabilities (KB4093112)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4093112)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813079\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-0870\", \"CVE-2018-8116\", \"CVE-2018-0887\", \"CVE-2018-0890\",\n \"CVE-2018-0892\", \"CVE-2018-0956\", \"CVE-2018-0957\", \"CVE-2018-0960\",\n \"CVE-2018-0963\", \"CVE-2018-0964\", \"CVE-2018-0966\", \"CVE-2018-0967\",\n \"CVE-2018-0968\", \"CVE-2018-0969\", \"CVE-2018-0970\", \"CVE-2018-0971\",\n \"CVE-2018-0972\", \"CVE-2018-0973\", \"CVE-2018-0974\", \"CVE-2018-0975\",\n \"CVE-2018-0976\", \"CVE-2018-0979\", \"CVE-2018-0980\", \"CVE-2018-0981\",\n \"CVE-2018-0987\", \"CVE-2018-0988\", \"CVE-2018-0989\", \"CVE-2018-0990\",\n \"CVE-2018-0991\", \"CVE-2018-0993\", \"CVE-2018-0994\", \"CVE-2018-0995\",\n \"CVE-2018-0996\", \"CVE-2018-0997\", \"CVE-2018-0998\", \"CVE-2018-1000\",\n \"CVE-2018-1001\", \"CVE-2018-1009\", \"CVE-2018-1010\", \"CVE-2018-1012\",\n \"CVE-2018-1013\", \"CVE-2018-1015\", \"CVE-2018-1016\", \"CVE-2018-1018\",\n \"CVE-2018-1019\", \"CVE-2018-1020\", \"CVE-2018-1023\", \"CVE-2018-1003\",\n \"CVE-2018-1004\", \"CVE-2018-1008\", \"CVE-2018-1035\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-11 10:41:02 +0530 (Wed, 11 Apr 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4093112)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft 
KB4093112\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows font library improperly handles specially crafted embedded\n fonts.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Microsoft Edge PDF Reader improperly handles objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - An error in Windows Adobe Type Manager Font Driver (ATMFD).\n\n - A Kernel Address Space Layout Randomization (ASLR) bypass error.\n\n - Windows SNMP Service improperly handles malformed SNMP traps.\n\n - A security feature bypass exists when Device Guard incorrectly validates an\n untrusted file.\n\n - Windows Hyper-V on a host operating system fails to properly validate\n input from an authenticated user on a guest operating system.\n\n - Windows Kernel improperly handles objects in memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - Microsoft Edge improperly handles objects in memory.\n\n - An error when Active Directory incorrectly applies Network Isolation settings.\n\n - An error in Remote Desktop Protocol (RDP).\n\n - An error in the HTTP 2.\n\n - An error in Microsoft JET Database Engine.\n\n - A security bypass error related to Device Guard.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct arbitrary code execution, disclose sensitive information, escalate\n privileges, bypass security and cause denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1709 for 32-bit Systems\n\n Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4093112\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.370\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.370\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:13", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4093109", "modified": "2019-05-03T00:00:00", "published": "2018-04-11T00:00:00", "id": "OPENVAS:1361412562310813072", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813072", "title": "Microsoft Windows Multiple Vulnerabilities (KB4093109)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4093109)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# 
Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813072\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-0870\", \"CVE-2018-0887\", \"CVE-2018-8116\", \"CVE-2018-0892\",\n \"CVE-2018-0956\", \"CVE-2018-0957\", \"CVE-2018-0960\", \"CVE-2018-0966\",\n \"CVE-2018-0967\", \"CVE-2018-0968\", \"CVE-2018-0969\", \"CVE-2018-0970\",\n \"CVE-2018-0971\", \"CVE-2018-0972\", \"CVE-2018-0973\", \"CVE-2018-0974\",\n \"CVE-2018-0975\", \"CVE-2018-0976\", \"CVE-2018-0979\", \"CVE-2018-0980\",\n \"CVE-2018-0981\", \"CVE-2018-0987\", \"CVE-2018-0988\", \"CVE-2018-0989\",\n \"CVE-2018-0990\", \"CVE-2018-0991\", \"CVE-2018-0993\", \"CVE-2018-0994\",\n \"CVE-2018-0995\", \"CVE-2018-0996\", \"CVE-2018-0997\", \"CVE-2018-1000\",\n \"CVE-2018-1001\", \"CVE-2018-1010\", \"CVE-2018-1012\", \"CVE-2018-1013\",\n \"CVE-2018-1015\", \"CVE-2018-1016\", \"CVE-2018-1018\", \"CVE-2018-1020\",\n \"CVE-2018-1023\", \"CVE-2018-1003\", \"CVE-2018-1004\", \"CVE-2018-1008\",\n \"CVE-2018-1009\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n 
script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-11 08:56:10 +0530 (Wed, 11 Apr 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4093109)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4093109\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - Scripting engine does not properly handle objects in memory in Internet Explorer.\n\n - An error in Windows Adobe Type Manager Font Driver (ATMFD).\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - A Kernel Address Space Layout Randomization (ASLR) bypass error in windows.\n\n - Windows SNMP Service improperly handles malformed SNMP traps.\n\n - A security feature bypass exists when Device Guard incorrectly validates an\n untrusted file.\n\n - Microsoft browsers improperly access objects in memory.\n\n - Windows kernel improperly handles objects in memory and incorrectly maps kernel\n memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - An error in Remote Desktop Protocol (RDP).\n\n - Windows Hyper-V on a host operating system fails to properly validate\n input from an authenticated user on a guest operating system.\n\n - An error in the Microsoft JET Database Engine.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct arbitrary code execution, disclose sensitive information and bypass\n security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 
Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4093109\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.1539\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10586 - 11.0.10586.1539\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:11", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4093111", "modified": "2019-05-03T00:00:00", "published": "2018-04-11T00:00:00", "id": "OPENVAS:1361412562310813078", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813078", "title": "Microsoft Windows Multiple Vulnerabilities (KB4093111)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 
Multiple Vulnerabilities (KB4093111)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813078\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-0870\", \"CVE-2018-0887\", \"CVE-2018-8116\", \"CVE-2018-0956\",\n \"CVE-2018-0957\", \"CVE-2018-0960\", \"CVE-2018-0966\", \"CVE-2018-0967\",\n \"CVE-2018-0968\", \"CVE-2018-0969\", \"CVE-2018-0970\", \"CVE-2018-0971\",\n \"CVE-2018-0972\", \"CVE-2018-0973\", \"CVE-2018-0974\", \"CVE-2018-0975\",\n \"CVE-2018-0976\", \"CVE-2018-0979\", \"CVE-2018-0980\", \"CVE-2018-0981\",\n \"CVE-2018-0987\", \"CVE-2018-0988\", \"CVE-2018-0989\", \"CVE-2018-0990\",\n \"CVE-2018-0991\", \"CVE-2018-0993\", \"CVE-2018-0994\", \"CVE-2018-0995\",\n \"CVE-2018-0996\", \"CVE-2018-0997\", \"CVE-2018-1000\", \"CVE-2018-1001\",\n \"CVE-2018-1009\", \"CVE-2018-1010\", \"CVE-2018-1012\", \"CVE-2018-1013\",\n \"CVE-2018-1015\", \"CVE-2018-1016\", \"CVE-2018-1018\", \"CVE-2018-1020\",\n \"CVE-2018-1023\", \"CVE-2018-1003\", \"CVE-2018-1004\", \"CVE-2018-1008\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-11 10:29:16 +0530 (Wed, 11 Apr 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4093111)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4093111\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - Scripting engine does not properly handle objects in memory in Internet Explorer.\n\n - An error in Windows Adobe Type Manager Font Driver (ATMFD).\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Chakra scripting engine handles objects in memory in Microsoft Edge.\n\n - A Kernel Address Space Layout Randomization (ASLR) bypass error in windows.\n\n - Windows SNMP Service improperly handles malformed SNMP traps.\n\n - A security feature bypass exists when Device Guard incorrectly validates an\n untrusted file.\n\n - Microsoft browsers improperly access objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - An error in Remote Desktop Protocol (RDP).\n\n - An error in HTTP 2.\n\n - Windows Hyper-V on a host operating system fails to properly validate\n input from an authenticated user on a guest operating system.\n\n - An error in in the Microsoft JET Database Engine.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct arbitrary code execution, 
disclose sensitive information, escalate\n privileges, bypass security and cause denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 for 32-bit Systems\n\n Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4093111\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17830\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17830\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-09T11:37:18", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4093109.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. 
An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-0966)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-0956)\n\n - An elevation of privilege vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute arbitrary code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1008)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-0979, CVE-2018-0980,\n CVE-2018-0990, CVE-2018-0993, CVE-2018-0994,\n CVE-2018-0995)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. 
(CVE-2018-0957)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-0987)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0887)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0870,\n CVE-2018-0991, CVE-2018-0997, CVE-2018-1018,\n CVE-2018-1020)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-1023)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0960)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-1004)\n\n - An information disclosure vulnerability exists in the\n way that the scripting engine handles objects in memory\n in Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could provide an\n attacker with information to further compromise the\n user", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_APR_4093111.NASL", "href": "https://www.tenable.com/plugins/nessus/108963", "published": "2018-04-10T00:00:00", "title": "KB4093111: Windows 10 April 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108963);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\n \"CVE-2018-0870\",\n \"CVE-2018-0887\",\n \"CVE-2018-0956\",\n \"CVE-2018-0957\",\n \"CVE-2018-0960\",\n \"CVE-2018-0966\",\n \"CVE-2018-0967\",\n \"CVE-2018-0968\",\n \"CVE-2018-0969\",\n \"CVE-2018-0970\",\n \"CVE-2018-0971\",\n \"CVE-2018-0972\",\n \"CVE-2018-0973\",\n \"CVE-2018-0974\",\n \"CVE-2018-0975\",\n \"CVE-2018-0976\",\n \"CVE-2018-0979\",\n \"CVE-2018-0980\",\n \"CVE-2018-0981\",\n \"CVE-2018-0987\",\n \"CVE-2018-0988\",\n \"CVE-2018-0989\",\n \"CVE-2018-0990\",\n \"CVE-2018-0991\",\n \"CVE-2018-0993\",\n \"CVE-2018-0994\",\n \"CVE-2018-0995\",\n \"CVE-2018-0996\",\n \"CVE-2018-0997\",\n \"CVE-2018-1000\",\n \"CVE-2018-1001\",\n \"CVE-2018-1003\",\n \"CVE-2018-1004\",\n \"CVE-2018-1008\",\n \"CVE-2018-1009\",\n \"CVE-2018-1010\",\n \"CVE-2018-1012\",\n 
\"CVE-2018-1013\",\n \"CVE-2018-1015\",\n \"CVE-2018-1016\",\n \"CVE-2018-1018\",\n \"CVE-2018-1020\",\n \"CVE-2018-1023\",\n \"CVE-2018-8116\"\n );\n script_xref(name:\"MSKB\", value:\"4093111\");\n script_xref(name:\"MSFT\", value:\"MS18-4093111\");\n\n script_name(english:\"KB4093111: Windows 10 April 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4093111.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-0966)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0887)\n\n - An elevation of privilege vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute arbitrary code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2018-1008)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-0979, CVE-2018-0980,\n CVE-2018-0990, CVE-2018-0993, CVE-2018-0994,\n CVE-2018-0995)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2018-0957)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-0987)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-1003)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2018-0870,\n CVE-2018-0991, CVE-2018-0997, CVE-2018-1018,\n CVE-2018-1020)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-1023)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles objects in memory and\n incorrectly maps kernel memory. (CVE-2018-1009)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2018-0968,\n CVE-2018-0969, CVE-2018-0970, CVE-2018-0971,\n CVE-2018-0972, CVE-2018-0973, CVE-2018-0974,\n CVE-2018-0975)\n\n - A denial of service vulnerability exists in the way that\n Windows handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. Note that the denial\n of service condition would not allow an attacker to\n execute code or to elevate user privileges. However, the\n denial of service condition could prevent authorized\n users from using system resources. The security update\n addresses the vulnerability by correcting how Windows\n handles objects in memory. (CVE-2018-8116)\n\n - A denial of service vulnerability exists in the way that\n Windows SNMP Service handles malformed SNMP traps. An\n attacker who successfully exploited the vulnerability\n could cause a target system to stop responding. 
Note\n that the denial of service condition would not allow an\n attacker to execute code or to elevate user privileges.\n However, the denial of service condition could prevent\n authorized users from using system resources. The\n security update addresses the vulnerability by\n correcting how Windows SNMP Service processes SNMP\n traps. (CVE-2018-0967)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-1004)\n\n - An information disclosure vulnerability exists in the\n way that the scripting engine handles objects in memory\n in Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could provide an\n attacker with information to further compromise the\n user's computer or data. (CVE-2018-0981, CVE-2018-0989,\n CVE-2018-1000)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0960)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2018-0976)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1010,\n CVE-2018-1012, CVE-2018-1013, CVE-2018-1015,\n CVE-2018-1016)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-0956)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0988, CVE-2018-0996, CVE-2018-1001)\");\n # https://support.microsoft.com/en-us/help/4093111/windows-10-update-kb4093111\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?09eb0963\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4093111.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1016\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2018/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-04\";\nkbs = make_list('4093111');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"04_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4093111])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-09T11:37:18", "bulletinFamily": 
"scanner", "description": "The remote Windows host is missing security update 4093107.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles objects in memory and\n incorrectly maps kernel memory. (CVE-2018-1009)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-0966)\n\n - A denial of service vulnerability exists in the way that\n Windows SNMP Service handles malformed SNMP traps. An\n attacker who successfully exploited the vulnerability\n could cause a target system to stop responding. Note\n that the denial of service condition would not allow an\n attacker to execute code or to elevate user privileges.\n However, the denial of service condition could prevent\n authorized users from using system resources. The\n security update addresses the vulnerability by\n correcting how Windows SNMP Service processes SNMP\n traps. (CVE-2018-0967)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0960)\n\n - An elevation of privilege vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could execute arbitrary code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1008)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-0987)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-1003)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-0963)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2018-0976)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0988, CVE-2018-0996, CVE-2018-1001)\n\n - A security feature bypass vulnerability exists when\n Active Directory incorrectly applies Network Isolation\n settings. (CVE-2018-0890)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1010,\n CVE-2018-1012, CVE-2018-1013, CVE-2018-1015,\n CVE-2018-1016)\n\n - An information disclosure vulnerability exists in the\n way that the scripting engine handles objects in memory\n in Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could provide an\n attacker with information to further compromise the\n user", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_APR_4093107.NASL", "href": "https://www.tenable.com/plugins/nessus/108960", "published": "2018-04-10T00:00:00", "title": "KB4093107: Windows 10 Version 1703 April 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108960);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\n \"CVE-2018-0870\",\n \"CVE-2018-0887\",\n \"CVE-2018-0890\",\n \"CVE-2018-0892\",\n \"CVE-2018-0956\",\n \"CVE-2018-0957\",\n \"CVE-2018-0960\",\n \"CVE-2018-0963\",\n \"CVE-2018-0964\",\n \"CVE-2018-0966\",\n \"CVE-2018-0967\",\n \"CVE-2018-0968\",\n \"CVE-2018-0969\",\n \"CVE-2018-0970\",\n \"CVE-2018-0971\",\n \"CVE-2018-0972\",\n \"CVE-2018-0973\",\n \"CVE-2018-0974\",\n \"CVE-2018-0975\",\n \"CVE-2018-0976\",\n \"CVE-2018-0979\",\n \"CVE-2018-0980\",\n \"CVE-2018-0981\",\n \"CVE-2018-0987\",\n \"CVE-2018-0988\",\n \"CVE-2018-0989\",\n \"CVE-2018-0990\",\n \"CVE-2018-0991\",\n \"CVE-2018-0993\",\n \"CVE-2018-0994\",\n \"CVE-2018-0995\",\n \"CVE-2018-0996\",\n \"CVE-2018-0997\",\n \"CVE-2018-0998\",\n \"CVE-2018-1000\",\n \"CVE-2018-1001\",\n \"CVE-2018-1003\",\n \"CVE-2018-1004\",\n \"CVE-2018-1008\",\n \"CVE-2018-1009\",\n \"CVE-2018-1010\",\n \"CVE-2018-1012\",\n \"CVE-2018-1013\",\n \"CVE-2018-1015\",\n \"CVE-2018-1016\",\n \"CVE-2018-1018\",\n \"CVE-2018-1020\",\n \"CVE-2018-1023\",\n \"CVE-2018-8116\",\n \"CVE-2018-8142\"\n );\n script_xref(name:\"MSKB\", value:\"4093107\");\n script_xref(name:\"MSFT\", value:\"MS18-4093107\");\n\n script_name(english:\"KB4093107: Windows 10 Version 1703 April 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4093107.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles objects in memory and\n incorrectly maps kernel memory. 
(CVE-2018-1009)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-0966)\n\n - A denial of service vulnerability exists in the way that\n Windows SNMP Service handles malformed SNMP traps. An\n attacker who successfully exploited the vulnerability\n could cause a target system to stop responding. Note\n that the denial of service condition would not allow an\n attacker to execute code or to elevate user privileges.\n However, the denial of service condition could prevent\n authorized users from using system resources. The\n security update addresses the vulnerability by\n correcting how Windows SNMP Service processes SNMP\n traps. (CVE-2018-0967)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0960)\n\n - An elevation of privilege vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute arbitrary code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2018-1008)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-0987)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-1003)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-0963)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2018-0976)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0988, CVE-2018-0996, CVE-2018-1001)\n\n - A security feature bypass vulnerability exists when\n Active Directory incorrectly applies Network Isolation\n settings. 
(CVE-2018-0890)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1010,\n CVE-2018-1012, CVE-2018-1013, CVE-2018-1015,\n CVE-2018-1016)\n\n - An information disclosure vulnerability exists in the\n way that the scripting engine handles objects in memory\n in Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could provide an\n attacker with information to further compromise the\n user's computer or data. (CVE-2018-0981, CVE-2018-0989,\n CVE-2018-1000)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0870,\n CVE-2018-0991, CVE-2018-0997, CVE-2018-1018,\n CVE-2018-1020)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0998)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. 
(CVE-2018-0968,\n CVE-2018-0969, CVE-2018-0970, CVE-2018-0971,\n CVE-2018-0972, CVE-2018-0973, CVE-2018-0974,\n CVE-2018-0975)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0892)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2018-0957, CVE-2018-0964)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-1023)\n\n - A denial of service vulnerability exists in the way that\n Windows handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. Note that the denial\n of service condition would not allow an attacker to\n execute code or to elevate user privileges. However, the\n denial of service condition could prevent authorized\n users from using system resources. The security update\n addresses the vulnerability by correcting how Windows\n handles objects in memory. (CVE-2018-8116)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2018-1004)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-0979, CVE-2018-0980,\n CVE-2018-0990, CVE-2018-0993, CVE-2018-0994,\n CVE-2018-0995)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-0956)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. 
(CVE-2018-0887)\");\n # https://support.microsoft.com/en-us/help/4093107/windows-10-update-kb4093107\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d125849e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4093107.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1016\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-04\";\nkbs = make_list('4093107');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"04_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4093107])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-09T11:37:18", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4093112.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An vulnerability exists within microprocessors utilizing\n speculative execution and indirect branch prediction,\n which may allow an attacker with local user access to\n disclose information via a side-channel analysis.\n (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)\n\n - An elevation of privilege vulnerability exists when\n 
Windows improperly handles objects in memory and\n incorrectly maps kernel memory. (CVE-2018-1009)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-0966, CVE-2018-1035)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-0979, CVE-2018-0980,\n CVE-2018-0990, CVE-2018-0993, CVE-2018-0994,\n CVE-2018-0995, CVE-2018-1019)\n\n - A denial of service vulnerability exists in the way that\n Windows SNMP Service handles malformed SNMP traps. An\n attacker who successfully exploited the vulnerability\n could cause a target system to stop responding. Note\n that the denial of service condition would not allow an\n attacker to execute code or to elevate user privileges.\n However, the denial of service condition could prevent\n authorized users from using system resources. The\n security update addresses the vulnerability by\n correcting how Windows SNMP Service processes SNMP\n traps. (CVE-2018-0967)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0960)\n\n - An elevation of privilege vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute arbitrary code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1008)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-0987)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-1003)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-0963)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. 
(CVE-2018-0976)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0988, CVE-2018-0996, CVE-2018-1001)\n\n - A security feature bypass vulnerability exists when\n Active Directory incorrectly applies Network Isolation\n settings. (CVE-2018-0890)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1010,\n CVE-2018-1012, CVE-2018-1013, CVE-2018-1015,\n CVE-2018-1016)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0870,\n CVE-2018-0991, CVE-2018-0997, CVE-2018-1018,\n CVE-2018-1020)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0998)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. 
An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2018-0968,\n CVE-2018-0969, CVE-2018-0970, CVE-2018-0971,\n CVE-2018-0972, CVE-2018-0973, CVE-2018-0974,\n CVE-2018-0975)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0892)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2018-0957, CVE-2018-0964)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-1023)\n\n - A denial of service vulnerability exists in the way that\n Windows handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. Note that the denial\n of service condition would not allow an attacker to\n execute code or to elevate user privileges. However, the\n denial of service condition could prevent authorized\n users from using system resources. The security update\n addresses the vulnerability by correcting how Windows\n handles objects in memory. (CVE-2018-8116)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-1004)\n\n - An information disclosure vulnerability exists in the\n way that the scripting engine handles objects in memory\n in Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could provide an\n attacker with information to further compromise the\n user", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_APR_4093112.NASL", "href": "https://www.tenable.com/plugins/nessus/108964", "published": "2018-04-10T00:00:00", "title": "KB4093112: Windows 10 Version 1709 and Windows Server Version 1709 April 2018 Security Update (Meltdown)(Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108964);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\n \"CVE-2017-5715\",\n \"CVE-2017-5753\",\n \"CVE-2017-5754\",\n \"CVE-2018-0870\",\n \"CVE-2018-0887\",\n \"CVE-2018-0890\",\n \"CVE-2018-0892\",\n \"CVE-2018-0956\",\n \"CVE-2018-0957\",\n \"CVE-2018-0960\",\n \"CVE-2018-0963\",\n \"CVE-2018-0964\",\n \"CVE-2018-0966\",\n \"CVE-2018-0967\",\n \"CVE-2018-0968\",\n \"CVE-2018-0969\",\n \"CVE-2018-0970\",\n \"CVE-2018-0971\",\n \"CVE-2018-0972\",\n \"CVE-2018-0973\",\n \"CVE-2018-0974\",\n \"CVE-2018-0975\",\n \"CVE-2018-0976\",\n \"CVE-2018-0979\",\n \"CVE-2018-0980\",\n \"CVE-2018-0981\",\n \"CVE-2018-0987\",\n \"CVE-2018-0988\",\n \"CVE-2018-0989\",\n \"CVE-2018-0990\",\n \"CVE-2018-0991\",\n \"CVE-2018-0993\",\n \"CVE-2018-0994\",\n \"CVE-2018-0995\",\n \"CVE-2018-0996\",\n \"CVE-2018-0997\",\n \"CVE-2018-0998\",\n \"CVE-2018-1000\",\n \"CVE-2018-1001\",\n \"CVE-2018-1003\",\n \"CVE-2018-1004\",\n 
\"CVE-2018-1008\",\n \"CVE-2018-1009\",\n \"CVE-2018-1010\",\n \"CVE-2018-1012\",\n \"CVE-2018-1013\",\n \"CVE-2018-1015\",\n \"CVE-2018-1016\",\n \"CVE-2018-1018\",\n \"CVE-2018-1019\",\n \"CVE-2018-1020\",\n \"CVE-2018-1023\",\n \"CVE-2018-1035\",\n \"CVE-2018-8116\",\n \"CVE-2018-8142\"\n );\n script_xref(name:\"MSKB\", value:\"4093112\");\n script_xref(name:\"IAVA\", value:\"2018-A-0019\");\n script_xref(name:\"IAVA\", value:\"2018-A-0020\");\n script_xref(name:\"MSFT\", value:\"MS18-4093112\");\n\n script_name(english:\"KB4093112: Windows 10 Version 1709 and Windows Server Version 1709 April 2018 Security Update (Meltdown)(Spectre)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4093112.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An vulnerability exists within microprocessors utilizing\n speculative execution and indirect branch prediction,\n which may allow an attacker with local user access to\n disclose information via a side-channel analysis.\n (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles objects in memory and\n incorrectly maps kernel memory. (CVE-2018-1009)\n\n - A security feature bypass exists when Device Guard\n incorrectly validates an untrusted file. An attacker who\n successfully exploited this vulnerability could make an\n unsigned file appear to be signed. Because Device Guard\n relies on the signature to determine the file is non-\n malicious, Device Guard could then allow a malicious\n file to execute. In an attack scenario, an attacker\n could make an untrusted file appear to be a trusted\n file. 
The update addresses the vulnerability by\n correcting how Device Guard handles untrusted files.\n (CVE-2018-0966, CVE-2018-1035)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-0979, CVE-2018-0980,\n CVE-2018-0990, CVE-2018-0993, CVE-2018-0994,\n CVE-2018-0995, CVE-2018-1019)\n\n - A denial of service vulnerability exists in the way that\n Windows SNMP Service handles malformed SNMP traps. An\n attacker who successfully exploited the vulnerability\n could cause a target system to stop responding. Note\n that the denial of service condition would not allow an\n attacker to execute code or to elevate user privileges.\n However, the denial of service condition could prevent\n authorized users from using system resources. The\n security update addresses the vulnerability by\n correcting how Windows SNMP Service processes SNMP\n traps. (CVE-2018-0967)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-0960)\n\n - An elevation of privilege vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute arbitrary code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2018-1008)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Internet Explorer. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system.\n (CVE-2018-0987)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-1003)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-0963)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2018-0976)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-0988, CVE-2018-0996, CVE-2018-1001)\n\n - A security feature bypass vulnerability exists when\n Active Directory incorrectly applies Network Isolation\n settings. 
(CVE-2018-0890)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-1010,\n CVE-2018-1012, CVE-2018-1013, CVE-2018-1015,\n CVE-2018-1016)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0870,\n CVE-2018-0991, CVE-2018-0997, CVE-2018-1018,\n CVE-2018-1020)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge PDF Reader improperly handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0998)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2018-0968,\n CVE-2018-0969, CVE-2018-0970, CVE-2018-0971,\n CVE-2018-0972, CVE-2018-0973, CVE-2018-0974,\n CVE-2018-0975)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2018-0892)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2018-0957, CVE-2018-0964)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-1023)\n\n - A denial of service vulnerability exists in the way that\n Windows handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. Note that the denial\n of service condition would not allow an attacker to\n execute code or to elevate user privileges. However, the\n denial of service condition could prevent authorized\n users from using system resources. The security update\n addresses the vulnerability by correcting how Windows\n handles objects in memory. (CVE-2018-8116)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2018-1004)\n\n - An information disclosure vulnerability exists in the\n way that the scripting engine handles objects in memory\n in Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could provide an\n attacker with information to further compromise the\n user's computer or data. 
(CVE-2018-0981, CVE-2018-0989,\n CVE-2018-1000)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-0956)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-0887)\");\n # https://support.microsoft.com/en-us/help/4093112/windows-10-update-kb4093112\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19dc0635\");\n # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8902cebb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4093112 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1016\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_enum_services.nasl\", \"microsoft_windows_env_vars.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_reg_query.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nbulletin = \"MS18-04\";\nkbs = make_list('4093112');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nreg_checks = [\n ['GenuineIntel', '0', '3'], # CVE-2017-5715, CVE-2017-5754\n ['GenuineIntel', '8', '3'], # CVE-2018-3639, 
CVE-2017-5715, CVE-2017-5754\n ['GenuineIntel', '72', '3'], # CVE-2018-3639, CVE-2017-5715, CVE-2017-5754, CVE-2018-11091, CVE-2018-12126,\n # CVE-2018-12127, CVE-2018-12130, CVE-2017-5753, CVE-2018-3615, CVE-2018-3620,\n # CVE-2018-3646 w/ Hyper-Threading\n ['GenuineIntel', '8264', '3'], # CVE-2018-3639, CVE-2017-5715, CVE-2017-5754, CVE-2018-11091, CVE-2018-12126,\n # CVE-2018-12127, CVE-2018-12130, CVE-2017-5753, CVE-2018-3615, CVE-2018-3620,\n # CVE-2018-3646 w/o Hyper-Threading\n ['AuthenticAMD', '64', '3'], # CVE-2017-5715\n ['AuthenticAMD', '72', '3'] # CVE-2017-5715, CVE 2018-3639\n];\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"04_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4093112])\n || ( \"Server\" >< productname && get_kb_item('SMB/WindowsVersionBuild') == '16299' && !spec_exec_check(bulletin:bulletin, kb:kbs[0], reg_checks:reg_checks) )\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2018-05-15T09:08:43", "bulletinFamily": "blog", "description": "## Microsoft Patch Tuesday - April 2018\n\n \nToday, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 65 new vulnerabilities and one advisory, with 25 of them rated critical, 39 of them rated important and one of them rated moderate. These vulnerabilities impact Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Windows kernel, Windows Hyper-V, Microsoft Scripting Engine and more. \n \nIn addition, an update for Adobe Flash Player was released. 
### Critical Vulnerabilities

This month, Microsoft is addressing 25 vulnerabilities that are rated "critical".

The vulnerabilities rated as "critical" are listed below:

* [CVE-2018-0870 - Internet Explorer Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0870)
* [CVE-2018-0959 - Hyper-V Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0959)
* [CVE-2018-0979 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0979)
* [CVE-2018-0980 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0980)
* [CVE-2018-0981 - Scripting Engine Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0981)
* [CVE-2018-0986 - Microsoft Malware Protection Engine Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0986)
* [CVE-2018-0988 - Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0988)
* [CVE-2018-0990 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0990)
* [CVE-2018-0991 - Internet Explorer Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0991)
* [CVE-2018-0993 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0993)
* [CVE-2018-0994 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0994)
* [CVE-2018-0995 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0995)
* [CVE-2018-0996 - Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0996)
* [CVE-2018-1000 - Scripting Engine Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1000)
* [CVE-2018-1004 - Windows VBScript Engine Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1004)
* [CVE-2018-1010 - Microsoft Graphics Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1010)
* [CVE-2018-1012 - Microsoft Graphics Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1012)
* [CVE-2018-1013 - Microsoft Graphics Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1013)
* [CVE-2018-1015 - Microsoft Graphics Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1015)
* [CVE-2018-1016 - Microsoft Graphics Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1016)
* [CVE-2018-1018 - Internet Explorer Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1018)
* [CVE-2018-1019 - Chakra Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1019)
* [CVE-2018-1020 - Internet Explorer Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1020)
* [CVE-2018-1023 - Microsoft Browser Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1023)
* [ADV180007 - Adobe Flash Player April 2018 Adobe Flash Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180007)

### Important Vulnerabilities

This month, Microsoft is addressing 38 vulnerabilities that are rated "important". Talos believes six of these are notable and require prompt attention.

[CVE-2018-1011 - Microsoft Excel Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1011)

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative rights.

[CVE-2018-1026 - Microsoft Office Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1026)

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[CVE-2018-1027 - Microsoft Excel Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1027)

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[CVE-2018-1028 - Microsoft Office Graphics Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1028)

A remote code execution vulnerability exists when Office graphics improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[CVE-2018-1029 - Microsoft Excel Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1029)

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[CVE-2018-1030 - Microsoft Office Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1030)

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Other vulnerabilities deemed "important" are listed below:

* [CVE-2018-0887 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0887)
* [CVE-2018-0890 - Active Directory Security Feature Bypass Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0890)
* [CVE-2018-0892 - Microsoft Edge Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0892)
* [CVE-2018-0920 - Microsoft Excel Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0920)
* [CVE-2018-0950 - Microsoft Office Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0950)
* [CVE-2018-0956 - HTTP.sys Denial of Service Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0956)
* [CVE-2018-0957 - Hyper-V Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0957)
* [CVE-2018-0960 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0960)
* [CVE-2018-0963 - Windows Kernel Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0963)
* [CVE-2018-0964 - Hyper-V Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0964)
* [CVE-2018-0966 - Device Guard Security Feature Bypass Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0966)
* [CVE-2018-0967 - Windows SNMP Service Denial of Service Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0967)
* [CVE-2018-0968 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0968)
* [CVE-2018-0969 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0969)
* [CVE-2018-0970 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0970)
* [CVE-2018-0971 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0971)
* [CVE-2018-0972 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0972)
* [CVE-2018-0973 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0973)
* [CVE-2018-0974 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0974)
* [CVE-2018-0975 - Windows Kernel Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0975)
* [CVE-2018-0976 - Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0976)
* [CVE-2018-0987 - Scripting Engine Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0987)
* [CVE-2018-0989 - Scripting Engine Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0989)
* [CVE-2018-0997 - Internet Explorer Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0997)
* [CVE-2018-0998 - Microsoft Edge Information Disclosure Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0998)
* [CVE-2018-1001 - Scripting Engine Memory Corruption Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1001)
* [CVE-2018-1003 - Microsoft JET Database Engine Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1003)
* [CVE-2018-1005 - Microsoft SharePoint Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1005)
* [CVE-2018-1008 - OpenType Font Driver Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1008)
* [CVE-2018-1009 - Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1009)
* [CVE-2018-1014 - Microsoft SharePoint Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1014)
* [CVE-2018-1032 - Microsoft SharePoint Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1032)
* [CVE-2018-1034 - Microsoft SharePoint Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1034)

### Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort Rules:

* 45628-45629
* 46163-46164
* 46176-46189
* 46192-46201
* 46204-46209
* 46212-46215
* 46218-36221
* 46226-46231
* 46233-46234
* 46243-46246

Source: Talos blog, "Microsoft Patch Tuesday - April 2018", published 2018-04-10 (modified 2018-04-10), http://feedproxy.google.com/~r/feedburner/Talos/~3/9g_k4lM7D5g/ms-tuesday.html. Aggregator CVSS score 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/).

### TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 9, 2018

Source: Trend Micro blog, published 2018-04-13 (last seen 2018-04-17), https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-april-9-2018/.

The interviewing process can be mentally draining. You have to look your best, say the right things, and prove that you’re the best person for the job. When I interview candidates, I love to come up with the one crazy question that isn’t on the usual list of questions that might be asked. I probably won’t be able to use it now since I’m going to disclose it here, but here goes: “If you were a tree, what type of tree would you be and why?” I don’t expect candidates to be experts in forestry or dendrology because there is no right or wrong answer, but I do like to hear what people can come up with off the top of their head. If you think that question is weird, how about this one? “Is it ever possible that `(a== 1 && a ==2 && a==3)` could evaluate to true in JavaScript?” Jasiel Spelman from our Zero Day Initiative came across this question on a post he read that is being asked during interviews at major tech firms. He takes a stab at answering the question in his latest blog: Inverting Your Assumptions: A Guide to JIT Comparisons. You can read it here: <https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons>.

**Microsoft Security Updates**

There are seven new zero-day filters covering four vendors in this week’s Digital Vaccine (DV) package. Microsoft released 67 security patches covering Internet Explorer (IE), Edge, ChakraCore, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Malware Protection Engine. Of these 67 CVEs, 24 are listed as Critical, 42 are rated Important, and one is listed as Moderate in severity. Seven of these CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. You can get more detailed information on this month’s security updates from Dustin Childs’ [April 2018 Security Update Review](https://www.zerodayinitiative.com/blog/2018/4/10/the-april-2018-security-update-review) from the Zero Day Initiative:

| CVE # | Digital Vaccine Filter # | Status |
|---|---|---|
| CVE-2018-0870 | 31038 | |
| CVE-2018-0871 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0887 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0890 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0892 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0920 | 31039 | |
| CVE-2018-0950 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0956 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0957 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0960 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0963 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0964 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0966 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0967 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0968 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0969 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0970 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0971 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0972 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0973 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0974 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0975 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0976 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0979 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0980 | 31040 | |
| CVE-2018-0981 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0986 | 31136 | |
| CVE-2018-0987 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0988 | 31041 | |
| CVE-2018-0989 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-0990 | 31061 | |
| CVE-2018-0991 | 31061 | |
| CVE-2018-0993 | 31043 | |
| CVE-2018-0994 | 31044 | |
| CVE-2018-0995 | 31060 | |
| CVE-2018-0996 | 31069 | |
| CVE-2018-0997 | 31076 | |
| CVE-2018-0998 | 31077 | |
| CVE-2018-1000 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1001 | 31075 | |
| CVE-2018-1002 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1003 | 31079 | |
| CVE-2018-1004 | 31080 | |
| CVE-2018-1005 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1007 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1008 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1009 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1010 | 31081 | |
| CVE-2018-1011 | 31074 | |
| CVE-2018-1012 | 31072 | |
| CVE-2018-1013 | 31070 | |
| CVE-2018-1014 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1015 | 31067 | |
| CVE-2018-1016 | 31064 | |
| CVE-2018-1018 | 31060 | |
| CVE-2018-1019 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1020 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1022 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1023 | 31062 | |
| CVE-2018-1026 | 31063 | |
| CVE-2018-1027 | 31066 | |
| CVE-2018-1028 | 31073 | |
| CVE-2018-1029 | 31068 | |
| CVE-2018-1030 | 31071 | |
| CVE-2018-1032 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1034 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-1037 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-8116 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2018-8117 | | Vendor Deemed Reproducibility or Exploitation Unlikely |

**Zero-Day Filters**

There are nine new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](http://www.zerodayinitiative.com/advisories/published/) and [upcoming advisories](http://www.zerodayinitiative.com/advisories/upcoming/) on the [Zero Day Initiative](http://www.zerodayinitiative.com/) website. You can also follow the Zero Day Initiative on Twitter [@thezdi](https://twitter.com/thezdi) and on their [blog](https://www.zerodayinitiative.com/blog).

**_Apple (2)_**

* 31139: ZDI-CAN-5525: Zero Day Initiative Vulnerability (Apple Safari)
* 31141: ZDI-CAN-5526: Zero Day Initiative Vulnerability (Apple Safari)

**_Foxit (3)_**

* 31143: ZDI-CAN-5527: Zero Day Initiative Vulnerability (Foxit Reader)
* 31145: ZDI-CAN-5528,5331: Zero Day Initiative Vulnerability (Foxit Reader)
* 31146: ZDI-CAN-5529: Zero Day Initiative Vulnerability (Foxit Reader)

**_Hewlett Packard (2)_**

* 30919: HTTP: HP Application Lifecycle Management ActiveX Insecure Method Exposure Vulnerability (ZDI-12-170)
* 31036: HTTPS: HP iNode Management Center iNodeMngChecker.exe Buffer Overflow Vulnerability (ZDI-11-232)

**_Microsoft (1)_**

* 31048: HTTP: Microsoft Office Excel XLSX File Memory Corruption Vulnerability (ZDI-10-025)

**_Trend Micro (1)_**

* 31147: ZDI-CAN-5533,5534: Zero Day Initiative Vulnerability (Trend Micro Encryption for Email Gateway)

**Missed Last Week’s News?** Catch up on last week’s news in my [weekly recap](https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-april-2-2018/).