Today’s VERT Alert addresses Microsoft’s July 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-786 on Wednesday, July 11th.
出回っている & 公開されているCVE
CVE-2018-8278
Microsoft Edge is vulnerable to a spoofing vulnerability that could allow an attacker to design a malicious fake website that appears to be legitimate. This is due to how Microsoft Edge handles HTML content.
Microsoftはこの脆弱性について、悪用可能性指標の1 (悪用される可能性は高い) と評価しています。
CVE-2018-8313
A privilege escalation within the Windows Kernel API could allow attackers to impersonate processes, interject cross-process communication, or interrupt system functionality. This attack requires that an authenticated, local user run a purpose-built application. Changes were made to how the Windows Kernel API enforces permissions to resolve this vulnerability.
Microsoftはこの脆弱性について、悪用可能性指標の1 (悪用される可能性は高い) と評価しています。
CVE-2018-8314
Attackers can escalate privileges and escape a sandbox due to failure in how Windows file picker handles paths. This could allow an attacker to gain higher levels of access but does not specifically allow code execution, attackers would need to pair this attack with another vulnerability if code execution is the desired goal.
Microsoftはこの脆弱性について、悪用可能性指標の1 (悪用される可能性は高い) と評価しています。
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
TAG |
CVE COUNT |
CVES |
MICROSOFT WORDPAD |
1 |
CVE-2018-8307 |
ACTIVE DIRECTORY |
1 |
CVE-2018-8326 |
ASP.NET |
1 |
CVE-2018-8171 |
MICROSOFT WINDOWS |
6 |
CVE-2018-8206, CVE-2018-8313, CVE-2018-8319, CVE-2018-8305, CVE-2018-8308, CVE-2018-8309 |
MICROSOFT POWERSHELL |
1 |
CVE-2018-8327 |
MICROSOFT DEVICES |
1 |
CVE-2018-8306 |
.NET FRAMEWORK |
4 |
CVE-2018-8202, CVE-2018-8356, CVE-2018-8260, CVE-2018-8284 |
MICROSOFT EDGE |
8 |
CVE-2018-8262, CVE-2018-8274, CVE-2018-8278, CVE-2018-8289, CVE-2018-8297, CVE-2018-8301, CVE-2018-8324, CVE-2018-8325 |
DEVICE GUARD |
1 |
CVE-2018-8222 |
VISUAL STUDIO |
2 |
CVE-2018-8172, CVE-2018-8232 |
WINDOWS KERNEL |
1 |
CVE-2018-8282 |
WINDOWS SHELL |
1 |
CVE-2018-8314 |
SKYPE FOR BUSINESS AND MICROSOFT LYNC |
2 |
CVE-2018-8238, CVE-2018-8311 |
INTERNET EXPLORER |
1 |
CVE-2018-0949 |
MICROSOFT WINDOWS DNS |
1 |
CVE-2018-8304 |
MICROSOFT OFFICE |
6 |
CVE-2018-8281, CVE-2018-8323, CVE-2018-8299, CVE-2018-8300, CVE-2018-8310, CVE-2018-8312 |
MICROSOFT SCRIPTING ENGINE |
15 |
CVE-2018-8242, CVE-2018-8275, CVE-2018-8276, CVE-2018-8279, CVE-2018-8280, CVE-2018-8283, CVE-2018-8286, CVE-2018-8287, CVE-2018-8288, CVE-2018-8290, CVE-2018-8291, CVE-2018-8294, CVE-2018-8296, CVE-2018-8298, CVE-2018-8125 |
その他の情報
In addition to the Microsoft vulnerabilities included in the May Security Guidance, a security advisory was also made available.
JULY 2018 ADOBE FLASH SECURITY UPDATE [ADV180017]
Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-24. This includes fixes for CVE-2018-5007, CVE-2018-5008.