August Patch Tuesday Analysis

Patch Tuesday Webinar
Wednesday, Aug 15, 2018
Hosted by: Brian Secrist & Todd Schell
Dial in: 1-877-668-4490 (US)
Event ID: 802 250 039

Agenda
Aug 2018 Patch Tuesday Overview
In the News
Bulletins
Q & A
1
2
3
4

In the News
 TSMC hit by WannaCry
 https://www.zdnet.com/article/tsmc-says-variant-of-wannacry-virus-brought-
down-its-plants/
 NetSpectre
 https://thehackernews.com/2018/07/netspectre-remote-spectre-attack.html
 SamSam Ransomware in Review
 https://thehackernews.com/2018/07/samsam-ransomware-attacks.html
 Newer laptops hijacked through charger
 https://www.techradar.com/news/hackers-could-hijack-devices-using-a-
laptops-usb-c-charger

In the News (Cont)
 Foreshadow/L1 Terminal Fault (L1TF)
 https://portal.msrc.microsoft.com/en-us/security-
guidance/advisory/ADV180018
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-
00161.html
 https://support.microsoft.com/en-us/help/4093836/summary-of-intel-
microcode-updates
 https://www.wired.com/story/foreshadow-intel-secure-enclave-vulnerability/
 https://www.vmware.com/security/advisories/VMSA-2018-0021.html

Microsoft Notable August Out-of-Band Releases
Microsoft released a series of emergency non-security fixes for all supported operating
systems. These updates fix the following:
 Some devices may experience stop error 0xD1 when you run network monitoring
workloads
 The restart of the SQL Server service may fail with the error, “Tcp port is already in
use”
 An issue may occur when an administrator tries to stop the World Wide Web
Publishing Service (W3SVC)
Affected OS KB Ivanti ID
Windows Server 2008 KB4345397 MSNS18-07-4345397
Windows 7/Server 2008 R2 KB4345459 MSNS18-07-4345459
Windows Server 2012 KB4345425 MSNS18-07-4345425
Windows 8.1/Server 2012 R2 KB4345424 MSNS18-07-4345424

Publicly Disclosed and Exploited Vulnerabilities
 CVE-2018-8373 - Scripting Engine Memory Corruption Vulnerability
 A remote code execution vulnerability exists in the way that the scripting engine
handles objects in memory in Internet Explorer. The vulnerability could corrupt
memory in such a way that an attacker could execute arbitrary code in the
context of the current user. An attacker who successfully exploited the
vulnerability could gain the same user rights as the current user. If the current
user is an administrator, the attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.
 In a web-based attack scenario, an attacker could host a specially crafted
website that is designed to exploit the vulnerability through Internet Explorer and
then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or Microsoft Office
document that hosts the IE rendering engine. The attacker could also take
advantage of compromised websites and websites that accept or host user-
provided content or advertisements.

Publicly Disclosed and Exploited Vulnerabilities (cont)
 CVE-2018-8414 - Windows Shell Remote Code Execution Vulnerability
 An attacker who successfully exploited this vulnerability could run arbitrary code
in the context of the current user. If the current user is logged on as an
administrator, an attacker could take control of the affected system. An attacker
could then install programs; view, change, or delete data; or create new accounts
with elevated privileges. Users whose accounts are configured to have fewer
privileges on the system could be less impacted than users who operate with
administrative privileges.
 To exploit the vulnerability, an attacker must entice a user to open a specially
crafted file. This file could be sent via email or posted on a web site. In either
case, the file containing malicious code would need to be opened to exploit the
vulnerability.

Windows 10 Lifecycle Awareness
 Windows 10 Branch Support: End of Service for 2018
 Branch 1703 scheduled for October 9
 Windows 10 Version 1607, 1703, 1709 and 1803 will continue to receive
security-only updates for 6 months past EOS dates
 Supported Editions
 Windows 10 Education
 Windows 10 Enterprise
 Unsupported Editions
 Windows 10 Home
 Windows 10 Pro
 Windows 10 Version 1607 is in extended support now until October 9
 Everyone strongly urged to update to latest version of Windows 10
 Windows lifecycle fact sheet

Other Microsoft Information
 Service Stack Update (SSU) KB 4132216 must be installed before installing
the latest cumulative update KB 4343887 on Windows 10 Version 1607. The
same servicing stack update is required for Microsoft’s Adobe Flash update
(4343902). The updates will not be reported as applicable until the SSU is
installed.
 Visual C++ 2013 Redistributable must be installed before installing Exchange
2010 Rollup 23 (KB4340733)
 Development Tool Security Releases
 Visual Studio 2015/2017

Weekly Patch BLOG
 Latest Patch Releases
 Microsoft and Third-party
 Security and non-Security
 CVE Analysis
 Security Events of Interest
 Host: Brian Secrist
 https://www.ivanti.com/blog/
topics/patch-tuesday

New Patch Content Announcement System
 Announcements Posted on Community Pages
 https://community.ivanti.com/community/other/bulletins/patch-content-
notifications
 Separate pages by product
NOTE: Linux/UNIX/Mac still under construction

Automated Patch Content Notification
 Email and RSS Feed Notification Options Available
 Subscription Managed from the News Page
 https://community.ivanti.com/news?channel=news
 Complete instructions at https://community.ivanti.com/docs/DOC-68623
 Subscribe to one or more products
 Include the Weekly Patch blog in your Subscription to get the Latest Info!
 NOTE: Legacy Notifications from Listserv end after August Patch Tuesday

APSB18-29: Security Update for Adobe Acrobat and Reader
 Maximum Severity: Critical
 Affected Products: Adobe Acrobat and Reader (all current versions)
 Description: Adobe has released security updates for Adobe Acrobat and Reader for
Windows and macOS. These updates address critical and important vulnerabilities.
Successful exploitation could lead to arbitrary code execution in the context of the
current user.
 Impact: Remote Code Execution
 Fixes 2 Vulnerabilities: CVE-2018-12799, CVE-2018-12808.
 Restart Required: Requires application restart

APSB18-25: Security Update for Adobe Flash Player
 Affected Products: Adobe Flash Player for Desktop Runtime, Google Chrome,
Internet Explorer 11 and Edge
 Description: Adobe has released security updates for Adobe Flash Player for
Windows, macOS, Linux and Chrome OS. These updates address critical
vulnerabilities in Adobe Flash Player 30.0.0.134 and earlier versions. Successful
exploitation could lead to arbitrary code execution in the context of the current user.
 Impact: Security Feature Bypass, Elevation of Privilege, and Information Disclosure
 Fixes 5 Vulnerabilities: CVE-2018-12824, CVE-2018-12825, CVE-2018-12826,
CVE-2018-12827, CVE-2018-12828

MS18-08-AFP: Security Update for Adobe Flash Player
 Affected Products: Adobe Flash Player
 Description: This security update resolves vulnerabilities in Adobe Flash Player that is
installed on any supported edition of Windows Server Version 1803, Windows 10
Version 1803, Windows Server 2016 Version 1709, Windows 10 Version 1709,
Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows
10 (RTM), Windows Server 2012 R2, Windows 8.1, or Windows RT 8.1. This bulletin is
based on ADV180020.
CVE-2018-12827, CVE-2018-12828

MS18-08-W10: Windows 10 Update
 Affected Products: Microsoft Windows 10 Versions 1607, 1703, 1709, 1803, Server
2016, Server 1709, Server 1803, IE 11 and Microsoft Edge
 Description: This bulletin references 9 KB articles. See KBs for the list of changes.
 Impact: Remote Code Execution, Security Feature Bypass, Spoofing, Elevation of
Privilege, and Information Disclosure
 Fixes 44 Vulnerabilities: CVE-2018-8373 and CVE-2018-8414 are publicly
disclosed and known exploited. See Details column of Security Update Guide for
complete list of CVEs.
 Restart Required: Requires restart
 Known Issues: See next slide

August Known Issues for Windows 10
 KB 4343897 - Windows 10 version 1709
 Some non-English platforms may display the following string in English instead of the localized
language: ”Reading scheduled jobs from file is not supported in this language mode.” This error
appears when you try to read the scheduled jobs you've created and Device Guard is enabled.
 When Device Guard is enabled, some non-English platforms may display the following strings in
English instead of the localized language:
 "Cannot use '&' or '.' operators to invoke a module scope command across language boundaries."
 "'Script' resource from 'PSDesiredStateConfiguration' module is not supported when Device Guard is
enabled. Please use 'Script' resource published by PSDscResources module from PowerShell Gallery."
 Workaround – None. Microsoft is still working on a resolution.

MS18-08-IE: Security Updates for Internet Explorer
 Affected Products: Microsoft Internet Explorer 9, 10 and 11
 Description: These security updates resolve several reported vulnerabilities in Internet
Explorer. The fixes that are included in the cumulative Security Update for Internet
Explorer (KB 4343205) are also included in the August 2018 Security Monthly Quality
Rollup. Installing either the Security Update for Internet Explorer or the Security
Monthly Quality Rollup installs the fixes that are in this update. This bulletin references
10 KB articles.
 Impact: Remote Code Execution, Elevation of Privilege, and Information Disclosure
 Fixes 11 vulnerabilities: CVE-2018-8316, CVE-2018-8351, CVE-2018-8353, CVE-
2018-8355, CVE-2018-8357, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-
2018-8385, CVE-2018-8389, CVE-2018-8403
 Restart Required: Requires browser restart
 Known Issues: None reported

MS18-08-2K8: Windows Server 2008
 Affected Products: Microsoft Windows Server 2008
 Description: Security updates for Microsoft COM for Windows, Windows font library,
processing of .LNK files, the Windows kernel and Windows Graphics Device Interface
(GDI). Provides protections for an additional vulnerability involving side-channel
speculative execution known as Lazy Floating Point (FP) State Restore (CVE-2018-
3665). This bulletin references 6 KB articles.
 Fixes 10 Vulnerabilities: CVE-2018-8339, CVE-2018-8344, CVE-2018-8345, CVE-
2018-8397, CVE-2018-8398

MS18-08-MR7: Monthly Rollup for Win 7 and Server 2008 R2
 Affected Products: Microsoft Windows 7, Server 2008 R2, and IE
 Description: This security update includes improvements and fixes that were a part of
update KB 4338821 (released July 18, 2018). Provides protections against a new
speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF).
Provides protections against an additional vulnerability involving side-channel
3665) for 32-Bit (x86) versions of Windows. This bulletin is based on KB 4343900.
 Fixes 14 (shown) + 11 (IE) Vulnerabilities: CVE-2018-8339, CVE-2018-8341,
CVE-2018-8342, CVE-2018-8343, CVE-2018-8344, CVE-2018-8345, CVE-2018-8346,
CVE-2018-8398, CVE-2018-8404
 Known Issues: See next slide

August Known Issue for Windows 7 and Server 2008 R2
 KB 4343900 - Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
 There is an issue with Windows and third-party software that is related to a missing file
(oem<number>.inf). Because of this issue, after you apply this update, the network interface
controller will stop working.
 Workaround –
1.To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
2.To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes
from the Action menu.
a. Alternatively, install the drivers for the network device by right-clicking the device and
selecting Update. Then select Search automatically for updated driver software or Browse
my computer for driver software.

MS18-08-SO7: Security-only Update for Win 7 and Server 2008 R2
 Affected Products: Microsoft Windows 7 and Server 2008 R2
 Description: Provides protections against a new speculative execution side-channel
vulnerability known as L1 Terminal Fault (L1TF). Provides protections against an
additional vulnerability involving side-channel speculative execution known as Lazy
Floating Point (FP) State Restore (CVE-2018-3665) for 32-Bit (x86) versions of Windows.
This bulletin is based on KB 4343899.
2018-8404

MS18-08-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Server 2012 and IE
speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF).
Provides protections against an additional vulnerability involving side-channel
3665) for 32-Bit (x86) versions of Windows. This bulletin is based on KB 4343901.
CVE-2018-8394, CVE-2018-8398, CVE-2018-8404

MS18-08-SO8: Security-only Update for Server 2012
 Affected Products: Microsoft Server 2012
vulnerability known as L1 Terminal Fault (L1TF). Provides protections against an
additional vulnerability involving side-channel speculative execution known as Lazy
Floating Point (FP) State Restore (CVE-2018-3665) for 32-Bit (x86) versions of
Windows. This bulletin is based on KB 4343896.
2018-8398, CVE-2018-8404

MS18-08-MR81: Monthly Rollup for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2, and IE
speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF)
This bulletin is based on KB 4343898.
 Impact: Remote Code Execution, Security Feature Bypass, Elevation of Privilege, and
Information Disclosure
CVE-2018-8349, CVE-2018-8394, CVE-2018-8398, CVE-2018-8404, CVE-2018-8405

MS18-08-SO81: Security-only Update for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2
vulnerability known as L1 Terminal Fault (L1TF). This bulletin is based on KB 4343888.
 Impact: Remote Code Execution, Security Feature Bypass, Elevation of Privilege, and
Information Disclosure
2018-8394, CVE-2018-8398, CVE-2018-8404, CVE-2018-8405

MS18-08-EX: Security Updates for Exchange Server
 Affected Products: Microsoft Exchange Server 2010-2016
 Description: This security update resolves several memory corruption vulnerabilities
in Microsoft Exchange. This bulletin is based on KB 4340731 and KB 4340733.
 Impact: Remote Code Execution and Tampering
 Fixes 2 Vulnerabilities: CVE-2018-8302, CVE-2018-8374
 Restart Required: Requires Restart
 Known Issues: Updates must be installed when running in elevated mode as
administrator. Installing in normal mode will result in failed installation.

MS18-08-SQL: Security Updates for SQL Server
 Affected Products: Microsoft SQL Server 2016, 2017
 Description: This security update fixes a buffer overflow vulnerability. This bulletin is
based on 6 KB articles.
 Fixes 1 Vulnerability: CVE-2018-8273

MS18-08-SPT: Security Updates for SharePoint Server
 Maximum Severity: Important
 Affected Products: Microsoft Enterprise SharePoint Server 2013, 2016
 Description: This security update resolves vulnerabilities in Microsoft Office that could
allow remote code execution if a user opens a specially crafted Office file. This bulletin
is based on 4 KB articles.
 Impact: Information Disclosure

MS18-08-OFF: Security Updates for Microsoft Office
 Affected Products: Excel 2010-2016, Office 2010-2016, Office 2016 for Mac, Outlook
2010-2016, Powerpoint 2010, Web Apps
 Description: This security update resolves vulnerabilities in most Microsoft Office
applications. This bulletin references 19 KB articles and Release Notes.
 Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure, and
Defense in Depth
2018-8379, CVE-2018-8382, CVE-2018-8412

MS18-08-O365: Security Updates for Microsoft Office 365
 Affected Products: Excel 2016, Office 2016, Outlook 2016
 Description: This security update resolves vulnerabilities in most Microsoft Office 365
applications. Information on Office 365 updates is available at
https://technet.microsoft.com/en-us/office/mt465751
 Impact: Remote Code Execution and Information Disclosure
2018-8382

MS18-08-MRNET: Monthly Rollup for Microsoft .Net
 Affected Products: Microsoft Windows .Net Framework 2.0 through 4.7.2
 Description: This security update resolves an information disclosure vulnerability in
Microsoft .NET Framework that could allow an attacker to access information in multi-
tenant environments. This bulletin references 10 KB articles.
 Restart Required: Does not require a system restart after you apply it unless files
that are being updated are locked or are being used.

MS18-08-SONET: Security-only Update for Microsoft .Net
 Affected Products: Microsoft Windows .Net Framework 2.0 through 4.7.2
 Description: This security update resolves an information disclosure vulnerability in
Microsoft .NET Framework that could allow an attacker to access information in multi-
tenant environments. This bulletin references 10 KB articles.
 Restart Required: Does not require a system restart after you apply it unless files
that are being updated are locked or are being used.

Between Patch Tuesday’s
New Product Support: Box Edit
Security Updates: CCleaner (1), Google Chrome (3), Firefox (1), Foxit PhantomPDF
(1), Foxit Reader (1), FileZilla (2), Oracle JRE (2), Oracle JDK (1), Libreoffice (1), Nitro Pro
(1), Notepad++ (1), Opera (3), SeaMonkey (1), Splunk Universal Forwarder (2),
Thunderbird (1), TortoiseSVN (1), UltraVNC (1), Wireshark (2), VirtualBox (1), VMWare
Horizon Client (1)
Non-Security Updates: Allway Sync (1), Bandicut (1), Box Edit (1), Camtasia (1),
DropBox (1), Google Drive File Stream (1), Google Earth Pro (1), GOM Player (1),
GoodSync (4), GoToMeeting (2), Microsoft (55), Power BI Desktop (2), PDF-Xchange Pro
(1), Paint.net (1), Plex Media Player (3), Plex Media Server (3), Prezi Classic Desktop (1),
Royal TS (3), Skype (1), TreeSize Free (2), TeamViewer (1), Xmind (1), Zoom Client (1)

Third Party CVE Information
 Thunderbird 60.0
 TB18-6000, QTB6000
CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-
2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-
12367, CVE-2018-12368, CVE-2018-12371
 SeaMonkey 2.49.4
 SM18-2494, QSM2494
2018-12365, CVE-2018-12366, CVE-2018-12368, CVE-2018-12372, CVE-2018-
12373, CVE-2018-12374

Third Party CVE Information (cont)
 Foxit Reader/Phantom PDF
 FI18-920, QFI920 / FIP-016, QFIP920
 Fixes 85 Vulnerabilities: CVE-2018-3924, CVE-2018-3939, CVE-2018-11617, CVE-2018-11618,
CVE-2018-11619, CVE-2018-11620, CVE-2018-11621, CVE-2018-11622, CVE-2018-11623, CVE-2018-
14241, CVE-2018-14242, CVE-2018-14243, CVE-2018-14244, CVE-2018-14245, CVE-2018-14246, CVE-
2018-14247, CVE-2018-14248, CVE-2018-14249, CVE-2018-14250, CVE-2018-14251, CVE-2018-14252,
2018-14315, CVE-2018-14316

Third Party CVE Information (cont)
 Wireshark 2.6.2/2.4.8
 Bulletin WIRES-079, QWIRES262 / WIRES-080, QWIRES248
 Fixes 9 Vulnerability: CVE-2018-14339, CVE-2018-14340, CVE-2018-14341,
2018-14368, CVE-2018-14369
 VMWare Horizon Client 4.8.1
 Bulletin VMWH-006, QVMWH481
 Oracle VirtualBox 5.2.16
 Bulletin OVB-013, QOVB5216
 Fixes 9 Vulnerability: CVE-2018-3005, CVE-2018-3055, CVE-2018-3085, CVE-
2018-3086, CVE-2018-3087, CVE-2018-3088, CVE-2018-3089, CVE-2018-3090,
CVE-2018-3091

August Patch Tuesday Analysis

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to August Patch Tuesday Analysis

Similar to August Patch Tuesday Analysis (20)

More from Ivanti

More from Ivanti (20)

Recently uploaded

Recently uploaded (20)

August Patch Tuesday Analysis

Editor's Notes