July, 2018: 54 CVE's and No Active Attacks

Welcome to this July Patch Tuesday Bulletin. This month we have 54 unique CVE’s, 14 total platforms, 6 platforms with critical severity updates, and 0 attacks in the wild against vulnerabilities listed. Take a look at the Microsoft Wireless Display Adapter Command Injection Vulnerability (CVE-2018-8306) and update the firmware if necessary. There is a mitigation for this vulnerability that requires you to pair with a PIN code. Adobe released an update for Flash Player which also includes a workaround. Take a look at ADV180017 and disable Flash or warn the user when it attempts to run in Internet Explorer or Office products. Take some time to think about mitigations if patching cannot be quickly performed or is delayed. Often, these mitigations are great long term security controls despite the need to mitigate the vulnerability.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of MS patches this month.

Patch data provided by:

Technology

Products Affected

Severity

Reference

Workaround/ Exploited

Vulnerability Info

Internet Explorer

IE 9, 10, 11

Critical

CVE-2018-0949

CVE-2018-8242

CVE-2018-8287

CVE-2018-8288

CVE-2018-8291

CVE-2018-8296

*Workaround: No

**Exploited: No

Security Feature Bypass

Remote Code Execution

 

Edge

All

Critical

CVE-2018-8125

CVE-2018-8262

CVE-2018-8274

CVE-2018-8275

CVE-2018-8276

CVE-2018-8278

CVE-2018-8279

CVE-2018-8280

CVE-2018-8286

CVE-2018-8287

CVE-2018-8288

CVE-2018-8289

CVE-2018-8290

CVE-2018-8291

CVE-2018-8294

CVE-2018-8297

CVE-2018-8301

CVE-2018-8324

CVE-2018-8325

*Workaround: No

**Exploited: No

Remote Code Execution

Security Feature Bypass

Spoofing

Information Disclosure

 

Windows

Windows 7, 8.1, RT 8.1, 10

Server 2008, 2008 R2, 2012, 2012 R2, 2016

Important

CVE-2018-8206

CVE-2018-8222

CVE-2018-8282

CVE-2018-8304

CVE-2018-8307

CVE-2018-8308

CVE-2018-8309

CVE-2018-8313

CVE-2018-8314

*Workaround: No

**Exploited: No

Denial of Service

Security Feature Bypass

Elevation of Privilege

Information Disclosure

 

Office

Access 2013, 2016

Excel Viewer

Lync 2013

Office 2010, 2016, 2016 for Mac

Word Viewer

PowerPoint Viewer

SharePoint Server 2013, 2016

Word 2010, 2013, 2016

Skype for Business 2016

Important

CVE-2018-8238

CVE-2018-8281

CVE-2018-8299

CVE-2018-8300

CVE-2018-8310

CVE-2018-8311

CVE-2018-8312

CVE-2018-8323

*Workaround: No

**Exploited: No

Security Feature Bypass

Remote Code Execution

Elevation of Privilege

Tampering

ChakraCore

All

Critical

CVE-2018-8275

CVE-2018-8276

CVE-2018-8279

CVE-2018-8280

CVE-2018-8283

CVE-2018-8286

CVE-2018-8287

CVE-2018-8288

CVE-2018-8290

CVE-2018-8291

CVE-2018-8294

CVE-2018-8298

*Workaround: No

**Exploited: No

Remote Code Execution

Security Feature Bypass

 

Adobe Flash Player

30.0.0.113 and earlier

Critical

ADV180017

CVE-2018-5007*

CVE-2018-5008*

*Workaround: Yes

**Exploited: No

Information Disclosure

Arbitrary Code Execution

.NET Framework

.NET Core 1.0, 1.1, 2.0

.NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.7, 4.7.1, 4.7.2

Important

CVE-2018-8202

CVE-2018-8260

CVE-2018-8284

CVE-2018-8356

*Workaround: No

**Exploited: No

Elevation of Privilege

Remote Code Execution

Security Feature Bypass

 

ASP.NET

ASP.NET Core 1.0, 1.1, 2.0

ASP.NET Web Pages 3.2.3

ASP.NET MVC 5.2

Important

CVE-2018-8171

CVE-2018-8356

*Workaround: No

**Exploited: No

Security Feature Bypass

JavaScript Cryptography Library

Microsoft Research JavaScript Cryptography Library

Important

CVE-2018-8319

*Workaround: No

**Exploited: No

Security Feature Bypass

Skype for Business

Skype for Business 2016 (64-bit)

Important

CVE-2018-8238

CVE-2018-8311

*Workaround: No

**Exploited: No

Security Feature Bypass

Remote Code Execution

Visual Studio

Visual Studio 2010, 2012, 2013, 2015, 2017

PowerShell Extension for Visual Studio Code

Critical

CVE-2018-8172

CVE-2018-8232

CVE-2018-8327

*Workaround: No

**Exploited: No

Remote Code Execution

Tampering

Wireless Display Adapter V2 Software

Wireless Display Adapter V2 Software Version 2.0.8350, 2.0.8372, 2.0.8365

Important

CVE-2018-8306*

*Workaround: Yes

**Exploited: No

Remote Code Execution

PowerShell Editor Services

All

Critical

CVE-2018-8327

*Workaround: No

**Exploited: No

Remote Code Execution

Web Customizations for ADFS

All

Important

CVE-2018-8326

*Workaround: No

**Exploited: No

Spoofing


Send me this chart next Patch Tuesday.
Email:

We will not share your address. Unsubscribe anytime. By clicking "Submit",
you're agreeing to our Privacy Policy and consenting to be contacted by us.