Today’s VERT Alert addresses Microsoft’s August 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-792 on Wednesday, August 15th.
In-The-Wild & Disclosed CVEs
CVE-2018-8373
A vulnerability exists within the scripting engine in Internet Explorer. An attacker exploiting this vulnerability via a malicious webpage or Office document could execute code in the context of the current user. Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely) for the latest software release; however, exploitation has been detected on older releases.
CVE-2018-8414
Windows Shell does not always properly validate file paths. An attacker who convinces a user to visit a malicious page, click a malicious link, or open a malicious attachment could execute code in the context of the current user. Microsoft has rated this as a 1 on the Exploitability Index (Exploitation More Likely).
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.
| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Microsoft Windows PDF | 1 | CVE-2018-8350 |
| Windows Kernel | 5 | CVE-2018-8399, CVE-2018-8404, CVE-2018-8341, CVE-2018-8347, CVE-2018-8348 |
| Windows Diagnostic Hub | 1 | CVE-2018-0952 |
| Microsoft Windows | 2 | CVE-2018-8345, CVE-2018-8346 |
| SQL Server | 1 | CVE-2018-8273 |
| Microsoft Edge | 6 | CVE-2018-8358, CVE-2018-8370, CVE-2018-8377, CVE-2018-8383, CVE-2018-8388, CVE-2018-8387 |
| Microsoft Graphics Component | 9 | CVE-2018-8394, CVE-2018-8396, CVE-2018-8397, CVE-2018-8398, CVE-2018-8400, CVE-2018-8401, CVE-2018-8405, CVE-2018-8406, CVE-2018-8344 |
| .NET Framework | 1 | CVE-2018-8360 |
| Microsoft Browsers | 3 | CVE-2018-8403, CVE-2018-8351, CVE-2018-8357 |
| Device Guard | 2 | CVE-2018-8204, CVE-2018-8200 |
| Windows Installer | 1 | CVE-2018-8339 |
| Windows NDIS | 1 | CVE-2018-8343 |
| Windows Shell | 2 | CVE-2018-8253, CVE-2018-8414 |
| Windows Authentication Methods | 1 | CVE-2018-8340 |
| Microsoft Exchange Server | 2 | CVE-2018-8302, CVE-2018-8374 |
| Internet Explorer | 1 | CVE-2018-8316 |
| Windows RNDIS | 1 | CVE-2018-8342 |
| Windows COM | 1 | CVE-2018-8349 |
| Microsoft Office | 6 | CVE-2018-8375, CVE-2018-8376, CVE-2018-8378, CVE-2018-8379, CVE-2018-8382, CVE-2018-8412 |
| Microsoft Scripting Engine | 13 | CVE-2018-8266, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8380, CVE-2018-8381, CVE-2018-8384, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390, CVE-2018-8353, CVE-2018-8355, CVE-2018-8359 |
Other Information
In addition to the Microsoft vulnerabilities included in the August Security Guidance, a security advisory was also made available.
August 2018 Adobe Flash Security Update [ADV180020]
Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-25. This includes fixes for CVE-2018-12824, CVE-2018-12825, CVE-2018-12826, CVE-2018-12827, and CVE-2018-12828.