Today’s VERT Alert addresses Microsoft’s March 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-769 on Wednesday, March 14th.
In-The-Wild & Disclosed CVEs
CVE-2018-0808
This publicly disclosed CVE could lead to a successful denial of service against ASP.NET Core web applications due to the improper handling of web requests. Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely)
CVE-2018-0940
This vulnerability, which allows attackers to present a fake login page to OWA users in an effort to collect user credentials or other sensitive information, has been fixed via an Exchange update to how links are sanitized within the body of emails. Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely)
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
| Tag | CVE Count | CVEs |
| ASP.NET | 2 | CVE-2018-0787, CVE-2018-0808 |
| Windows Hyper-V | 2 | CVE-2018-0885, CVE-2018-0888 |
| Windows Desktop Bridge | 3 | CVE-2018-0877, CVE-2018-0880, CVE-2018-0882 |
| .NET Core | 1 | CVE-2018-0875 |
| Microsoft Windows | 4 | CVE-2018-0886, CVE-2018-0902, CVE-2018-0983, CVE-2018-0878 |
| Microsoft Edge | 1 | CVE-2018-0879 |
| Microsoft Graphics Component | 3 | CVE-2018-0816, CVE-2018-0817, CVE-2018-0815 |
| Microsoft Browsers | 2 | CVE-2018-0927, CVE-2018-0932 |
| Device Guard | 1 | CVE-2018-0884 |
| Windows Installer | 1 | CVE-2018-0868 |
| Windows Kernel | 14 | CVE-2018-0811, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0926, CVE-2018-0977, CVE-2018-0813, CVE-2018-0814, CVE-2018-0904 |
| Microsoft Video Control | 1 | CVE-2018-0881 |
| Internet Explorer | 2 | CVE-2018-0929, CVE-2018-0942 |
| Microsoft Exchange Server | 3 | CVE-2018-0924, CVE-2018-0940, CVE-2018-0941 |
| Windows Shell | 1 | CVE-2018-0883 |
| Microsoft Office | 17 | CVE-2018-0947, CVE-2018-0903, CVE-2018-0909, CVE-2018-0910, CVE-2018-0907, CVE-2018-0911, CVE-2018-0912, CVE-2018-0913, CVE-2018-0914, CVE-2018-0915, CVE-2018-0916, CVE-2018-0917, CVE-2018-0919, CVE-2018-0921, CVE-2018-0922, CVE-2018-0923, CVE-2018-0944 |
| Microsoft Scripting Engine | 16 | CVE-2018-0889, CVE-2018-0891, CVE-2018-0893, CVE-2018-0930, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934, CVE-2018-0935, CVE-2018-0936, CVE-2018-0937, CVE-2018-0939, CVE-2018-0872, CVE-2018-0873, CVE-2018-0874, CVE-2018-0876, CVE-2018-0925 |
Other Information
In addition to the Microsoft vulnerabilities included in the February Security Guidance, a number of security advisories were also made available.
March 2018 Adobe Flash Security Update [ADV180006]
Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-05. This includes fixes for CVE-2018-4919 and CVE-2018-4920.
CVE-20180-0886
Microsoft has released a patch for a code execution vulnerability in the Credential Security Support Provider protocol (CredSSP). This is an important vulnerability to take note of, as it could allow an attacker with MitM capabilities to gain full access to a Remote Desktop Protocol session. Microsoft has released detailed documentation regarding related registry key changes and the client update required to fully resolve this vulnerability. Additionally, a blog post has been released detailing the discovery of this vulnerability.
