KLA11288
Multiple vulnerabilities in Microsoft Development Tools
Updated: 07/11/2018
CVSS
?
7.3
Detect date
?
07/10/2018
Severity
?
High
Description

Multiple serious vulnerabilities have been found in Microsoft Development Tools. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, perform cross-site scripting attacks, gain privileges and spoof user interface.

Below is a complete list of vulnerabilities:

  1. A security feature bypass vulnerability in .NET Framework can be exploited remotely to bypass security restrictions;
  2. Multiple memory corruption vulnerabilities in ChakraCore can be exploited remotely to execute arbitrary code;
  3. A security feature bypass vulnerability in MSR JavaScript Cryptography Library can be exploited remotely to bypass security restrictions;
  4. A cross-site-scripting (XSS) vulnerability in Microsoft Active Directory Federation Services can be exploited remotely via specially crafted request to perform cross-site scripting attacks;
  5. A command injection vulnerability in Microsoft Wireless Display Adapter V2 can be exploited remotely to execute arbitrary code;
  6. An elevation of privilege vulnerability in .NET Framework can be exploited remotely to gain privileges;
  7. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code;
  8. Multiple remote code execution vulnerabilities in .NET Framework can be exploited remotely to execute arbitrary code;
  9. Miltiple security feature bypass vulnerabilities in ChakraCore can be exploited remotely to bypass security restrictions;
  10. A remote code execution vulnerability in PowerShell Editor Services can be exploited remotely to execute arbitrary code;
  11. A security feature bypass vulnerability in ASP.NET can be exploited remotely to bypass security restrictions;
  12. A tampering vulnerability in Microsoft Visual Studio can be exploited remotely to spoof user interface.
Affected products

ASP.NET Core 1.1
ASP.NET Core 1.0
ASP.NET Core 2.0
ASP.NET Web Pages 3.2.3
ASP.NET MVC 5.2
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2013 Update 5
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2012 Update 5
Microsoft Visual Studio 2017 Version 15.7.5
Microsoft Visual Studio 2017 Version 15.8 Preview
Expression Blend 4 Service Pack 3
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
.NET Framework 4.7.2 Developer Pack
ChakraCore
Microsoft Wireless Display Adapter V2 Software Version 2.0.8365
Microsoft Wireless Display Adapter V2 Software Version 2.0.8372
Microsoft Wireless Display Adapter V2 Software Version 2.0.8350
Microsoft Research JavaScript Cryptography Library
Web Customizations for Active Directory Federation Services
PowerShell Extension for Visual Studio Code
PowerShell Editor Services
.NET Core 1.1
.NET Core 1.0
.NET Core 2.0

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts
?
SUI 
[?]

ACE 
[?]

XSSCSS 
[?]

SB 
[?]

PE 
[?]
Related products
Microsoft Visual Studio
Microsoft ASP.NET MVC
Microsoft .NET Framework
CVE-IDS
?

CVE-2018-8283
CVE-2018-8284
CVE-2018-8291
CVE-2018-8232
CVE-2018-8287
CVE-2018-8171
CVE-2018-8290
CVE-2018-8280
CVE-2018-8327
CVE-2018-8276
CVE-2018-8260
CVE-2018-8172
CVE-2018-8275
CVE-2018-8202
CVE-2018-8306
CVE-2018-8326
CVE-2018-8294
CVE-2018-8279
CVE-2018-8286
CVE-2018-8288
CVE-2018-8319
CVE-2018-8298
CVE-2018-8356

KB list

4338420
4338611
4338604
4338415
4338421
4338422
4338416
4338601
4336919
4338613
4338418
4338424
4338419
4338825
4338819
4338417
4338814
4339279
4336986
4338600
4338612
4336999
4338606
4338826
4336946
4338829
4338602
4338605
4338423
4342193
4338610