KLA11288
Multiple vulnerabilities in Microsoft Development Tools
Updated: 09/10/2018
CVSS
?
7.5
Detect date
?
07/10/2018
Severity
?
Critical
Description

Multiple serious vulnerabilities have been found in Microsoft Development Tools. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, perform cross-site scripting attacks, gain privileges and spoof user interface.

Below is a complete list of vulnerabilities:

  1. A security feature bypass vulnerability in .NET Framework can be exploited remotely to bypass security restrictions;
  2. Multiple memory corruption vulnerabilities in ChakraCore can be exploited remotely to execute arbitrary code;
  3. A security feature bypass vulnerability in MSR JavaScript Cryptography Library can be exploited remotely to bypass security restrictions;
  4. A cross-site-scripting (XSS) vulnerability in Microsoft Active Directory Federation Services can be exploited remotely via specially crafted request to perform cross-site scripting attacks;
  5. A command injection vulnerability in Microsoft Wireless Display Adapter V2 can be exploited remotely to execute arbitrary code;
  6. An elevation of privilege vulnerability in .NET Framework can be exploited remotely to gain privileges;
  7. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code;
  8. Multiple remote code execution vulnerabilities in .NET Framework can be exploited remotely to execute arbitrary code;
  9. Miltiple security feature bypass vulnerabilities in ChakraCore can be exploited remotely to bypass security restrictions;
  10. A remote code execution vulnerability in PowerShell Editor Services can be exploited remotely to execute arbitrary code;
  11. A security feature bypass vulnerability in ASP.NET can be exploited remotely to bypass security restrictions;
  12. A tampering vulnerability in Microsoft Visual Studio can be exploited remotely to spoof user interface.
Affected products

.NET Core 2.0
ASP.NET Core 1.1
ASP.NET Core 1.0
ASP.NET Core 2.0
ASP.NET Web Pages 3.2.3
ASP.NET MVC 5.2
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2013 Update 5
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2012 Update 5
Microsoft Visual Studio 2017 Version 15.7.5
Microsoft Visual Studio 2017 Version 15.8 Preview
Expression Blend 4 Service Pack 3
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
.NET Framework 4.7.2 Developer Pack
ChakraCore
Microsoft Wireless Display Adapter V2 Software Version 2.0.8365
Microsoft Wireless Display Adapter V2 Software Version 2.0.8372
Microsoft Wireless Display Adapter V2 Software Version 2.0.8350
Microsoft Research JavaScript Cryptography Library
Web Customizations for Active Directory Federation Services
PowerShell Extension for Visual Studio Code
PowerShell Editor Services
.NET Core 1.1
.NET Core 1.0

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

CVE-2018-8286
CVE-2018-8279
CVE-2018-8294
CVE-2018-8276
CVE-2018-8280
CVE-2018-8290
CVE-2018-8288
CVE-2018-8291
CVE-2018-8275
CVE-2018-8287
CVE-2018-8356
CVE-2018-8298
CVE-2018-8319
CVE-2018-8326
CVE-2018-8306
CVE-2018-8202
CVE-2018-8172
CVE-2018-8260
CVE-2018-8327
CVE-2018-8171
CVE-2018-8232
CVE-2018-8284
CVE-2018-8283

Impacts
?
ACE 
[?]

OSI 
[?]

SB 
[?]

PE 
[?]

SUI 
[?]
Related products
Microsoft .NET Framework
Microsoft Visual Studio
Microsoft ASP.NET MVC
ChakraCore
CVE-IDS
?

CVE-2018-8286
CVE-2018-8279
CVE-2018-8294
CVE-2018-8276
CVE-2018-8280
CVE-2018-8290
CVE-2018-8288
CVE-2018-8291
CVE-2018-8275
CVE-2018-8287
CVE-2018-8356
CVE-2018-8298
CVE-2018-8319
CVE-2018-8326
CVE-2018-8306
CVE-2018-8202
CVE-2018-8172
CVE-2018-8260
CVE-2018-8327
CVE-2018-8171
CVE-2018-8232
CVE-2018-8284
CVE-2018-8283

KB list

4338825
4338814
4338829
4338819
4338826
4345421
4345419
4345455
4345420
4345418
4338420
4338611
4338604
4338415
4338421
4338422
4338416
4338601
4336919
4338613
4338418
4338424
4338419
4338417
4339279
4336986
4338600
4338612
4336999
4338606
4336946
4338602
4338605
4338423
4342193
4338610
4342192
4342191
4346877
4344151
4344146
4343909
4344166
4344177
4344178
4344147
4344148
4343885
4344172
4344144
4343887
4344149
4344175
4344165
4344167
4343892
4344153
4344150
4344152
4344176
4344171
4344173
4344145
4343897

Microsoft official advisories
Microsoft Security Update Guide