ASB-2018.0106.2 - UPDATE [Win][Mac] Microsoft Office products: Multiple vulnerabilities 2018-05-16


===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0106.2
           Security updates for Microsoft Office and SharePoint
                                16 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Excel
                      Microsoft Excel Viewer
                      Microsoft InfoPath
                      Microsoft Office
                      Microsoft Project Server
                      Microsoft SharePoint Enterprise Server
                      Microsoft Word
Operating System:     Windows
                      Mac OS
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8176 CVE-2018-8173 CVE-2018-8168
                      CVE-2018-8163 CVE-2018-8162 CVE-2018-8161
                      CVE-2018-8160 CVE-2018-8158 CVE-2018-8157
                      CVE-2018-8156 CVE-2018-8155 CVE-2018-8150
                      CVE-2018-8149 CVE-2018-8148 CVE-2018-8147
Member content until: Friday, June  8 2018

Revision History:     May 16 2018: Vendor added CVE-2018-8176 in PowerPoint 2016 for Mac
                      May  9 2018: Initial Release

OVERVIEW

        Microsoft has released its monthly security patch update for the month of May
        2018. [1]  This update resolves 14 vulnerabilities across the following
        products:
         Microsoft Excel 2010 Service Pack 2 (32-bit editions)
         Microsoft Excel 2010 Service Pack 2 (64-bit editions)
         Microsoft Excel 2013 RT Service Pack 1
         Microsoft Excel 2013 Service Pack 1 (32-bit editions)
         Microsoft Excel 2013 Service Pack 1 (64-bit editions)
         Microsoft Excel 2016 (32-bit edition)
         Microsoft Excel 2016 (64-bit edition)
         Microsoft InfoPath 2013 Service Pack 1 (32-bit edition)
         Microsoft InfoPath 2013 Service Pack 1 (64-bit edition)
         Microsoft Office 2010 Service Pack 2 (32-bit editions)
         Microsoft Office 2010 Service Pack 2 (64-bit editions)
         Microsoft Office 2013 RT Service Pack 1
         Microsoft Office 2013 Service Pack 1 (32-bit editions)
         Microsoft Office 2013 Service Pack 1 (64-bit editions)
         Microsoft Office 2016 (32-bit edition)
         Microsoft Office 2016 (64-bit edition)
         Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
         Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
         Microsoft Office 2016 for Mac
         Microsoft Office Compatibility Pack Service Pack 3
         Microsoft Office Web Apps 2010 Service Pack 2
         Microsoft Office Web Apps Server 2010 Service Pack 2
         Microsoft Office Web Apps Server 2013 Service Pack 1
         Microsoft Project Server 2010 Service Pack 2
         Microsoft Project Server 2013 Service Pack 1
         Microsoft SharePoint Enterprise Server 2013 Service Pack 1
         Microsoft SharePoint Enterprise Server 2016
         Microsoft SharePoint Foundation 2013 Service Pack 1
         Microsoft SharePoint Server 2010 Service Pack 2
         Microsoft Word 2010 Service Pack 2 (32-bit editions)
         Microsoft Word 2010 Service Pack 2 (64-bit editions)
         Microsoft Word 2013 RT Service Pack 1
         Microsoft Word 2013 Service Pack 1 (32-bit editions)
         Microsoft Word 2013 Service Pack 1 (64-bit editions)
         Microsoft Word 2016 (32-bit edition)
         Microsoft Word 2016 (64-bit edition)
         Word Automation Services


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details        Impact                   Severity
         CVE-2018-8147  Remote Code Execution    Important
         CVE-2018-8148  Remote Code Execution    Important
         CVE-2018-8149  Elevation of Privilege   Important
         CVE-2018-8150  Security Feature Bypass  Important
         CVE-2018-8155  Elevation of Privilege   Important
         CVE-2018-8156  Elevation of Privilege   Important
         CVE-2018-8157  Remote Code Execution    Important
         CVE-2018-8158  Remote Code Execution    Important
         CVE-2018-8160  Information Disclosure   Important
         CVE-2018-8161  Remote Code Execution    Important
         CVE-2018-8162  Remote Code Execution    Important
         CVE-2018-8163  Information Disclosure   Important
         CVE-2018-8168  Elevation of Privilege   Important
         CVE-2018-8173  Elevation of Privilege   Important
         CVE-2018-8176  Remote Code Execution    Important


MITIGATION

        Microsoft recommends updating the software with the version made available on
        the Microsoft Update Catalogue for the following Knowledge Base articles. [1]
        
        
         KB2899590, KB3114889, KB3172436, KB3162075, KB4018388
         KB4018381, KB4018383, KB4018382, KB4022142, KB4022141
         KB4022146, KB4022145, KB4018308, KB4018396, KB4018393
         KB4018390, KB4018398, KB4018399, KB4022150, KB4022137
         KB4018327, KB4022135, KB4022130, KB4022139


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
