=====================================================================
                           CERT-Renater

                Information Note No. 2018/VULN281
_____________________________________________________________________

DATE                : 14/09/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Internet Explorer, Microsoft Edge,
                      Microsoft Windows, Microsoft Office, Microsoft
                      Office Services and Web Apps, ChakraCore, Adobe
                      Flash Player, .NET Framework, System.IO.Pipelines,
                      C SDK for Azure IoT, Microsoft.Data.OData,
                      Microsoft SharePoint Server, Microsoft SharePoint
                      Enterprise Server, Microsoft Lync for Mac,
                      Microsoft Excel Viewer 2007 Service Pack,
                      Microsoft Office Compatibility Pack.

=====================================================================
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180018
_____________________________________________________________________

********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************

This summary lists security updates released for September 11, 2018.

Complete information for the September 2018 security update release can
be found at .

Critical Security Updates
============================

ChakraCore
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Windows Server, version 1803 (Server Core Installation)
Microsoft Edge
Internet Explorer 11
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2
Microsoft .NET Framework 4.7.1/4.7.2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2016 for Mac

Important Security Updates
============================

.NET Core 2.1
ASP.NET Core 2.1
System.IO.Pipelines
C SDK for Azure IoT
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Microsoft.Data.OData

Moderate Security Updates
============================

Microsoft Lync for Mac 2011
Internet Explorer 9

Low Security Updates
============================

Internet Explorer 10

Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================

If you receive an email message that claims to be distributing a
Microsoft security update, it is a hoax that may contain malware or
pointers to malicious websites. Microsoft does not distribute security
updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at .

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy
Statement at .

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe: .

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see: .

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

______________________________________________________________

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************

Security Advisories Released or Updated on September 11, 2018
===================================================================

* Microsoft Security Advisory ADV180002
 - Title: Guidance to mitigate speculative execution side-channel
   vulnerabilities
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
 - Reason for Revision: The following updates have been made:
   1. Microsoft has released security update 4457128 for Windows 10
      Version 1803 for ARM64-based Systems to provide protection
      against CVE-2017-5715. See the Affected Products table for
      links to download and install the update. Note that this
      update is also available via Windows Update.
   2. Added FAQ #19 to explain where customers can find and install
      ARM64 firmware that addresses CVE-2017-5715 - Branch target
      injection (Spectre, Variant 2).
 - Originally posted: January 3, 2018
 - Updated: September 11, 2018
 - Version: 25.0

* Microsoft Security Advisory ADV180018
 - Title: Microsoft guidance to mitigate L1TF variant
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180018
 - Reason for Revision: Microsoft is announcing the release of
   Monthly Rollup 4458010 and Security Only 4457984 for Windows
   Server 2008 to provide additional protections against the
   speculative execution side-channel vulnerability known as L1
   Terminal Fault (L1TF) that affects Intel® Core® processors and
   Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
   Customers running Windows Server 2008 should install either
   4458010 or 4457984 in addition to Security Update 4341832, which
   was released on August 14, 2018.
   See [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
   for more information. In addition, a note has been added to FAQ #2
   to provide further information regarding enabling the mitigation
   for CVE-2017-5754 (Meltdown).
 - Originally posted: August 14, 2018
 - Updated: September 11, 2018
 - Version: 4.0

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================