
====================================================================


                             CERT-Renater

                 Information Note No. 2018/VULN210
_____________________________________________________________________

DATE                : 13/06/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows versions 7, 8.1, RT 8.1, 10,
                      Server 2008, Server 2012, Server 2016,
                      Windows Server version 1709,
                      Windows Server version 1803,
                      Systems running Internet Explorer, Microsoft Edge,
                      ChakraCore, Adobe Flash Player for Windows,
                      Microsoft Office, Excel Services,
                      Microsoft Excel Viewer,
                      Microsoft Excel,
                      Microsoft Outlook,
                      Microsoft Publisher,
                      Microsoft Office Web Apps,
                      Microsoft Office Compatibility Pack,
                      Microsoft SharePoint,
                      Word Automation Services,
                      Office Online Server.

=====================================================================

https://portal.msrc.microsoft.com/en-us/security-guidance
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2018/4338110
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
_____________________________________________________________________

********************************************************************
Microsoft Security Update Summary for June 12, 2018
Issued: June 12, 2018
********************************************************************

This summary lists security updates released for June 12, 2018.

Complete information for the June 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.

Critical Security Updates
============================

ChakraCore
Microsoft Edge
Internet Explorer 9
Internet Explorer 11
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Windows Server, version 1803 (Server Core Installation)

Important Security Updates
============================

Excel Services installed on Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel Viewer
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Web Apps Server 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Project Server 2010 Service Pack 2
Microsoft Publisher 2010 Service Pack 2 (32-bit editions)
Microsoft Publisher 2010 Service Pack 2 (64-bit editions)
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Word Automation Services installed on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services installed on Microsoft SharePoint Server 2013 Service Pack 1
Office Online Server 2016

Moderate Security Updates
============================

Internet Explorer 10

Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

____________________________________________________________________

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 12, 2018
********************************************************************

Security Advisories Released or Updated on June 12, 2018
===================================================================

* Microsoft Security Advisory 4338110

 - Title: Microsoft guidance for CBC Symmetric Encryption Security
   Feature Bypass
 - https://docs.microsoft.com/en-us/security-updates/securityadvisories/2018/4338110
 - Reason for Revision: Information published.
 - Originally posted: June 12, 2018
 - Version: 1.0

* Microsoft Security Advisory 180002

 - Title: Guidance to mitigate speculative execution side-channel
   vulnerabilities
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
 - Reason for Revision: Updated FAQ #15 to announce that the
   following security updates provide additional mitigations for AMD
   processors for CVE-2017-5715:
   1. Security update 4284874 for Windows 10 Version 1703 - see
      https://support.microsoft.com/en-us/help/4103723/ for more
      information.
   2. Security update 4284860 for Windows 10 - see
      https://support.microsoft.com/en-us/help/4284860/ for more
      information.
   3. Security update 4284826 (monthly rollup) or 4284867 (security
      only) for Windows 7, Windows Server 2008 R2, or Windows Server
      2008 R2 (Server Core installation) - see
      https://support.microsoft.com/en-us/help/4284826/ or
      https://support.microsoft.com/en-us/help/4284867/ for more
      information.
 - Originally posted: January 3, 2018
 - Updated: June 12, 2018
 - Version: 20.0

* Microsoft Security Advisory 180012

 - Title: Microsoft Guidance for Speculative Store Bypass
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
 - Reason for Revision: Microsoft is announcing that the Windows
   security updates released on June 12, 2018 include support for
   Speculative Store Bypass Disable (SSBD) in Intel processors. This
   support is available for all supported editions of Windows 10,
   Windows Server 2016, Windows 7, and Windows Server 2008 R2. See
   the Affected Products table for the security updates. The
   Recommended Actions section of this advisory has been updated
   to include steps for applying updates to mitigate CVE-2018-3639 -
   Speculative Store Bypass (SSB), Variant 4. In addition, revisions
   have been made to the FAQ section to address questions about
   performance implications of these updates and of SSBD.
 - Originally posted: May 21, 2018
 - Updated: June 12, 2018
 - Version: 2.0

______________________________________________________________________

********************************************************************
Title: Microsoft Security Update Releases
Issued: June 12, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2018-0976
* CVE-2018-1003
* CVE-2018-8136

Revision Information:
=====================

 - CVE-2018-0976 | Windows Remote Desktop Protocol (RDP) Denial of
   Service Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: Microsoft is re-releasing security update
   4093227 for all supported versions of Windows Server 2008 Service
   Pack 2 to address a signing issue experienced by some customers.
   Customers should reinstall this new update.
 - Originally posted: April 10, 2018
 - Updated: June 12, 2018
 - Aggregate CVE Severity Rating: Important
 - Version: 2.0

 - CVE-2018-1003 | Microsoft JET Database Engine Remote Code
   Execution Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: Revised the Affected Products table to
   include Windows 10 Version 1803 for 32-bit System, Windows 10
   Version 1803 for x64-based Systems, and Windows Server
   version 1803 (Server Core installation) because they are
   affected by CVE-2018-1003. Microsoft recommends that
   customers running Windows 10 Version 1803 install update
   4284835 to be protected from this vulnerability.
 - Originally posted: April 10, 2018
 - Updated: June 12, 2018
 - Aggregate CVE Severity Rating: Important
 - Version: 2.0

 - CVE-2018-8136 | Windows Remote Code Execution Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: CVE revised to announce the availability
   of security update 4130956 for Windows Server 2008. See
   Microsoft Knowledge Base Article 4130956 for more information.
 - Originally posted: May 5, 2018
 - Updated: June 12, 2018
 - Aggregate CVE Severity Rating: Low
 - Version: 2.0


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


