.NET Framework Elevation of Privilege Vulnerability
Released: Jul 10, 2018
Last updated: Aug 15, 2018
- Assigning CNA
- Microsoft
- CVE.org link
- CVE-2018-8202
Executive Summary
An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.
To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.
The update addresses the vulnerability by correcting how .NET Framework activates COM objects.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed
- No
- Exploited
- No
- Exploitability assessment
- Exploitation Less Likely
FAQ
After I installed the July 2018 updates for .NET Framework, applications fail to start or are not working correctly. What do I need to do to remedy this situation?
Microsoft is aware of multiple customer reports of applications that fail to start or that do not run correctly. Please refer to the following Recommended Actions.
Recommended actions
Customers who have not installed security updates released on July 10 for .NET: Test the updates released on July 10, and if no application errors are found, apply the updates to production.
Customers who have successfully installed security updates released on July 10 for .NET and who are not experiencing any issues: No further action is required.
Customers who have installed security updates released on July 10 for .NET and who are experiencing application errors:
- Register for security notifications mailer to be alerted of any content changes to this advisory and notifications of new updates. See Microsoft Technical Security Notifications.
- Assess the risk of application errors caused by the updates compared to vulnerability exposure risk:
Risk guidance:
Workstations and Terminal servers are the primary target systems where an attacker could have User level access to exploit the vulnerability. In web-application server scenarios, unprivileged users will not typically have system login access. As such, the attack surface is diminished.
- If the risk of application errors is acceptable, then:
- Apply the security updates released on July 10 for .NET to workstations and non-web-application servers.
- Prepare to apply the forthcoming cumulative update, which no longer carries the application errors described in KB4345913. Customers will be notified via an update to this CVE when those updates are available.
- If the risk of application errors is not acceptable, then:
- Remove the security updates released on July 10 for .NET from systems that are showing application errors.
- You will be notifed via an update to this CVE when a limited-distribution update is available in the following days. Apply it to affected web-application servers.
Acknowledgements
- Lasse Trolle Borup of Langkjaer Cyber Defence
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
Disclaimer
Revisions
Microsoft is releasing the August Monthly Rollup, Security Only, and Security Updates to fully resolve known issues some customers experienced after installing the July security updates for .NET Framework. Customers who installed either the Standalone updates or Alternate Cumulative update should also install the August updates. See the Affected Products table for links to download and install the August updates.
Corrected Article and Download entries in the Affected Products table. This is an informational change only.
Microsoft is announcing the release of updates, available via the Microsoft Update catalog, to resolve known issues some customers experienced after installing the July 2018 security updates for .NET Framework. Microsoft recommends that customers who experienced application errors as described in KB4345913 (https://support.microsoft.com/en-us/help/4345913) install the applicable Standalone update for your system. Customers running Window 10 Version 1607 or Windows Server 2016 should install Cumulative update 4346877 to resolve application errors. See the Affected Products table for links to download and install the updates.
Microsoft is aware of a known issue some customers experienced after installing the security updates for CVE-2018-8202 that were released on July 10. We are investigating this issue and will rerelease security updates for this CVE as soon as they are available. In the meantime, please refer to the FAQ section of CVE-2018-8202 for recommended actions you can take prior to deploying these updates. Also see KB4345913 for further information, including descriptions of application errors that customers might experience and available workarounds.
To address a known issue in the security updates released on July 10, Microsoft is releasing Alternate Cumulative update packages for all supported editions of Windows 10. These packages are available via Microsoft Update catalog, WSUS, or by manually searching Windows Update. Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable. Note that the Monthly Rollup and Security Only updates for .NET Framework are not affected. Please refer to the Affected Products table for the replacement package KB numbers. Customers who have successfully installed the security updates and who are not experiencing any issues do not need to take any action.
Corrected Supersedence entries in the Affected Products table. This is an informational change only.
Information published.