SB2018071014 - Multiple vulnerabilities in Microsoft Visual Studio

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2018-8172)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper check of the source markup of a file for an unbuilt project. A remote unauthenticated attacker can trick the victim into opening a specially crafted file with an affected version of Visual Studio and run arbitrary code in the context of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Security restrictions bypass (CVE-ID: CVE-2018-8232)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper validation of code logic in Microsoft Macro Assembler. A remote unauthenticated attacker can bypass security restrictions and introduce code into an application, which modifies data in an unintended manner.

Remediation

Install update from vendor's website.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8172
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8232