Security Updates for Microsoft Visual Studio Products (April 2018)

medium Nessus Plugin ID 109029

Synopsis

The Microsoft Visual Studio Products are missing a security update.

Description

The Microsoft Visual Studio Products are missing a security update. It is, therefore, affected by the following vulnerability :

- An information disclosure vulnerability exists when Visual Studio improperly discloses limited contents of uninitialized memory while compiling program database (PDB) files. An attacker who took advantage of this information disclosure could view uninitialized memory from the Visual Studio instance used to compile the PDB file. To take advantage of the vulnerability, an attacker would require access to an affected PDB file created using a vulnerable version of Visual Studio. An attacker would have no way to force a developer to produce this information disclosure. The security update addresses the vulnerability by correcting how PDB files are generated when a project is compiled.
(CVE-2018-1037)

Solution

Microsoft has released the following security updates to address this issue:
-KB4089501
-KB4091346
-KB4087371
-KB4089283

See Also

http://www.nessus.org/u?1a8e7d73

http://www.nessus.org/u?5b4e94bf

http://www.nessus.org/u?b61645d0

http://www.nessus.org/u?de1ae25a

Plugin Details

Severity: Medium

ID: 109029

File Name: smb_nt_ms18_apr_visual_studio.nasl

Version: 1.13

Type: local

Agent: windows

Published: 4/13/2018

Updated: 10/1/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2018-1037

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:visual_studio

Required KB Items: SMB/MS_Bulletin_Checks/Possible, installed_sw/Microsoft Visual Studio

Exploit Ease: No known exploits are available

Patch Publication Date: 4/10/2018

Vulnerability Publication Date: 4/10/2018

Reference Information

CVE: CVE-2018-1037

BID: 103715

MSFT: MS18-4087371, MS18-4089283, MS18-4089501, MS18-4091346

MSKB: 4087371, 4089283, 4089501, 4091346