VIDAS® 3 System Windows 10 Cyber Security Bulletin / 10 SEP 2018

The aim of this information is to:

- Provide relevant information regarding both security vulnerabilities and their corrections.
- Provide the list of known significant security vulnerabilities for the VIDAS® 3 systems.
- Provide the list of corrected security vulnerabilities for the VIDAS® 3 systems.

NOTE:
This Security Bulletin is based on VIDAS® 3 System on Windows 10 Operating
System. No other Security Bulletin on Windows 7 Operating System will be edited now.

REMINDER:
Security Update pack 1 to 4 are not applicable on Windows 10.

VIDAS®3 Security Patch-OS release information

See below the list of all released Security updates for the VIDAS®3 System and their status:
VIDAS®3
Release information Status
Security update
N/A N/A N/A

Windows security policy update for the VIDAS®3 system

Starting from October 2016, Microsoft’s servicing model has evolved to only deliver security
and reliability updates as part of a single monthly update packages, called Security and
Quality Rollup.

It is advised to install the Microsoft Security and Quality Rollup (in addition to the former
Security and Critical Microsoft updates) on the VIDAS®3 systems in order to maintain
Microsoft operating systems and software components secured.
List of HIGH/CRITICAL known vulnerabilities on the VIDAS® 3
system (all versions from VIDAS® 3 V1.2.2 Windows 10)

In computer security, a vulnerability is a weakness which allows an attacker to reduce a

system's information assurance. Vulnerability is the intersection of three elements: a system
susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
To exploit a vulnerability, an attacker must have at least one applicable tool or technique that
can connect to a system weakness.

On a fully up-to-date VIDAS® 3 system, which includes:

- VIDAS® 3 V1.2.2 on Windows 10 (including BCI Link 4.0.0.22 and QC Module)
- VILINK agent V3.2.0
- ML2SW 4.3.6
- The Security and Critical Microsoft updates installed on each computer of the VIDAS®
3 system
- The Security and Quality Rollup Microsoft updates installed on each computer of the
VIDAS® 3 system

The following high or critical security vulnerabilities are known to be still present:
1. Microsoft SQL Server Unsupported Version Detection (CRITICAL)
This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10 and concerns the SQL
server version used by the VIDAS® 3 QC Module.
 The deployed SQL Server is configured to be accessible on the local
workstation only (not visible on the network). In addition, a bioMérieux
router/firewall can be used to secure the workstation. No need immediate
correction.

2. KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative
Update (CRITICAL)
This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10.
 The R&D VIDAS® 3 team is working to provide a fix for this issue.

3. 7-Zip < 18.05 Memory Corruption Arbitrary Code Execution (CRITICAL)

This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10.
 The R&D VIDAS® 3 team is working to provide a fix for this issue.

4. MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow

Remote Code Execution (2500212) (HIGH)
This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10.
 The R&D VIDAS® 3 team is working to provide a fix for this issue.

5. MS15-124: Cumulative Security Update for Internet Explorer (3116180) (HIGH)

This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10.
 The R&D VIDAS® 3 team is working to provide a fix for this issue.

6. Insecure Windows Service Permissions (HIGH)

This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10.
 The R&D VIDAS® 3 team is working to provide a fix for this issue.
7. SSL Version 2 and 3 Protocol Detection (HIGH)
This vulnerability is present on the VIDAS® 3 V1.2.2 Windows 10 when VILINK is
installed.
 The VILINK team is working to provide a fix for this issue.
List of HIGH/CRITICAL vulnerabilities already corrected on the VIDAS® 3 system

N/A (No Security Update Pack has been released on Windows 10 Operating System yet)