Tuesday, March 14, 2017

Microsoft Patch Tuesday - March 2017

Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.

Bulletins Rated Critical

MS17-006, MS17-007, MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013 and MS17-023 are rated critical.

MS17-006 is this month's Internet Explorer bulletin. Within the 6 critical Internet Explorer vulnerabilities, 3 relate to remote code execution vulnerabilities due to how browsers handle objects in memory. One of these, CVE-2017-0149 is actively being exploited in the wild. 2 critical vulnerabilities can be exploited to execute remote code due to the way that JScript and VBScript render when handling objects in memory. Although the remaining critical vulnerability doesn’t allow code execution itself, it can be exploited in conjunction with a code execution vulnerability to execute code with higher privileges than shoallinauld be permitted. 4 further vulnerabilities are rated as important, relating to vulnerabilities that can be exploited to disclose information from memory or disk. The last 2 important vulnerabilities relate to incorrect parsing of HTTP headers which potentially allow an attacker to redirect a victim to a malicious website. These 2 vulnerabilities, CVE-2017-0012 and CVE-2017-033 are also found in Edge, and included in the bulletin MS17-007.

MS17-007 is concerned with vulnerabilities in Edge, describing 20 rated as critical and 10 as important. 15 of these critical vulnerabilities relate to issues in how scripting engines render when handling objects in memory, potentially allowing attackers to execute arbitrary code on affected systems. The critical vulnerability CVE-2017-0037 is shared with Internet Explorer, allowing an attacker to execute arbitrary code through a memory corruption vulnerability. Three further vulnerabilities exist in how Edge accesses objects in memory which can also be abused to execute arbitrary code, two of these are rated as critical. One critical vulnerability relates to the MS Windows PDF library where viewing a website containing malicious PDF content can cause remote code execution. This vulnerability is described in more detail in MS17-009. A further memory corruption vulnerability unique to Edge CVE-2017-0034, allows arbitrary code to be executed in the context of the user. 5 important vulnerabilities potentially allow an attack to discover information from memory. 3 vulnerabilities relating to incorrect parsing of HTTP headers are rated as important, 2 of these are shared with Internet Explorer and also addressed in MS17-006. Vulnerabilities in the incorrect application of the same origin policy for html elements account for 2 important and one moderate listings. Finally, one scripting engine memory corruption vulnerability is rated as important, distinct from the other critical vulnerabilities in the same system.

11 vulnerabilities in Windows Hyper-V are addressed in MS17-008, only 3 of which are related as critical. One of these is a vulnerability due to how Hyper-V on a server fails to properly validate vSMB packet data. An attacker within a virtual machine, could exploit this vulnerability to execute arbitrary code on the host. An additional vulnerability also related to validating vSMB packets exists, but is rated as important. Two critical vulnerabilities relate to how the host system validates input from authenticated users on a guest operating system potentially allowing an attacker to execute arbitrary code on the host. Six important fixes for denial of service vulnerabilities, and one important fix for a memory disclosure vulnerability are also included.

MS17-010 addresses 6 vulnerabilities in Windows SMB Server. 5 critical vulnerabilities can be exploited by an attacker sending a malicious packet to a SMBv1 server to result in remote code execution. A further important vulnerability can be exploited by sending a malicious packed to a SMBv1 server to cause information from the server to be disclosed.

Microsoft Uniscribe is a series of services used in the rendering of Unicode characters. MS17-011 addresses 29 vulnerabilities in Uniscribe, of which 8 are rated as critical, the remainder as important. The critical vulnerabilities allow an attacker to take full control of a system by hosting malicious content on a website that the victim is tricked into visiting, or by enticing a victim into opening a specially crafted malicious file. The vulnerabilities rated as important, can be exploited in the same way, but result in the disclosure of memory contents to the attacker.

The MS17-012 bulletin fixes 5 important vulnerabilities, and a single critical vulnerability. The critical vulnerability is in the Internet Storage Name Service (iSNS) server service which fails to properly validate client input. This potentially allows an attacker to run arbitrary code in the context of the SYSTEM account on an affected system. The important vulnerabilities are in Device Guard which permits an attacker to modify a PowerShell script without invalidating the file signature; a denial of service vulnerability in SMBv2 and SMBv3; and a remote code execution vulnerability in loading certain DLL files.

Microsoft Windows Graphics Component is used by a number of different programs including Microsoft Office and Silverlight. MS17-013 describes 2 critical and 10 important vulnerabilities in the component. The critical vulnerabilities result in remote code execution when exploited by either tricking a victim into visiting a website hosting malicious content, or getting a victim to open a malicious file. The important vulnerabilities exist in how Windows Graphics Device Interface handles objects in memory, allowing a local user to execute code in kernel mode, a remote user to discover memory contents, or help in bypassing address space layout randomization (ASLR) protection.

Patch Tuesday is never complete without an Adobe Flash Player bulletin, and MS17-023 delivers by addressing the critical vulnerabilities otherwise described in Adobe Security Bulletin APSB17-07. This update resolves a series of remote code execution vulnerabilities in Adobe Flash Player. If you can’t patch, or remove Adobe Flash Player, the bulletin describes a number of workarounds to prevent Flash Player from executing.

Bulletins Rated Important

MS17-014, MS17-015, MS17-016, MS17-017, MS17-018, MS17-019, MS17-020, MS17-021, and MS17-022 are rated important.

Although MS17-014 addresses 12 vulnerabilities in Microsoft Office, not a single one of the vulnerabilities is classed as critical, nevertheless all are important. 7 of these allow an attacker to execute arbitrary code in the context of the local user with the aid of a user opening a malicious document or visiting a malicious content hosting website. Further vulnerabilities permit an attacker to perform a denial of service attack against Microsoft Office, disclose memory contents, facilitate cross site scripting (XSS), and tamper with trusted communications through an improperly validated certificate.

MS17-015 and MS17-016 describe single vulnerabilities, both rated as important in Microsoft Exchange Outlook Web Access and Microsoft IIS Server respectively. The Outlook Web Access vulnerability allows an attacker to perform content injection attacks via a victim clicking a malicious link in an email or in a chat client. The IIS Server vulnerability allows an attacker to perform a cross site scripting attack (XSS) and run scripts in the context of the current user; again a victim must click a malicious link for the attack to succeed.

MS17-017 and MS17-018 address 12 important vulnerabilities in Windows Kernel and Windows Kernel-Mode Drivers. These vulnerabilities allow a locally authenticated user or a user with local access to improperly escalate their privileges.

Bulletins MS17-019, MS17-020, MS17-021, MS17-022 relate to single important vulnerabilities in Active Directory Federation Services, Windows DVD Maker, Direct Show and XML Core Services. This series of vulnerabilities allow attackers to gather information from the affected system. In the case of Windows DVD Maker the attacker must be locally authenticated to trigger the exploit. The latter two vulnerabilities require the victim to visit a malicious website before they can be exploited.


In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort SIDs: 41549-41556, 41561-41598, 41601-41602, 41605-41610, 41633-41634, 41763-41764, 41926-41961, 41964-41998

No comments:

Post a Comment