Tuesday, August 8, 2017

Microsoft Patch Tuesday - August 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.


Vulnerabilities Rated Critical

The following vulnerabilities are rated "critical" by Microsoft:
The following briefly describes these vulnerabilities.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability


Multiple vulnerabilities have been identified in the Microsoft Browser JavaScript engine that could allow remote code execution to occur in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory, resulting in memory corruption. Exploitation of these vulnerabilities is achievable if a user visits a specifically crafted web page that contains JavaScript designed to exploit one or more of these vulnerabilities.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8634
  • CVE-2017-8635
  • CVE-2017-8636
  • CVE-2017-8638
  • CVE-2017-8639
  • CVE-2017-8640
  • CVE-2017-8641
  • CVE-2017-8645
  • CVE-2017-8646
  • CVE-2017-8647
  • CVE-2017-8655
  • CVE-2017-8656
  • CVE-2017-8657
  • CVE-2017-8670
  • CVE-2017-8671
  • CVE-2017-8672
  • CVE-2017-8674

CVE-2017-8653, CVE-2017-8669 - Microsoft Browser Memory Corruption Vulnerabilities


Two vulnerabilities have been identified in Edge and Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specifically crafted webpage that exploits one of the flaws.

CVE-2017-8661 - Microsoft Edge Memory Corruption Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-0250 - Microsoft JET Database Engine Remote Code Execution Vulnerability


A buffer overflow vulnerability in the Microsoft JET Database Engine has been identified that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability can be triggered by opening or previewing a specifically crafted database file on a vulnerable system. Scenarios where this could occur could be an email-based attack where an attacker sends the targeted user a malicious database file to be opened.

CVE-2017-8591 - Windows IME Remote Code Execution Vulnerability


An arbitrary code execution vulnerability in the Windows Input Method Editor (IME) has been identified that could allow an attacker to execute code in the context of the current user. The vulnerability manifests due to improper handling of parameters in a method of a DCOM class. Note that DCOM server is a component of Microsoft Windows that is installed regardless of the language/IMEs used. An attacker who exploits this vulnerability can instantiate the DCOM class and exploit the system, even if IME is disabled.

CVE-2017-0293 - Windows PDF Remote Code Execution Vulnerability


A vulnerability in Windows PDF has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who open a specifically crafted PDF file or who visit a web page containing a specifically crafted PDF could exploit this vulnerability.

CVE-2017-8620 - Windows Search Remote Code Execution Vulnerability


A vulnerability in Windows Search has been identified that could allow an attacker to remotely execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Upon successful exploitation, an attacker with physical access to the affected host could elevate privileges to that of an administrator. This vulnerability could also be exploited in an enterprise environment via an SMB connection to the affected host.

CVE-2017-8622 - Windows Subsystem for Linux Elevation of Privilege Vulnerability


A vulnerability in the Windows System for Linux has been identified that could be used escalate a user's privileges to that of an administrator. This vulnerability manifests due to how the Windows Subsystem for Linux handles NT pipes. Successful exploitation could allow a local, authenticated attacker to execute code as an administrator.

Vulnerabilities Rated Important

The following vulnerabilities are rated "important" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8644, CVE-2017-8652, CVE-2017-8662 - Microsoft Edge Information Disclosure Vulnerability


Multiple vulnerabilities in Microsoft Edge have been identified that could allow an attacker to discover sensitive information regarding the targeted system. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities could given an attacker the necessary information to further exploit additional vulnerabilities on the system.

CVE-2017-8503 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests as an AppContainter sandbox escape within the browser. Successful exploitation could result in a user obtaining elevated privileges. Note that this vulnerability does not allow arbitrary code execution. However, if used in conjunction with one more vulnerabilities, an attacker could execute arbitrary code in the context of an administrator.

CVE-2017-8642 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests due to improper validation of JavaScript in certain circumstances. Successful exploitation could elevate privileges in affected versions of Microsoft Edge. Note that this vulnerability does not permit arbitrary code execution. However, if used in conjunction with one, an attacker could execute arbitrary code with medium-level integrity, or that of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability


A vulnerability in Internet Explorer has been identified that could be exploited to bypass a security feature. This vulnerability manifests due to Internet Explorer improperly validating User Mode Code Integrity (UMCI) policies. Successful exploitation of this vulnerability could allow an attacker to execute unsigned malicious code as if it were signed. Exploiting this vulnerability is possible if a user visits a specifically crafted website designed to exploit the flaw.

CVE-2017-8691 - Express Compressed Fonts Remote Code Execution Vulnerability


A vulnerability in the Windows Font library has been identified that could permit an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests due to the library improperly handling specially crafted embedded fonts. Exploitation of this vulnerability is possible if a user visits a specifically crafted web page or if a user opens a specifically crafted file that is designed to exploit this vulnerability.

CVE-2017-8654 - Microsoft Office SharePoint XSS Vulnerability


A vulnerability in Microsoft Sharepoint has been identified that could could allow an attacker to execute a cross-site scripting (XSS) attack. This vulnerability manifests due to Sharepoint Server improperly sanitizing specific web requests from a user. Successful exploitation of this vulnerability could allow an attacker to execute script in the context of the current user, read content that the attacker would not have permission to otherwise view, or execute actions on behalf of the affected user.

CVE-2017-8516 - Microsoft SQL Server Analysis Services Information Disclosure Vulnerability


A vulnerability in Microsoft SQL Server Analysis Services has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to SQL Server Analysis Services improperly enforcing permissions. An attacker with valid credentials that permit access to the affected SQL Server could exploit this vulnerability to gain additional database and file information that should otherwise not be permitted.

CVE-2017-8659 - Scripting Engine Information Disclosure Vulnerability


A vulnerability in the Chakra JavaScript Engine has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining information that could then be used to further exploit the system. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8637 - Scripting Engine Security Feature Bypass Vulnerability


A vulnerability in the Microsoft Edge has been identified that could allow an attacker to bypass a security feature. This vulnerability manifests due to way memory is accessed in "code compiled by the Edge Just-In-Time (JIT) compiler that allows Arbitrary Code Guard (ACG) to be bypassed". Note that this exploiting this vulnerability does not result in arbitrary code execution. However, if used in combination with another vulnerability, an attacker could execute arbitrary code on the targeted system. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8668 - Volume Manager Extension Driver Information Disclosure Vulnerability


A vulnerability in the Volume Manager Extension Driver has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to the Volume Manager Extension Driver improperly providing kernel information. Successful exploitation could allow an attacker to gain information that could be used to further compromise a targeted system.

CVE-2017-8593 - Win32k Elevation of Privilege Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8666 - Win32k Information Disclosure Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to the Win32k component improperly providing kernel information. Successful exploitation could allow an attacker to gain information that could be used to further compromise a targeted system.

CVE-2017-8624 - Windows CLFS Elevation of Privilege Vulnerability


A vulnerability in the Windows Common Log File System (CLFS) driver has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8633 - Windows Error Reporting Elevation of Privilege Vulnerability


A vulnerability in the Windows Error Reporting (WER) has been identified that could allow a privilege escalation attack to occur. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system.

CVE-2017-8623 - Windows Hyper-V Denial of Service Vulnerability


A vulnerability in the Microsoft Hyper-V Network Switch has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to improper validation of input "from a privileged user on a guest operating system." Successful exploitation of this vulnerability could cause the host server to crash. Exploiting this flaw requires that a privileged user on the guest host runs a specifically crafted executable that exploits this vulnerability, thus causing the host system to crash.

CVE-2017-8664 - Windows Hyper-V Remote Code Execution Vulnerability


A vulnerability in Windows Hyper-V has been identified that could allow arbitrary code execution on the hypervisor system to occur. This vulnerability manifests due to improperly validating "input from an authenticated user on a guest operating system." Exploitation of the vulnerability could be achieved if an attackers runs a specifically crafted application within a guest operating system that causes Hyper-V to execute arbitrary code.

CVE-2017-0174 - Windows NetBIOS Denial of Service Vulnerability


A vulnerability in the Microsoft Windows has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to Windows improperly handling NetBIOS packets. Successful exploitation of this vulnerability could cause the host to become unresponsive. An attacker who sends a series of specifically crafted TCP packets to the targeted system could create a permanent denial of service condition.

CVE-2017-8673 - Windows Remote Desktop Protocol Denial of Service Vulnerability


A vulnerability in Remote Desktop Protocol (RDP) has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to target system improperly handling RDP requests once an attacker has connected to the targeted system. Successful exploitation of this vulnerability could cause the RDP service to become unresponsive.

CVE-2017-8627 - Windows Subsystem for Linux Denial of Service Vulnerability


A vulnerability in the Windows Subsystem for Linux has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to the Subsystem improperly handling objects in memory. Successful exploitation of this vulnerability could cause the local system to become unresponsive.

Vulnerabilities Rated Moderate

The following vulnerabilities are rated "moderate" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8650 - Microsoft Edge Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that allow an attacker to bypass a security feature. This vulnerability manifests due to improperly enforcement of same-origin policies. Successful exploitation could allow an attacker to "access information from origins outside the current one." Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8651 - Internet Explorer Memory Corruption Vulnerability


A vulnerability in Internet Explorer has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort Rules:

  • 43847-43848
  • 43851-43852

No comments:

Post a Comment