Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 54 vulnerabilities with 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework, Internet Explorer, Office, and Windows.
Vulnerabilities Rated Critical
CVE-2017-8463
This is a remote code execution vulnerability related to the way that Windows Explorer handles executable files and shares during rename operations. If exploited this vulnerability could run arbitrary code, users not running as administrators would be less affected. This vulnerability can be triggered via a malicious share folder and malware named with an executable extension.
CVE-2017-8584 A remote code execution vulnerability exists when HoloLens improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted WiFi packet.
CVE-2017-8589 This is a remote code execution vulnerability in Windows Search related to the improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.
CVE-2017-8594A remote code execution vulnerability exists when Internet Explorer, this vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code with current user privilege. If the current user is logged on with administrative user rights, the attacker could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. This can be exploited by a user visiting a specially crafted webpage.
CVE-2017-8595 / CVE-2017-8596 / CVE-2017-8617 A remote code execution vulnerability exists in Microsoft Edge, this vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code with current user privilege. If the current user is logged on with administrative user rights, the attacker could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. This can be exploited by a user visiting a specially crafted webpage. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine.
CVE-2017-8598 This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.
CVE-2017-8601 This is a remote code execution vulnerability in the Chakra JavaScript engine in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through a specially crafted website or an ActiveX control marked "safe for initialization" resulting in the attacker gaining taking full control of the affected system.
CVE-2017-8603 This is a remote code execution vulnerability in Microsoft Edge related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.
CVE-2017-8604 This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.
CVE-2017-8605 This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.
CVE-2017-8606 / CVE-2017-8607 / CVE-2017-8608 / CVE-2017-8609 This is a remote code execution in the JavaScript engines in Microsoft Browsers related to improper handling of objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user.
CVE-2017-8610 This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office.
CVE-2017-8618 This is a remote code execution in the VBScript engine, when rendered in Internet Explorer handles objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user.
CVE-2017-8619 These are remote code execution vulnerabilities in Microsoft's Edge browser related to improper access of objects in memory. This resulting memory corruption can result in arbitrary code execution. These can be exploited by a user visiting a specially crafted website.
Vulnerabilities Rated Moderate
CVE-2017-0170 An information disclosure vulnerability exists in the Windows Performance Monitor Console when it improperly parses XML input. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity(XXE). To exploit the vulnerability, an attacker could create specially crafted XML data and convince an authenticated user to create a Data Collector Set and import the file. To create a Data Collector Set, the user must be a member of the Performance Log Users or Local Administrators group.
CVE-2017-8611 This is a spoofing vulnerability in Microsoft Edge when it does not properly parse HTTP content. An attacker could use a crafted website to either spoof content or serve as a pivot to chain an attack with other vulnerabilities.
CVE-2017-8621 An open redirect vulnerability exists in Microsoft Exchange that could lead to spoofing. To exploit the vulnerability, an attacker could send a crafted URL, when an authenticated Exchange user clicks the link, the authenticated user's browser session could be redirected to a malicious site that is designed to impersonate a legitimate website. By doing so, the attacker could trick the user and potentially acquire sensitive information, such as the user's credentials.
Vulnerabilities Rated Important
CVE-2017-0243 A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could perform actions with privileges of the current user. This can be exploited by having a user open a specially crafted file.
CVE-2017-8467 An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. This is exploitable by local attacker executing a specially crafted application to elevate privilege.
CVE-2017-8486 This is an information disclosure vulnerability in Microsoft Windows when Win32k fails to properly handle objects in memory. This can be triggered by an authenticated attacker executing a specially crafted application.
CVE-2017-8495 A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. Successful exploitation of this vulnerability could be used to bypass Extended Protection for Authentication.
CVE-2017-8501 / CVE-2017-8502These are remote code execution in Microsoft Office related to improper handling of objects in memory. Exploitation occurs when a user opens a specially crafted file. This file could be delivered via an email message or be hosted on a website.
CVE-2017-8556 An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. This is exploitable by local attacker executing a specially crafted application to elevate privilege.
CVE-2017-8557 An information disclosure vulnerability exists in the Windows System Information Console when it improperly parses XML input. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity(XXE). To exploit the vulnerability, an attacker could create specially crafted XML data.
CVE-2017-8559 / CVE-2017-8560 An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests. Exploitation occurs by an authenticated attacker sending a specially crafted request.
CVE-2017-8561 This is a privilege escalation vulnerability in the Windows Kernel related to the improper handling of objects in memory. This is exploitable by local attacker executing a specially crafted application to elevate privilege.
CVE-2017-8562 There is a privilege escalation vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call (ALPC). This is exploitable by local attacker executing a specially crafted application to elevate privilege.
CVE-2017-8563 An elevation of privilege vulnerability exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. This is exploitable by local attacker executing a specially crafted application to send malicious traffic to a domain controller.
CVE-2017-8564 This is an information disclosure vulnerability in the Windows Kernel related to the improper handling of objects in memory. This is exploitable by local attacker executing a crafted application, allowing the attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass.
CVE-2017-8565 This is a remote code execution vulnerability within PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.
CVE-2017-8566 This is an elevation of privilege vulnerability in Windows Input Method Editor (IME) when IME improperly handles parameters in a method of a DCOM class. The DCOM server is a Windows component installed regardless of which languages/IMEs are enabled and an attacker can instantiate the DCOM class and exploit the system even if IME is not enabled. This is exploitable by local attacker executing a specially crafted application to elevate privilege.
CVE-2017-8569 An elevation of privilege vulnerability exists in Microsoft SharePoint Server, when it does not properly sanitize a specially crafted web request. An authenticated attacker could exploit the vulnerability, via a specially crafted request, to an affected SharePoint server. If successfully the attacker could then perform cross-site scripting attacks on affected systems and run scripts in the privilege of the current user. This can allow the attacker to read content they are not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
CVE-2017-8570 A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could perform actions with privileges of the current user. This can be exploited by having a user open a specially crafted file.
CVE-2017-8573 / CVE-2017-8574 / CVE-2017-8577 / CVE-2017-8578 / CVE-2017-8580 An elevation of privilege vulnerability exists in Microsoft Graphics Component. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2017-8581 An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An authenticated attacker who successfully exploited this vulnerability could run processes in an elevated context.
CVE-2017-8582 An Information Disclosure vulnerability exists when the HTTP.sys server application component improperly handles objects in memory. A remote unauthenticated attacker could exploit this vulnerability by issuing a request to the server application.
CVE-2017-8585 This is a denial of service vulnerability when Microsoft Common Object Runtime Library improperly handles web requests. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. This attack could cause a denial of service on the target system, requiring a reboot to resolve.
CVE-2017-8587 A Denial Of Service vulnerability exists when Windows Explorer attempts to open a non-existent file. An attacker could exploit this vulnerability by hosting a specially crafted web site and convince a user to browse to the page, containing the reference to the non-existing file, and cause the victim's system to stop responding.
CVE-2017-8588 A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted files. Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft WordPad. An attacker could exploit the vulnerability by sending a specially crafted file to the user via email.
CVE-2017-8590 An elevation of privilege vulnerability exists in Windows Common Log File System (CLFS). A locally authenticated attacker could exploit this vulnerability by running a specially crafted application to take control of the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
CVE-2017-8592 A security feature bypass vulnerability exists when Microsoft Browsers improperly handle redirect requests. This vulnerability allows Microsoft Browsers to bypass CORS redirect restrictions and follow redirect requests that should otherwise be ignored. An attacker who successfully exploited this vulnerability could force the browser to send data that would otherwise be restricted to a destination web site of their choice.
CVE-2017-8599 A security feature bypass vulnerability exists when Microsoft Edge fails to correctly apply Same Origin Policy for HTML elements present in other browser windows. This can be exploited by a user visiting a specially crafted webpage.
CVE-2017-8602 This is a spoofing vulnerability in Microsoft Browser when it does not properly parse HTTP content. An attacker could use a crafted website to either spoof content or serve as a pivot to chain an attack with other vulnerabilities.
Coverage In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.
Snort Rules:
42753
42755-42756
43460-43463
43465-43466
43469-43474
43490-43493
43521-43522