Today, Microsoft released its monthly set of security updates addressing vulnerabilities in its products. This month's release addresses 92 vulnerabilities, 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, SharePoint, Skype for Business, Lync, and Windows.

Vulnerabilities Rated Critical

CVE-2017-0291 / CVE-2017-0292 These are remote code execution vulnerabilities in Microsoft Windows that are triggered when a user opens a specially crafted PDF file. Successful exploitation results in arbitrary code execution in the context of the current user.

CVE-2017-8522 This is a remote code execution vulnerability in the way the JavaScript engines in Microsoft browsers, including both Internet Explorer and Edge, handle objects in memory when rendering. It can be exploited by a user visiting a specially crafted web page.

Vulnerabilities Rated as Important

CVE-2017-0173 / CVE-2017-0215 / CVE-2017-0216 / CVE-2017-0218 / CVE-2017-0219 These are security feature bypass vulnerabilities in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. They can be exploited by an attacker with access to the local machine who injects malicious code into a script that is trusted by the Code Integrity policy.

CVE-2017-0286 / CVE-2017-0287 / CVE-2017-0288 / CVE-2017-0289 These are information disclosure vulnerabilities in the Windows GDI functionality that result in disclosure of the contents of memory. They can be exploited by convincing a user to open a specially crafted document or to visit an untrusted web page.

CVE-2017-0295 This is a tampering vulnerability in Microsoft Windows that allows an authenticated attacker to modify the C:\Users\DEFAULT folder structure. It is exploitable by an authenticated user before the target user logs on locally to the computer. Users that have previously logged on to the system are not affected by this vulnerability.

CVE-2017-0296 This is a privilege escalation vulnerability that impacts Windows 10. The vulnerability is a buffer overrun that can result in elevation of privilege. It is exploitable by a local attacker executing a specially crafted application to elevate privilege.

CVE-2017-0298 This is a privilege escalation vulnerability in Windows that occurs when a DCOM object in Helppane.exe, configured to run as the interactive user, fails to properly authenticate a client. Exploitation occurs when an attacker who is logged into the system executes a specially crafted application after another user has logged on to the same system via Terminal Services or Fast User Switching.

CVE-2017-8465 / CVE-2017-8466 / CVE-2017-8468 These are use-after-free vulnerabilities that can result in privilege escalation. They are triggered when Windows improperly handles objects in memory, and can be exploited by an attacker logging in locally or by convincing a user to execute a specially crafted application.

CVE-2017-8493 This is a security feature bypass vulnerability that exists when Microsoft Windows fails to enforce case sensitivity for certain variable checks. As a result, an attacker could set variables that are either read-only or require authentication. It can be exploited by an attacker executing a specially crafted application to bypass UEFI variable security in Windows.

CVE-2017-8515 This is a denial of service vulnerability in Microsoft Windows that is triggered when an unauthenticated attacker sends a specially crafted kernel mode request. This attack could cause a denial of service on the target system, requiring a reboot to resolve.

CVE-2017-8529 This is an information disclosure vulnerability affecting both Internet Explorer and Edge. The vulnerability resides in print preview and can be triggered by browsing to a specially crafted URL.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort Rules:
17042
24500
43155-43166
43169-43176
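Because the coverage note lists rules as single SIDs and SID ranges, and because rules may be shipped disabled or changed later, a practitioner usually wants to confirm which of the listed SIDs are actually loaded and enabled in the local rule set. The script below is an added example, not Talos or Snort code: it expands the SID list exactly as printed in this post, scans a rules file for `sid:` options, treats `#`-commented rules as disabled, and reports enabled, disabled and missing SIDs. The rules text it scans is a constructed sample; point it at a real `.rules` file to check your own deployment.

```python
"""Check which Snort SIDs from a Patch Tuesday coverage note are present in a rules file.

Added example (not Talos/Snort code). The rule lines in SAMPLE_RULES are constructed
for illustration; the SIDs in COVERAGE_SIDS are the ones listed in this post.
"""
import re
from typing import Iterable

# SID list as printed in the coverage section of this post.
COVERAGE_SIDS = ["17042", "24500", "43155-43166", "43169-43176"]

# Constructed sample rules file: two enabled rules from the list, one commented-out
# (disabled) rule from the list, and one unrelated local rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE rule A"; sid:43155; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE rule B, disabled"; sid:43160; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE rule C"; sid:24500; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE unrelated local rule"; sid:1000001; rev:1;)
"""

# Matches the sid option of a Snort rule, e.g. "sid:43155;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(entries: Iterable[str]) -> set[int]:
    """Turn entries like '17042' or '43155-43166' into a set of integer SIDs."""
    sids: set[int] = set()
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            lo, hi = (int(part) for part in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad SID range: {entry}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(entry))
    return sids


def scan_rules(text: str) -> dict[str, set[int]]:
    """Collect SIDs from rules text, split into enabled and disabled (commented-out) rules."""
    enabled: set[int] = set()
    disabled: set[int] = set()
    for line in text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not stripped or not match:
            continue  # blank line, plain comment, or a line without a sid option
        sid = int(match.group(1))
        if stripped.startswith("#"):
            disabled.add(sid)
        else:
            enabled.add(sid)
    return {"enabled": enabled, "disabled": disabled}


def coverage_report(entries: Iterable[str], rules_text: str) -> dict[str, list[int]]:
    """Compare the expected SID set against what the rules text actually contains."""
    wanted = expand_sids(entries)
    found = scan_rules(rules_text)
    return {
        "enabled": sorted(wanted & found["enabled"]),
        "disabled": sorted(wanted & found["disabled"]),
        "missing": sorted(wanted - found["enabled"] - found["disabled"]),
    }


if __name__ == "__main__":
    # Replace SAMPLE_RULES with open("/path/to/snort.rules").read() for a real check.
    report = coverage_report(COVERAGE_SIDS, SAMPLE_RULES)
    for state, sids in report.items():
        print(f"{state:9s} {len(sids):3d}  {sids}")
```

Against the constructed sample the report shows 2 SIDs enabled, 1 disabled and 19 of the 22 listed SIDs missing, which is exactly the kind of gap worth closing before relying on the published coverage. A disabled SID is reported separately because a rule that ships commented out in a policy still needs a deliberate decision to enable it.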