Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, Sharepoint, and Windows.
In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.
Vulnerabilities Rated Critical The following vulnerabilities are rated critical by Microsoft:
These vulnerabilities are broken out by affected software below.
Adobe Flash Adobe has released a security update for Flash Player addressing memory corruption vulnerabilities that could result in remote code execution if exploited. Windows is impacted by these vulnerabilities as Flash Player is integrated into Internet Explorer and Edge in Windows 8 and 10. For further details, please refer to Adobe's Flash Player security bulletin here.
Internet Explorer/Edge Multiple memory corruption vulnerabilities have been identified in Internet Explorer, Edge, and the Scripting Engine component utilized by both browsers. These vulnerabilities manifest due to the way Internet Explorer, Edge, and Chakra (the scripting engine) handle objects in memory. Exploitation of these vulnerabilities could yield arbitrary code execution in the context of the current user's privileges if the user navigates to a specifically crafted web page.
Windows SMB Multiple vulnerabilities have been identified in Microsoft Server Message Block (SMB) 1.0 that could allow an attacker to execute arbitrary code on the targeted host. Per Microsoft's advisories, an unauthenticated attacker could exploit these vulnerabilities via specifically crafted packets being transmitted to a vulnerable SMBv1 server.
Microsoft Malware Protection Engine A vulnerability has been identified in the Microsoft Malware Protection Engine that could lead to arbitrary code execution in the context of the kernel. This vulnerability, CVE-2017-0290, manifests due to the Malware Protection engine improperly scanning specifically crafted files. Exploitation of this flaw is achievable by opening an email containing a malicious file, visiting a malicious website that exploits this vulnerability, or by downloading a maliciously crafted file.
Microsoft has released an engine update separate from a bulletin that addresses this issue. Users and administrators should note that no action is typically required for updates for the Malware Protection Engine as updates are normally applied within 48 hours of the release. For further details, please see Microsoft's security advisory.
Vulnerabilities Rated ImportantThe following vulnerabilities are rated important by Microsoft:
These vulnerabilities are broken out by affected software below.
.NET A security feature bypass vulnerability has been identified and patched in the .NET Core and .NET Framework. CVE-2017-0248 manifests due to .NET core and .NET component failing to completely validate certificates. Exploitation of this flaw could occur where an attacker presents a certificate which is not valid for a specific use, but is still utilized for that purpose.
DirectX A privilege escalation vulnerability in the DirectX graphics kernel subsystem (dxgkrnl.sys) has been identified and patched. CVE-2017-0077 manifests due to the way objects in memory are incorrectly handled. Exploitation of the flaw is achievable if a user runs a specifically written application that exploits this flaw.
Microsoft Browser Multiple vulnerabilities have been identified and patched in Microsoft Internet Explorer and Edge. Two of the vulnerabilities (CVE-2017-0233, CVE-2017-0241) are privilege escalation vulnerabilities in Edge, one is a memory corruption flaw in IE (CVE-2017-0226), one is a security feature bypass in IE (CVE-2017-0064), one is a browser spoofing vulnerability (CVE-2017-0231), and one is a ActiveX information disclosure flaw (CVE-2017-0242).
Office Multiple arbitrary code execution vulnerabilities have been identified and patched in Microsoft Office for Mac and PC. These vulnerabilities manifest due to incorrectly handling objects in memory, resulting in memory corruption and arbitrary code execution in the context of the current privilege level. Exploitation of the these flaws achievable if a victim opens a specifically crafted Office document with a vulnerable version of Office on the host system. Attack vectors where this could be exploited included email-based attack where the user opens a malicious attachment from an attacker.
Sharepoint A cross-site scripting (XSS) vulnerability has been identified and patched in Sharepoint Foundation 2013. CVE-2017-0255 manifests due to improperly sanitizing web requests to an affected server, potentially allowing an attacker to run scripts in the context of the current user. Exploiting the vulnerability could allow an attacker to read sensitive information or perform actions on behalf of the targeted user.
Win32k Three vulnerabilities have been identified and patched in the Win32k subsystem that could allow an attacker to gain elevated privileges or gain sensitive information regarding the system. Two of the vulnerabilities (CVE-2017-0246, CVE-2017-0263) are privilege escalation flaws while the third vulnerability (CVE-2017-0245) is an information disclosure vulnerability that could expose sensitive information about the system. All three vulnerabilities manifest due the kernel-mode driver failing to properly handle object in memory and could be exploited by executing a specifically written application.
Windows COM Two privilege escalation vulnerabilities (CVE-2017-0213 and CVE-2017-0214) in Windows Component Object Model (COM) have been identified and patched. CVE-2017-0213 manifests in the Windows COM Aggregate Marshaller due to how the COM Marshaller processes interface requests. CVE-2017-0214 manifests as a failure to properly validate input before loading libraries and could be exploited when loading type libraries.
Windows DNS A denial of service vulnerability (CVE-2017-0171) in Windows DNS Server has been identified and patched. CVE-2017-0171 manifests due to incorrectly handling DNS queries "if the server is configured to answer version queries." As a result, a remote attacker could exploit this vulnerability and cause the host to become unresponsive.
Windows GDI A information disclosure vulnerability in the Windows Graphics Device Interface (GDI) has been identified and patched that could allow an attacker to gain information about the targeted system. The vulnerability (CVE-2017-0190) itself does not permit an attacker to execute arbitrary code on the targeted system. However, exploiting this vulnerability in conjunction with another flaw could allow an attacker to execute arbitrary code.
Windows Hyper-V A privilege escalation vulnerability has been identified and patched in Windows Hyper-V. The vulnerability in question, CVE-2017-0212, is a flaw where the host server fails to properly handle vSMB packets.
Windows Kernel Five vulnerabilities have been identified and fixed in the Windows Kernel with four of them being information disclosure flaws and one of them being a privilege escalation vulnerability. All five vulnerabilities manifest due to the way object are incorrectly handled in memory.
A user who executes a specifically written application could exploit these vulnerabilities and gain information to further compromise the host (in the case of the information disclosure vulnerabilities), or gain elevated privileges that could be used to gain full control of the affected system. Note that for the privilege escalation vulnerability (CVE-2017-0244), x86-64 based systems will suffer from a denial of service instead of a privilege escalation.
Windows SMB Multiple vulnerabilities have been identified in Microsoft Server Message Block (SMB) 1.0 that could result a denial of service or information leakage on affected hosts. These vulnerabilities manifest as a result of an affected host incorrectly processing SMBv1 requests.
Coverage In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.
- 42820-42821 (for CVE-2017-0290)