Microsoft Patch Tuesday – August 2017

BeyondTrust Research Team, August 9th, 2017


It’s time for Microsoft Patch Tuesday, August 2017. This month’s patches cover the usual suspects, with only a few out-of-the-ordinary products and services receiving fixes. Examples of those products and services are NetBIOS, Windows CLFS, and the JET DB Engine.

Windows Kernel

The Windows Kernel has been patched for multiple Information Disclosure vulnerabilities. While these vulnerabilities themselves do not compromise the victim system, they do provide information that could aid an attacker’s ongoing compromise of a system. As usual, the vulnerabilities revolve around improper initialization of objects in kernel memory. Microsoft has rated these vulnerabilities as Important.

Office

Office was unusually quiet this month, bearing only an update for SharePoint 2010. SharePoint had a vulnerability that could allow an attacker to conduct cross-site scripting (XSS) attacks on affected systems and run script in the security context of the current user.

Internet Explorer and Edge

Microsoft’s web browsers bear vulnerabilities very similar to last month’s, hosting multiple memory corruption vulnerabilities in JavaScript. An attacker who exploited these vulnerabilities by luring the user to view malicious content would be able to remotely execute commands on the victim’s system, view memory contents, and create user accounts with privileges equal to those of the victim user. Microsoft rates the most severe of these vulnerabilities as Critical.

Adobe Flash Player

Adobe Flash Player returns with two vulnerabilities. These updates address a critical type confusion vulnerability that could lead to code execution and an important security bypass vulnerability that could lead to information disclosure. These vulnerabilities are rated Critical by Microsoft.

SQL Server

Microsoft’s SQL Server comes bearing vulnerabilities across its version spectrum. The vulnerability pertains to information disclosed when SQL Server Analysis Services improperly enforces permissions. An attacker could exploit the vulnerability if the attacker’s credentials allow access to an affected SQL Server database. Microsoft rates this vulnerability as Important.

Windows Search

Windows Search returns bearing a vulnerability that revolves around improper handling of memory objects. An attacker who successfully exploits this vulnerability could take control of the affected system. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could trigger the vulnerability by sending a malicious message over an SMB connection and then take control of a target computer. Microsoft rates this vulnerability as Critical.

NetBIOS

While Denial of Service is typically a lame form of vulnerability, being able to trigger one from a single malicious packet is worthy of attention. An attacker who successfully exploited this vulnerability could cause a target computer to become completely unresponsive. Microsoft rates this vulnerability as Important.

Windows CLFS

The Windows Common Log File System (CLFS) makes an unusual appearance, with a local vulnerability that allows for elevation of privilege. The vulnerability revolves around improper memory object handling, in which an attacker running a specially crafted application could elevate their privileges. Microsoft rates this vulnerability as Important.

JET DB Engine

The Microsoft JET Database Engine steps into the spotlight with a vulnerability that allows for remote code execution with elevated privilege. An attacker exploiting this vulnerability could take complete control of the target system. Exploitation requires that a user open a maliciously crafted database file while using an affected version of Windows. Microsoft rates this vulnerability as Critical.

Express Fonts

Express Compressed Fonts, otherwise known as embedded fonts, come bearing a vulnerability that could allow for remote code execution with privileges equal to those of the current user. An attacker has multiple potential vectors through which to exploit this vulnerability. They could lure a victim to a website that is hosting the maliciously crafted font, or share a file that uses the embedded font to trigger the vulnerability when the user attempts to view its contents. Microsoft rates this vulnerability as Important.

Volume Manager

Have you heard about the vulnerability in the volume manager? Perhaps you need to turn it up! The Volume Manager Extension Driver component improperly provides kernel information when leveraged by a malicious application. An attacker exploiting this vulnerability could gain information that would be useful in further compromising a system. Microsoft rates this noisy vulnerability as Important.

Error Reporting

Evidently, the line “I’d like to report an error in the error report” is not foreign to Microsoft’s ears. Windows Error Reporting (WER) bears a vulnerability that could allow a local attacker to gain elevated privileges on an affected system. To exploit the vulnerability, an attacker would need to run a specially crafted application that leverages the reporting system flaw. Microsoft rates this vulnerability as Important.