Microsoft Patch Tuesday – October 2017

BeyondTrust Research Team, October 10th, 2017

Welcome back to this month’s Patch Tuesday. This month brings fixes to the usual suspects and one interesting product whose flaw is trivially easy to exploit. Three critical Windows DNS client vulnerabilities were patched that allowed an attacker to send simple DNS queries carrying malicious code and gain arbitrary code execution. These vulnerabilities were privately disclosed and are not known to be exploited publicly. However, a vulnerability patched in Office was exploited in the wild.


This vulnerability is somewhat alarming, as an attacker would only need to be on the same local network or in a man-in-the-middle position to take over a Windows system acting as a DNS server. The vulnerability dates back to the introduction of DNSSEC support in Windows, starting with Windows 8, via the DNSAPI.dll library. NSEC3 resource records are parsed unsafely, which allows attackers to leverage the weakness and deliver their own malicious code with the DNS request. Microsoft rates this vulnerability as Critical and advises that all admins patch immediately.


Returning as a routine face for Patch Tuesday, the Kernel comes bearing vulnerabilities that could allow attackers to gain information about the system. These vulnerabilities revolve around how objects in Kernel memory are (mis)handled. An attacker would have to log onto the system, or first obtain code execution by other means (such as the DNS vulnerability above), and then run a specially crafted application to gain this information. The information could then be used to bypass Kernel Address Space Layout Randomization (ASLR). These vulnerabilities are rated as Important by Microsoft.


As usual, vulnerabilities triggered through malicious use of Microsoft Office rear their ugly heads. Attackers using maliciously crafted files would be able to obtain remote code execution if they lured a victim into opening the file. Always be sure to verify the identity of the sender of a file received via email to protect yourself from these kinds of attacks. One vulnerability (CVE-2017-11826) in Microsoft Word was exploited in the wild. Yang Kang, Ding Maoyin and Song Shenlei of Qihoo 360 Core Security reported this vulnerability to Microsoft. Microsoft rates this vulnerability as Important, but since it has been exploited in the wild it is important that all users patch as soon as possible.


A somewhat unfamiliar face on Patch Tuesday, Microsoft’s JET DB Engine contained two buffer overflows that could allow remote code execution on an affected system. These vulnerabilities have not been reported to be exploited in the wild. To exploit them, an attacker would have to get a victim to open or preview a maliciously crafted Excel file on an affected version of Windows. Microsoft rates these vulnerabilities as Important.


Graphics comes bearing two remote code execution vulnerabilities. These vulnerabilities stem from the handling of maliciously crafted embedded fonts. Attackers exploiting these vulnerabilities could then install programs, or view, change or delete data. These vulnerabilities have not been reported to be exploited in the wild. Microsoft rates these vulnerabilities as Critical and urges admins to patch as soon as possible.


Microsoft Server Message Block (SMB) has three vulnerability fixes this month. One of these vulnerabilities is in SMBv1, the same protocol version that WannaCry exploited. Microsoft states that these vulnerabilities have not been exploited in the wild, but that exploitation of the SMBv1 vulnerability is likely. To exploit the vulnerability, an attacker would only have to send a specially crafted packet to a targeted SMBv1 server. The other two vulnerabilities allow for Denial of Service and Information Disclosure to authenticated users. Microsoft rates these vulnerabilities as Important.


A vulnerability in Windows Shell that could be exploited via content viewed in Internet Explorer was patched. Microsoft has stated that while this vulnerability has not been exploited in the wild, exploitation is more likely than usual. This is likely due to the ease with which this exploit could be propagated. An attacker would have to host a malicious website, or upload malicious content to a website that accepts or hosts user-provided content, and then lure a victim to the website. The attacker would gain rights equal to those of the current user, meaning that when the victim is logged in as an administrator, the attacker would be able to take full control of the system. Microsoft rates this vulnerability as Critical.