Patch Tuesday March 2017

BeyondTrust Research Team, March 16th, 2017

Patch Tuesday

Patch Tuesday is back with a vengeance this month, clocking in with 18 bulletins in total, 8 of them rated as critical. Notable bulletins include a fix for Windows’ GDI library, which was initially patched back in June of last year; that fix was incomplete and the issue is now supposedly addressed. Additionally, and to no one’s surprise really, IE and Edge receive hefty patches addressing 12 and 32 vulnerabilities, respectively. This is one patch cycle you won’t want to miss!

MS17-006: Cumulative Security Update for Internet Explorer (4013073)

After stocking up vulnerabilities for one month longer than usual in Internet Explorer, Microsoft has released a critical update to fix numerous security issues. Many of the vulnerabilities, CVE-2017-0008, CVE-2017-0037, CVE-2017-0012, CVE-2017-0033, and CVE-2017-0154, were publicly disclosed prior to this patch. The good news is, now with this patch you can protect your systems from these vulnerabilities. Most of these vulnerabilities would require the victim to be tricked into viewing malicious content. The security update addresses the vulnerabilities by correcting how the affected components handle objects in memory.

MS17-007: Cumulative Security Update for Microsoft Edge (4013071)

Edge has returned with critical remote code execution vulnerabilities to be patched. The most critical vulnerabilities stem from the scripting engine’s memory handling. By viewing maliciously crafted content, Edge can be made to execute code with privileges equal to those of the current user. This is another reminder to exercise the principle of least privilege.

MS17-008: Security Update for Windows Hyper-V (4013082)

Windows Hyper-V makes an unusual appearance on Patch Tuesday. Windows Hyper-V is the virtualization technology used by Windows to create and run virtual machines. An attacker on a guest operating system could cause code execution on the host system by running a specially crafted application. This security update adds additional validation of the guest operating system’s user input, protecting the host from a malicious guest. One of these vulnerabilities, CVE-2017-0097, which leads to a denial of service on the host, was publicly disclosed prior to this patch.

MS17-009: Security Update for Microsoft Windows PDF Library (4010319)

Microsoft Windows PDF Library was found to have a critical memory corruption vulnerability. When leveraged to view malicious PDF content, an attacker could execute arbitrary code on the system with the context of the current user. Only Windows 10 systems with Microsoft Edge set as the default browser could be compromised simply by viewing the website. If Edge was not the victim’s default web browser they would have to be socially engineered into viewing the content specifically with Edge to leverage the appropriate PDF Library.

MS17-010: Security Update for Windows SMB Server (4013389)

Windows SMB Server comes loaded with critical vulnerabilities this Patch Tuesday. Most of the vulnerabilities allow for remote code execution, and one allows for information disclosure. None of these vulnerabilities were publicly disclosed prior to release of this patch. To exploit these vulnerabilities an attacker could send a specially crafted packet to a targeted SMBv1 server on a connected network. This patch corrects how the SMBv1 server handles these packets.
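The MS17-010 summary above leaves the practical question of how to tell whether a given host is still exposed: whether the bulletin's update is present and, independently of that, whether the SMBv1 server protocol is even enabled. The following PowerShell function is an added example, not code from the BeyondTrust post or from Microsoft. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later (where `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` exist), and it uses the KB article id 4013389 from the bulletin as the hotfix id to look for; on hosts where the fix arrived inside a monthly rollup or cumulative update the installed KB id differs, so the function treats an absent hotfix as "verify manually" rather than "unpatched".

```powershell
# Added example (not from the BeyondTrust post): defender-side exposure check for MS17-010.
# Assumptions: elevated PowerShell on Windows 8.1/Server 2012 R2 or later; the KB id below is
# the bulletin's article id and may not match the rollup that actually delivered the fix.

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB4013389'   # KB article id from the MS17-010 bulletin
    )

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        HotfixPresent  = $false
        Smb1Enabled    = $null
        Smb1Feature    = $null
        Recommendation = ''
    }

    # 1. Is the bulletin's KB listed among installed hotfixes? Get-HotFix returns nothing
    #    (no error) when the id is not installed, so cast the result to a boolean.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $result.HotfixPresent = [bool]$hotfix

    # 2. Is the SMBv1 server protocol enabled? EnableSMB1Protocol is the relevant property.
    $smbConfig = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smbConfig) {
        $result.Smb1Enabled = $smbConfig.EnableSMB1Protocol
    }

    # 3. Is the SMB1Protocol optional feature installed at all (client SKUs)?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $result.Smb1Feature = $feature.State
    }

    # 4. Turn the observations into a recommendation. SMBv1 being off closes the attack
    #    surface the bulletin describes, whatever the patch state.
    if ($result.Smb1Enabled -eq $false -or $result.Smb1Feature -eq 'Disabled') {
        $result.Recommendation = 'SMBv1 is off; the MS17-010 attack surface is closed regardless of patch state.'
    }
    elseif ($result.HotfixPresent) {
        $result.Recommendation = 'KB present, but SMBv1 is still enabled; disable it unless a legacy client needs it.'
    }
    else {
        $result.Recommendation = 'SMBv1 enabled and KB not found: confirm patch state from update history and prioritise remediation.'
    }

    [pscustomobject]$result
}

# To turn the SMBv1 server off on a host where no legacy clients depend on it:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Test-Ms17010Exposure | Format-List
```

The function reports the three facts separately rather than collapsing them into a single pass/fail, because the defensive action differs: a host with SMBv1 disabled needs nothing further for this bulletin, while a patched host with SMBv1 still on remains a candidate for disabling the protocol.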

MS17-011: Security Update for Microsoft Uniscribe (4013076)

Microsoft Uniscribe comes to Patch Tuesday teeming with vulnerabilities. An attacker can remotely execute arbitrary code and obtain information on the target system. Despite the 30 CVEs associated with this patch, none of these vulnerabilities were disclosed publicly prior to the patch. Most of these vulnerabilities are resolved by changing how Uniscribe handles objects in memory. Accounts with fewer user rights are less affected by these vulnerabilities, providing a strong reminder to exercise the principle of least privilege whenever possible.

MS17-012: Security Update for Microsoft Windows (4013078)

It wouldn’t be Patch Tuesday without patches for Windows itself. Multiple vulnerabilities were discovered, the most severe of which could allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server. Fortunately, that flaw was not publicly disclosed prior to this patch. However, CVE-2017-0016, which leads to a denial of service, was publicly disclosed prior to this patch.

MS17-013: Security Update for Microsoft Graphics Component (4013075)

Making its usual appearance, Microsoft Graphics Component comes with a host of vulnerabilities to be patched. The most severe of these vulnerabilities could lead to remote code execution. Local attackers can also escalate their privileges, and attackers can discover information on the target system. One of these vulnerabilities, CVE-2017-0005, was not publicly disclosed but was exploited in the wild. That exploit allowed for privilege escalation of local users.

MS17-014: Security Update for Microsoft Office (4013241)

As usual, Microsoft Office has numerous routine fixes this month. The most severe of the vulnerabilities patched could allow remote code execution. Of the vulnerabilities that were patched, only one Denial of Service vulnerability was publicly disclosed prior to patching. Microsoft typically does not patch Denial of Service in Office, since it translates to a benign application crash. Does this mean that more security researchers will post their Denial of Service proof of concept files publicly to gain notoriety? Only time will tell.

MS17-015: Security Update for Microsoft Exchange Server (4013242)

This month we see a flaw in Microsoft Exchange Outlook Web Access. Exchange fails to properly handle specially crafted web requests, which could lead to an attacker acquiring sensitive information. An attacker could send a user an email containing either a malicious link or a malicious attachment. This vulnerability does require the user to click the link or attachment. As we have observed over the past year, these types of phishing attacks have proven to be very successful.

MS17-016: Security Update for Windows IIS (4013074)

Microsoft IIS server has one vulnerability patched this month. It has been found that IIS server fails to properly sanitize a specially crafted request. In this situation, an attacker would use a cross-site scripting attack to run a script in the context of the current user. This could lead to an attacker reading sensitive data, performing actions on behalf of the victim, and injecting malicious content.

MS17-017: Security Update for Windows Kernel (4013081)

Microsoft has cleaned up a handful of vulnerabilities in the Windows Kernel. There are four vulnerabilities discovered in total this month. Attackers who successfully exploit these could gain elevated privileges or run processes in an elevated context. Correcting how the kernel validates API input and buffer lengths addressed two of the vulnerabilities. The other two were cleaned up by correcting issues with how the Kernel API and the Transaction Manager handle objects in memory.

MS17-018: Security Update for Windows Kernel-Mode Drivers (4013083)

Vulnerabilities in Windows Kernel-Mode Drivers are always a serious issue. This month we’ve seen a particularly dangerous vulnerability pop up that could lead to an attacker taking control of the affected system. An attacker could run a specially crafted application that exploits how the kernel-mode driver handles objects in memory. An attacker who runs arbitrary code could install programs or even delete data. Microsoft again solved this by correcting the flaw in how objects are handled in memory.

MS17-019: Security Update for Active Directory Federation Services (4010320)

It is always a good sign to see Active Directory being tested for vulnerabilities. Many of us rely on Active Directory to administer most of our networks. This month, Microsoft has fixed an information disclosure vulnerability in Active Directory Federation Services. An attacker could send a fake request to an ADFS server and get sensitive information in return. Microsoft added an additional verification check to solve this issue.

MS17-020: Security Update for Windows DVD Maker (3208223)

Windows DVD Maker enters the scene with a cross-site request forgery vulnerability. This is a good sign, since it shows that security is being looked at across all Microsoft products. This vulnerability was not previously published or exploited. DVD Maker fails to properly handle .msdvd files, which allows attackers to obtain information that can be used to compromise the system further.

MS17-021: Security Update for Windows DirectShow (4010318)

DirectShow has an information disclosure vulnerability in the way it handles objects in memory. This application has been known for remote code execution in the past but looks to be sealing up some flaws. This one was not publicly disclosed or exploited in the wild. An attacker who exploited this could gain information to further compromise the system.

MS17-022: Security Update for Microsoft XML Core Services (4010321)

Microsoft XML Core Services was found to have information disclosure vulnerabilities. Microsoft addressed these by altering how MSXML handles objects in memory. This is exploited by luring a user to a compromised website, which would then allow an attacker to query whether particular files exist on the system. This has been exploited in the wild but was not publicly disclosed prior to patching.

MS17-023: Security Update for Adobe Flash Player (4014329)

Adobe released their monthly patch to address seven vulnerabilities, six of which lead to remote code execution. We see recurring ways in which Flash is being exploited: buffer overflows, memory corruption, and use-after-free bugs. It’s scary to think that a machine which is out of date by only a month would be so full of holes, but then again, it’s Flash we’re talking about here.