Patch Tuesday May 2017

BeyondTrust Research Team
May 11th, 2017

Microsoft’s Patch Tuesday this May addresses 14 critical-rated and 41 important-rated vulnerabilities, bringing the overall count to 55. Of these, three were actively being exploited, involving Internet Explorer (CVE-2017-0222), Office (CVE-2017-0261), and Win32K (CVE-2017-0263), so it is especially important to ensure that these particular patches are applied.

Internet Explorer Memory Corruption Vulnerability

A vulnerability in Internet Explorer’s handling of objects in memory has been patched. Exploiting this vulnerability requires that an attacker lure a victim to a malicious website, or place a malicious ad on a legitimate website. The attacker would gain privileges equal to those of the browser, so it is again time to emphasize the importance of exercising the principles of least privilege. This vulnerability is actively being exploited in the wild, so users are advised to patch as soon as possible.

Microsoft Office Remote Code Execution Vulnerability

Once again we are reminded that malicious Microsoft Office files can be deadly. This month’s patch fixes a vulnerability in the EPS image file processing methods that allows for remote code execution on the victim’s system. The attacker only has privileges equal to those of the user who opened the malicious file; however, reports of this bug being exploited in the wild also describe it being combined with an escalation of privilege, affording the attacker complete control over the victim’s system. Since this vulnerability is actively being exploited in the wild, users are advised to patch as soon as possible.

Win32k Elevation of Privilege Vulnerability

The kernel-mode drivers for Windows have been patched for two vulnerabilities, one of which allows for elevation of privilege and has been coupled with remote attacks to afford attackers complete control over a victim’s system. However, since this vulnerability by itself only has a local attack vector, it is rated as important instead of critical. Since this vulnerability is actively being exploited in the wild, users are advised to patch as soon as possible.

Windows DNS Server Denial of Service Vulnerability

While not as glamorous as a vulnerability that takes complete control over a system, a Denial of Service vulnerability can be devastating if applied on the appropriate part of a network’s infrastructure. One such critical component is the DNS Server. Without the ability to resolve hostnames via DNS, networks would no longer be able to communicate and the potential business cost could be catastrophic. This vulnerability has not been reported to be exploited in the wild.

Windows Kernel Information Disclosure Vulnerability

The Windows Kernel makes its usual appearance on Patch Tuesday, as a vulnerability that allowed for attackers to gain sensitive information from memory contents has been patched. The vulnerability stems from how the Windows Kernel handles objects in memory. While benign on its own, this vulnerability would allow an attacker to gain information that could further compromise an affected system. This vulnerability has not been reported to be exploited in the wild.

Windows COM Elevation of Privilege Vulnerability

A vulnerability in the Windows COM Aggregate Marshaler that allowed local attackers to gain elevated privileges on the system was patched. The vulnerability by itself does not allow for code execution, but when used in conjunction with another remote vulnerability the attacker could execute code with higher privileges, as with other vulnerabilities that were being actively exploited and patched this month. This vulnerability has not been reported to be actively exploited in the wild.

Microsoft ActiveX

ActiveX is patched for one vulnerability which could lead to information disclosure, allowing an attacker to gain access to protected memory regions. To successfully exploit this, the attacker would need to convince a user to open a specially crafted document, which does limit the vulnerability’s overall exposure.

Windows Graphics Information Disclosure Vulnerability

As usual, Patch Tuesday is graced by the presence of Windows Graphics, as its vulnerabilities rear their ugly heads to the world. This vulnerability allowed attackers to gain information on the system from a mishandling of memory objects. By itself this vulnerability does not allow an attacker to execute arbitrary code, but could allow the attacker to do so if used in conjunction with another vulnerability that utilizes the information that was leaked. This vulnerability has not been reported to be actively exploited in the wild.

Windows SMB

SMB was hit hard this time around with 14 vulnerabilities being addressed, four of which are critical severity and ten important severity. The critical vulnerabilities stem from how SMB handles certain requests, which can allow an attacker to execute arbitrary code.

.NET Framework

.NET is back this month with a security feature bypass caused by certificates not being properly validated. In this case, an attacker could present a certificate marked as invalid for a specific use, yet the component will still utilize it for that purpose.

Adobe Flash Player

Last, but not least, Microsoft’s Flash update addresses seven vulnerabilities related to Adobe’s APSB17-15 advisory. Six vulnerabilities involve memory corruptions and the other is due to a use-after-free issue, all of which can allow an attacker to execute arbitrary code.
