3. Industry News
Vault 7 – The latest from Wikileaks https://www.ivanti.com/blog/vault-7-tracker/
9. CSWU-048: Cumulative update for Windows 10: March, 2017
Maximum Severity: Critical
Affected Products: Windows 10, IE, Edge
Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory: MS17-006, MS17-007, MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013, MS17-016, MS17-017, MS17-018, MS17-019, MS17-021, MS17-022, MS17-023
Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure
Fixes 132 vulnerabilities
Restart Required: Requires Restart
10. SB17-002, SB17-003, SB17-004: Security Only Quality Update: March, 2017
Maximum Severity: Critical
Affected Products: Windows 7, 8.1, Server 2008 R2, Server 2012, Server 2012 R2
Description: This security update resolves the following bulletins: MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013, MS17-016, MS17-017, MS17-018, MS17-019, MS17-021, MS17-022
Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure
Fixes 81 vulnerabilities
Restart Required: Requires Restart
11. CR17-002, CR17-003, CR17-004: Security Monthly Quality Rollup: March, 2017
Maximum Severity: Critical
Affected Products: Windows 7, 8.1, Server 2008 R2, Server 2012, Server 2012 R2
Description: This cumulative security update resolves the following bulletins: MS17-006, MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013, MS17-016, MS17-017, MS17-018, MS17-019, MS17-021, MS17-022
Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure
Fixes 81 vulnerabilities
Restart Required: Requires Restart
12. MS17-006: Cumulative Security Update for Internet Explorer (4013073)
Maximum Severity: Critical
Affected Products: Microsoft Windows, Microsoft Internet Explorer
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of
the vulnerabilities could allow remote code execution if a user views a specially crafted webpage
using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the
same user rights as the current user. If the current user is logged on with administrative user rights,
an attacker who successfully exploited this vulnerability could take control of an affected system. An
attacker could then install programs; view, change, or delete data; or create new accounts with full
user rights.
Impact: Remote Code Execution
Fixes 12 vulnerabilities: CVE-2017-0008 (Publicly Disclosed), CVE-2017-0009, CVE-2017-0012 (Publicly Disclosed), CVE-2017-0018, CVE-2017-0033 (Publicly Disclosed), CVE-2017-0037 (Publicly Disclosed), CVE-2017-0040, CVE-2017-0049, CVE-2017-0059, CVE-2017-0130, CVE-2017-0149 (Exploited), CVE-2017-0154 (Publicly Disclosed)
Restart Required: Requires Restart
13. MS17-007: Cumulative Security Update for Microsoft Edge (4013071)
Maximum Severity: Critical
Affected Products: Microsoft Windows, Microsoft Edge
Description: This security update resolves vulnerabilities in Microsoft Edge. These vulnerabilities
could allow remote code execution if a user views a specially crafted webpage using Microsoft
Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected
system. An attacker could then install programs; view, change, or delete data; or create new
accounts with full user rights.
Impact: Remote Code Execution
Fixes 32 vulnerabilities: CVE-2017-0009, CVE-2017-0010, CVE-2017-0011, CVE-2017-0012 (Publicly Disclosed), CVE-2017-0015, CVE-2017-0017, CVE-2017-0023, CVE-2017-0032, CVE-2017-0033 (Publicly Disclosed), CVE-2017-0034, CVE-2017-0035, CVE-2017-0037 (Publicly Disclosed), CVE-2017-0065 (Publicly Disclosed), CVE-2017-0066, CVE-2017-0067, CVE-2017-0068, CVE-2017-0069 (Publicly Disclosed), CVE-2017-0070, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0135, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0140, CVE-2017-0141, CVE-2017-0150, CVE-2017-0151
Restart Required: Requires Restart
14. MS17-008: Security Update for Windows Hyper-V (4013082)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe
of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest
operating system runs a specially crafted application that causes the Hyper-V host operating system
to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.
Impact: Remote Code Execution
Fixes 11 vulnerabilities: CVE-2017-0021, CVE-2017-0051, CVE-2017-0074, CVE-2017-0075, CVE-2017-0076, CVE-2017-0095, CVE-2017-0096, CVE-2017-0097 (Publicly Disclosed), CVE-2017-0098, CVE-2017-0099, CVE-2017-0109
Restart Required: Requires Restart
15. MS17-009: Security Update for Microsoft Windows PDF Library (4010319)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability
could allow remote code execution if a user views specially crafted PDF content online or opens a
specially crafted PDF document.
Impact: Remote Code Execution
Fixes 1 vulnerability: CVE-2017-0023
Restart Required: Requires Restart
16. MS17-010: Security Update for Microsoft Windows SMB Server (4013389)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe
of the vulnerabilities could allow remote code execution if an attacker sends specially crafted
messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Impact: Remote Code Execution
Fixes 6 vulnerabilities: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146,
CVE-2017-0147, CVE-2017-0148
Restart Required: Requires Restart
17. MS17-011: Security Update for Microsoft Uniscribe (4013076)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Windows Uniscribe. The most severe
of these vulnerabilities could allow remote code execution if a user visits a specially crafted website
or opens a specially crafted document. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 29 vulnerabilities: CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0085, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, CVE-2017-0090, CVE-2017-0091, CVE-2017-0092, CVE-2017-0111, CVE-2017-0112, CVE-2017-0113, CVE-2017-0114, CVE-2017-0115, CVE-2017-0116, CVE-2017-0117, CVE-2017-0118, CVE-2017-0119, CVE-2017-0120, CVE-2017-0121, CVE-2017-0122, CVE-2017-0123, CVE-2017-0124, CVE-2017-0125, CVE-2017-0126, CVE-2017-0127, CVE-2017-0128
Restart Required: Requires Restart
18. MS17-012: Security Update for Microsoft Windows (4013078)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe
of the vulnerabilities could allow remote code execution if an attacker runs a specially crafted
application that connects to an iSNS Server and then issues malicious requests to the server.
Impact: Remote Code Execution
Fixes 6 vulnerabilities: CVE-2017-0007, CVE-2017-0016, CVE-2017-0039, CVE-2017-0057,
CVE-2017-0100, CVE-2017-0104
Restart Required: Requires Restart
19. MS17-013: Security Update for Microsoft Graphics Component (4013075)
Maximum Severity: Critical
Affected Products: Microsoft Windows, Microsoft Office, Skype for Business,
Microsoft Lync, Microsoft Silverlight
Description: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office,
Skype for Business, Microsoft Lync, and Microsoft Silverlight. The most severe of these
vulnerabilities could allow remote code execution if a user either visits a specially crafted website or
opens a specially crafted document. Users whose accounts are configured to have fewer user rights
on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 12 vulnerabilities: CVE-2017-0001, CVE-2017-0005 (Exploited), CVE-2017-0014 (Publicly Disclosed), CVE-2017-0025, CVE-2017-0038, CVE-2017-0047, CVE-2017-0060, CVE-2017-0061, CVE-2017-0062, CVE-2017-0063, CVE-2017-0073, CVE-2017-0108
Restart Required: Requires Restart
20. MS17-014: Security Update for Microsoft Office (4013241)
Maximum Severity: Important
Affected Products: Microsoft Office, Microsoft Office Services and Web Apps,
Microsoft Server Software, Microsoft Communications Platforms and Software
Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of
the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft
Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the
context of the current user. Customers whose accounts are configured to have fewer user rights on
the system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 12 vulnerabilities: CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0027, CVE-2017-0029 (Publicly Disclosed), CVE-2017-0030, CVE-2017-0031, CVE-2017-0052, CVE-2017-0053, CVE-2017-0105, CVE-2017-0107, CVE-2017-0129
Restart Required: May Require Restart
21. MS17-017: Security Update for Windows Kernel (4013081)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The
vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.
Impact: Elevation of Privilege
Fixes 4 vulnerabilities: CVE-2017-0050 (Publicly Disclosed), CVE-2017-0101, CVE-2017-0102, CVE-2017-0103
Restart Required: Requires Restart
22. MS17-022: Security Update for Microsoft XML Core Services (4010321)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability
could allow information disclosure if a user visits a malicious website. However, in all cases an
attacker would have no way to force a user to click a specially crafted link. An attacker would have
to convince a user to click the link, typically by way of an enticement in an email or Instant
Messenger message.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2017-0022 (Exploited)
Restart Required: Requires Restart
23. MS17-023: Security Update for Adobe Flash Player (4014329)
Maximum Severity: Critical
Affected Products: Microsoft Windows, Adobe Flash Player
Description: This security update resolves vulnerabilities in Adobe Flash Player when installed
on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2,
Windows RT 8.1, Windows 10, and Windows Server 2016.
Impact: Remote Code Execution
Fixes 7 vulnerabilities: CVE-2017-2997, CVE-2017-2998, CVE-2017-2999, CVE-2017-3000,
CVE-2017-3001, CVE-2017-3002, CVE-2017-3003
Restart Required: Requires Restart
24. APSB17-07: Security Update for Adobe Flash Player (4014329)
Maximum Severity: Critical
Affected Products: Adobe Flash Player
Description: Adobe has released security updates for Adobe Flash Player for Windows,
Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could
potentially allow an attacker to take control of the affected system.
Impact: Remote Code Execution
Fixes 7 vulnerabilities: CVE-2017-2997, CVE-2017-2998, CVE-2017-2999, CVE-2017-3000,
CVE-2017-3001, CVE-2017-3002, CVE-2017-3003
Restart Required:
25. VMWW-004, VMWP-028: Security Update for VMware Workstation and Player (VMSA-2017-0005)
Maximum Severity: Critical
Affected Products: VMware Workstation Pro, VMware Player
Description: VMware Workstation and Fusion updates address a critical out-of-bounds memory access vulnerability.
Impact: Remote Code Execution
Fixes 1 vulnerability: CVE-2017-4901
Restart Required:
26. MS17-015: Security Update for Microsoft Exchange Server (4013242)
Maximum Severity: Important
Affected Products: Microsoft Exchange
Description: This security update resolves a vulnerability in Microsoft Exchange Outlook Web
Access (OWA). The vulnerability could allow remote code execution in Exchange Server if an
attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.
Impact: Remote Code Execution
Fixes 1 vulnerability: CVE-2017-0110
Restart Required: Requires Restart
27. MS17-016: Security Update for Windows IIS (4013074)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Internet Information
Services (IIS). The vulnerability could allow elevation of privilege if a user clicks a specially crafted
URL which is hosted by an affected Microsoft IIS server. An attacker who successfully exploited this
vulnerability could potentially execute scripts in the user’s browser to obtain information from web
sessions.
Impact: Remote Code Execution
Fixes 1 vulnerability: CVE-2017-0055
Restart Required: Requires Restart
28. MS17-018: Security Update for Windows Kernel-Mode Drivers (4013083)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The
vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs
a specially crafted application that could exploit the vulnerabilities and take control of an affected
system.
Impact: Elevation of Privilege
Fixes 8 vulnerabilities: CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078,
CVE-2017-0079, CVE-2017-0080, CVE-2017-0081, CVE-2017-0082
Restart Required: Requires Restart
29. MS17-019: Security Update for Active Directory Federation Services (4010320)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Active Directory Federation Services
(ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted
request to an ADFS server, allowing the attacker to read sensitive information about the target
system.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2017-0043
Restart Required: Requires Restart
30. MS17-020: Security Update for Windows DVD Maker (3208223)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves an information disclosure vulnerability in Windows
DVD Maker. The vulnerability could allow an attacker to obtain information to further compromise a
target system.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2017-0045
Restart Required: Requires Restart
31. MS17-021: Security Update for Windows DirectShow (4010318)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow an information disclosure if Windows DirectShow opens specially crafted media content that is hosted on a malicious website. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2017-0042
Restart Required: Requires Restart
32. APSB17-08: Security update available for Adobe Shockwave Player
Maximum Severity: Important
Affected Products: Adobe Shockwave Player
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability
could allow an information disclosure if Windows DirectShow opens specially crafted media content
that is hosted on a malicious website. An attacker who successfully exploited the vulnerability could
obtain information to further compromise a target system.
Impact: Escalation of Privilege
Fixes 1 vulnerability: CVE-2017-2983
Restart Required:
User Targeted – Privilege Management Mitigates
Multiple Microsoft Browser Information Disclosure Vulnerabilities (Publicly Disclosed CVE-2017-0008)
Multiple information disclosure vulnerabilities exist because of how the affected components handle objects in memory. An attacker who successfully exploited these vulnerabilities could obtain information to further compromise a target system.
In a web-based attack scenario an attacker could host a website in an attempt to exploit the vulnerabilities. Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit the vulnerabilities. However, in all cases an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site.
Multiple Microsoft Browser Memory Corruption Vulnerabilities (Publicly Disclosed CVE-2017-0037, Exploited CVE-2017-0149)
Multiple remote code execution vulnerabilities exist when affected Microsoft browsers improperly access objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through affected Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
Multiple Microsoft Browser Spoofing Vulnerabilities (Publicly Disclosed CVE-2017-0012, CVE-2017-0033)
Multiple spoofing vulnerabilities exist when a Microsoft browser does not properly parse HTTP responses. An attacker who successfully exploited these vulnerabilities could trick a user by redirecting them to a specially crafted website. The specially crafted website could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.
To exploit these vulnerabilities, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.
In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or Instant Messenger message, and then convince the user to interact with content on the website.
Internet Explorer Elevation of Privilege Vulnerability – Publicly Disclosed CVE-2017-0154
An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. The update addresses the vulnerability by helping to ensure that cross-domain policies are properly enforced in Internet Explorer.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Internet Explorer.
The vulnerability by itself does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Internet Explorer, but due to the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).
User Targeted – Privilege Management Mitigates
Multiple Microsoft Edge Information Disclosure Vulnerabilities – Publicly Disclosed CVE-2017-0065
Multiple information disclosure vulnerabilities exist in the way that the affected components handle objects in memory. An attacker who successfully exploited these vulnerabilities could obtain information to further compromise a target system.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerabilities. Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit these vulnerabilities. However, in all cases, an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site.
Multiple Microsoft Edge Spoofing Vulnerabilities – (Publicly Disclosed) CVE-2017-0012, CVE-2017-0033, CVE-2017-0069
Multiple spoofing vulnerabilities exist when a Microsoft browser does not properly parse HTTP responses. An attacker who successfully exploited these vulnerabilities could trick a user by redirecting them to a specially crafted website. The specially crafted website could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.
To exploit these vulnerabilities, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.
In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or Instant Messenger message, and then convince the user to interact with content on the website.
Microsoft Browser Memory Corruption Vulnerability – Publicly Disclosed CVE-2017-0037
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory that enables an attacker to execute arbitrary code in the context of the current user.
An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
In order to effect full code execution, an adversary would also need to combine this vulnerability with other exploits. An attacker who successfully combined multiple vulnerabilities to create an exploit chain could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Multiple Hyper-V Denial of Service Vulnerabilities – CVE-2017-0097
Multiple denial of service vulnerabilities exist when the Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit these vulnerabilities, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.
User Targeted – Privilege Management Mitigates
Microsoft PDF Memory Corruption Vulnerability – CVE-2017-0023
A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains malicious PDF content and then convince users to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.
Multiple Windows SMB Remote Code Execution Vulnerabilities
Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.
User Targeted
Multiple Windows Uniscribe Remote Code Execution Vulnerabilities
Multiple remote code execution vulnerabilities exist in Windows due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited these vulnerabilities could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit these vulnerabilities:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email.
In a file sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit these vulnerabilities and then convince a user to open the document file.
User Targeted
SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability – Publicly Disclosed CVE-2017-0016
A denial of service vulnerability exists in implementations of the Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client. The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.
To exploit the vulnerability, an attacker could use various methods such as redirectors, injected HTML header links, etc., which could cause the SMB client to connect to a malicious SMB server.
The security update addresses the vulnerability by correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
User Targeted
Multiple Windows GDI Elevation of Privilege Vulnerabilities – Exploited CVE-2017-0005
Elevation of privilege vulnerabilities exist in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit these vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit these vulnerabilities and take control of an affected system.
The update addresses these vulnerabilities by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
Multiple Graphics Component Remote Code Execution Vulnerabilities – Publicly Disclosed CVE-2017-0014
Remote code execution vulnerabilities exist due to the way the Windows Graphics Component handles objects in memory. An attacker who successfully exploited these vulnerabilities could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit these vulnerabilities.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit these vulnerabilities, and then convince a user to open the document file.
Note that for affected Microsoft Office products, the Preview Pane is an attack vector.
User Targeted – Privilege Management Mitigates Impact
Microsoft Office Denial of Service Vulnerability – Publicly Disclosed CVE-2017-0029
A denial of service vulnerability exists when a specially crafted file is opened in Microsoft Office. An attacker who successfully exploited the vulnerability could cause Office to stop responding. Note that the denial of service would not allow an attacker to execute code or to elevate the attacker's user rights.
For an attack to be successful, this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by convincing the user to open the file.
The security update addresses the vulnerability by correcting how Microsoft Office handles objects in memory.
Windows Kernel Elevation of Privilege Vulnerability – Publicly Disclosed CVE-2017-0050
An elevation of privilege vulnerability exists when the Windows Kernel API improperly enforces permissions. An attacker who successfully exploited the vulnerability could run processes in an elevated context.
To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
The security update addresses the vulnerability by correcting how the Windows Kernel API validates input.
User Targeted
Microsoft XML Core Services Information Disclosure Vulnerability – Exploited CVE-2017-0022
An information disclosure vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk.
To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website.
The update addresses the vulnerability by changing the way MSXML handles objects in memory.
User Targeted
Mitigating Factors
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a website that contains a webpage that is used to exploit any of these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Internet Explorer in the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list. This restriction requires an attacker to first compromise a website already listed on the CV list. An attacker could then host specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables scripts and ActiveX controls, helps reduce the risk of an attacker being able to use any of these vulnerabilities to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of any of these vulnerabilities through the web-based attack scenario.
By default, Internet Explorer on Windows Server 2012 and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode can help reduce the likelihood of the exploitation of these Adobe Flash Player vulnerabilities in Internet Explorer.
User Targeted
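Two of the mitigating factors above are defaults that an administrator can silently undo (IE Enhanced Security Configuration on Server 2012/2012 R2, and scripts and ActiveX being disabled in the Restricted sites zone that Outlook uses for HTML mail), so they are only mitigations on hosts where they are still in force. The PowerShell below is an added check, not part of this bulletin: it reads the documented registry locations for both settings and reports whether each is in its protective state. The "expected" values encoded in it (IsInstalled = 1 for IE ESC; zone actions 1200 and 1400 set to 3, meaning Disable) are assumptions that mirror the defaults the text describes; the function names are mine.

```powershell
# Added example (not from the bulletin): confirm on a host that the default
# configurations the mitigating factors rely on are still in place.
# Registry locations are the documented ones for IE ESC and for the Internet
# Explorer security zones; the expected values are assumptions mirroring the
# defaults described in the bulletin text.

function Get-IeEscState {
    # IE ESC is recorded per audience under Active Setup; IsInstalled = 1 means enabled.
    # The keys only exist on Server SKUs, so a client will report both as not enabled.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $ids  = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    foreach ($audience in $ids.Keys) {
        $value = Get-ItemProperty -Path (Join-Path $base $ids[$audience]) -Name IsInstalled -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check   = "IE ESC ($audience)"
            Enabled = ($null -ne $value -and $value.IsInstalled -eq 1)
        }
    }
}

function Get-RestrictedZoneState {
    # Zone 4 = Restricted sites. Action 1200 = Run ActiveX controls and plug-ins,
    # 1400 = Active scripting. Value 3 = Disable, 0 = Enable, 1 = Prompt.
    # This reads the per-user value; if zones are Group Policy managed, the same
    # value names live under Software\Policies\...\Internet Settings\Zones\4.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
    $actions = @{ '1200' = 'ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
    foreach ($action in $actions.GetEnumerator()) {
        $v = Get-ItemProperty -Path $zone -Name $action.Key -ErrorAction SilentlyContinue
        $raw = if ($null -ne $v) { $v.($action.Key) } else { $null }
        [pscustomobject]@{
            Check    = "Restricted sites: $($action.Value)"
            Disabled = ($raw -eq 3)
            RawValue = $raw
        }
    }
}

Get-IeEscState
Get-RestrictedZoneState
```

A row with Enabled or Disabled reporting False on a server that you were counting as "mitigated" means the factor does not apply to that host and the patch is the only control; run it under the account whose mail client you care about, since the zone values are per user.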
Microsoft Exchange Elevation of Privilege Vulnerability – CVE-2017-0110
An elevation of privilege vulnerability exists in the way that Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited this vulnerability could perform script or content injection attacks and attempt to trick the user into disclosing sensitive information.
An attacker could exploit the vulnerability by sending a specially crafted email, containing a malicious link, to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking on the malicious link.
The security update addresses the vulnerability by correcting how Microsoft Exchange validates web requests.
NOTE: For this vulnerability to be exploited, a user must click on a maliciously crafted link from an attacker.
User Targeted
Microsoft IIS Server XSS Elevation of Privilege Vulnerability – CVE-2017-0055
An elevation of privilege vulnerability exists when Microsoft IIS Server fails to properly sanitize a specially crafted request. An attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on behalf of the victim, and inject malicious content in the victim’s browser.
For this vulnerability to be exploited, a user must click a specially crafted URL.
In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user and by convincing the user to click on the specially crafted URL.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an instant messenger or email message that directs them to the affected website by way of a specially crafted URL.
Multiple Win32k Elevation of Privilege Vulnerabilities
Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit these vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
The update addresses these vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
Microsoft Active Directory Federation Services Information Disclosure Vulnerability – CVE-2017-0043
An information disclosure vulnerability exists when Windows Active Directory Federation Services (ADFS) honors XML External Entities. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system.
To exploit this condition, an authenticated attacker would need to send a specially crafted request to the ADFS service. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system. The update addresses the vulnerability by causing ADFS to ignore these malicious entities.
User Targeted
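"Honors XML External Entities" is the whole defect: a DTD in an attacker-supplied request declares an entity whose SYSTEM identifier is a local file (or a URL), and a parser that resolves it copies that content into the document the service then processes or reflects. The PowerShell below is an added example, not Microsoft's or the bulletin's code: it reproduces the pattern with the .NET System.Xml reader a Windows service would use, once with DTD processing and a URL resolver enabled (the insecure configuration) and once with DTDs prohibited and no resolver (the hardened one), against a constructed SAML-shaped payload and a throw-away "secret" file in $env:TEMP. The file, the payload and the function name are assumptions made for the demo; nothing here touches ADFS itself.

```powershell
# Added example (not Microsoft's or the bulletin's code): the XXE defect class the
# ADFS description refers to, reproduced with the .NET System.Xml reader, once in
# an insecure and once in a hardened configuration. The "secret" file and the
# SAML-shaped payload are constructed for the demo.

$secretPath = Join-Path $env:TEMP 'xxe-demo-secret.txt'
Set-Content -Path $secretPath -Value 'db-password=hunter2' -NoNewline
$secretUri  = ([System.Uri]$secretPath).AbsoluteUri    # file:///C:/.../xxe-demo-secret.txt

# Attacker-controlled request body: an external general entity pointing at a
# local file, referenced from an element the service will read.
$payload = @"
<?xml version="1.0"?>
<!DOCTYPE Assertion [
  <!ENTITY xxe SYSTEM "$secretUri">
]>
<Assertion><Subject>&xxe;</Subject></Assertion>
"@

function Read-SubjectText {
    # Parse $Xml with $Settings and return the concatenated text nodes, or the
    # parser's rejection message when the configuration refuses the input.
    param([string]$Xml, [System.Xml.XmlReaderSettings]$Settings)
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xml), $Settings)
    try {
        $text = ''
        while ($reader.Read()) {
            if ($reader.NodeType -eq [System.Xml.XmlNodeType]::Text) { $text += $reader.Value }
        }
        return $text
    } catch {
        return "REJECTED: $($_.Exception.Message)"
    } finally {
        $reader.Close()
    }
}

# Insecure: the DTD is parsed and a URL resolver is available, so the entity
# reference is expanded by fetching whatever file:// or http:// target it names.
$insecure = New-Object System.Xml.XmlReaderSettings
$insecure.DtdProcessing = [System.Xml.DtdProcessing]::Parse
$insecure.XmlResolver   = New-Object System.Xml.XmlUrlResolver

# Hardened: reject any DOCTYPE, so no entity can be declared at all, and leave
# the reader with no resolver as defence in depth should a DTD ever be allowed.
$hardened = New-Object System.Xml.XmlReaderSettings
$hardened.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$hardened.XmlResolver   = $null

try {
    "Insecure reader returned: $(Read-SubjectText $payload $insecure)"   # the file's contents
    "Hardened reader returned: $(Read-SubjectText $payload $hardened)"   # REJECTED: ... DTD is prohibited ...
} finally {
    Remove-Item $secretPath -ErrorAction SilentlyContinue
}
```

The two settings are the ones to audit in any in-house .NET code that parses federation, SOAP or SAML messages: DtdProcessing anything other than Prohibit (or the older ProhibitDtd = false) combined with a non-null XmlResolver is the vulnerable combination, and an authenticated caller is all the bulletin requires to reach it.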
Windows DVD Maker Cross-Site Request Forgery Vulnerability – CVE-2017-0045
An information disclosure vulnerability exists in Windows when Windows DVD Maker fails to properly parse a specially crafted .msdvd file. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system.
To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application.
The security update addresses the vulnerability by correcting how Windows DVD Maker parses files.
User Targeted
Windows DirectShow Information Disclosure Vulnerability – CVE-2017-0042
An information disclosure vulnerability exists when Windows DirectShow handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system.
In a web-based attack scenario, an attacker could host a website used to attempt to exploit the vulnerability. Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit the vulnerability. However, in all cases, an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site.
The security update addresses the vulnerability by correcting how Windows DirectShow handles objects in memory.
User Targeted
Sign up for Content Announcements:
Email http://www.shavlik.com/support/xmlsubscribe/
RSS http://protect7.shavlik.com/feed/
Twitter @ShavlikXML
Follow us on:
Shavlik on LinkedIn
Twitter @ShavlikProtect
Shavlik blog -> www.shavlik.com/blog
Chris Goettl on LinkedIn
Twitter @ChrisGoettl
Sign up for webinars or download presentations and watch playbacks:
http://www.shavlik.com/webinars/