Today’s VERT Alert addresses the Microsoft May 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-724 on Wednesday, May 10th.
In-The-Wild & Disclosed CVEs
CVE-2017-0290
Also known as Microsoft Security Advisory 4022344, this is a remote code execution vulnerability in the Microsoft Malware Protection Engine that is triggered when the engine scans a specially crafted file. Successful exploitation leads to code execution in the context of the LocalSystem account, so a single malicious file that lands anywhere the engine scans (mail, downloads, file shares) is enough to fully compromise the host. While the MSRC Security Guidance for this vulnerability says that it has not been publicly disclosed or exploited, technical details, including a proof of concept, can be found in the Google Project Zero bug tracker. Note that engine updates are delivered through the normal definition update channel rather than the monthly Windows Update cycle, so confirm the engine version on hosts that have definition updates delayed or disabled. Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
CVE-2017-0064
This vulnerability, which has been publicly disclosed, allows content loaded in Internet Explorer to bypass the Mixed Content warnings that alert users when insecure (HTTP) content is loaded into a secure (HTTPS) page. Internet Explorer versions 9, 10, and 11 are affected. Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
CVE-2017-0222
The second Internet Explorer vulnerability in the list today, this one has not been publicly disclosed but is reported as actively exploited. Successful exploitation can lead to code execution in the context of the current user. Internet Explorer versions 10 and 11 are affected. Microsoft has rated this as a 0 on the Exploitability Index (Exploitation Detected).
CVE-2017-0241
After two Internet Explorer vulnerabilities, it makes sense to see Edge in the list as well. This vulnerability allows domain-less pages to load in the Intranet Zone, giving them access to functionality that is normally restricted for pages in the Internet Zone. Microsoft's Exploitability Assessment is interesting for this vulnerability: exploitation has been detected, but the entry is labeled only as Publicly Disclosed, not as Exploited. Microsoft has rated this as a 0 on the Exploitability Index (Exploitation Detected).
CVE-2017-0261
A Microsoft Office vulnerability tied to parsing malformed EPS files is up next on this list; a crafted document containing such an image allows attackers to take control of the affected system. Microsoft Office 2010, 2013, and 2016 are affected, with exploitation already detected against older software releases. Microsoft has rated this as a 1 (Exploitation More Likely) for the Latest Software Release and a 0 (Exploitation Detected) for Older Software Releases on the Exploitability Index.
CVE-2017-0263
The final vulnerability in this list today is a Windows Win32k kernel-mode driver vulnerability that gives a local attacker the ability to run code in kernel mode if successfully exploited, which is the kind of privilege escalation typically chained with a browser or Office exploit such as the ones above. All operating systems since Windows 7 are included in the affected products list. Microsoft has rated this as a 1 (Exploitation More Likely) for the Latest Software Release and a 0 (Exploitation Detected) for Older Software Releases on the Exploitability Index.
FYI Vulnerabilities
While many of the issues fixed today are the same as we saw in the pre-Security Guidance world, there are a few that are worth highlighting.
DNS
The first issue worth calling out is a denial of service vulnerability in the Microsoft DNS Server (CVE-2017-0171). If the server is configured to respond to version queries and receives a malicious version query, the DNS Server becomes unresponsive. If you have Microsoft DNS Servers exposed to the Internet, keep an eye on them until patches can be applied, and consider disabling version query responses in the meantime. All server versions since Server 2008 are impacted.
SMB
A large number of SMB vulnerabilities are patched with this month's release. While many of these are information disclosure and denial of service issues, four could result in remote code execution. These RCE vulnerabilities are in Microsoft SMBv1 and impact all supported versions of Windows. The RCE list includes CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, and CVE-2017-0279. Microsoft has classified all of these as Exploitation Less Likely (Exploitability Index value: 2).
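Both of the FYI items above have a configuration-level precondition: the DNS issue only matters on servers that answer version queries, and the four RCEs only matter where the SMBv1 server component is still enabled. The following script is an added example, not code from the original alert or from Tripwire. It audits both settings on the local Windows Server and, with -Remediate, turns them off while patches are pending. It assumes an elevated PowerShell session on Windows Server 2008 R2 or later, that dnscmd.exe is present when the DNS Server role is installed, and that the SmbShare cmdlets exist on Server 2012 and later (the LanmanServer registry value is used as a fallback for older hosts). The dnscmd output format matched by the regex is as observed on Server 2012 R2; adjust it if your build prints differently.

```powershell
<#
Added example (not from the original VERT Alert). Audits, and optionally hardens,
the two services called out above:
  - DNS: does the server answer version queries? (precondition for CVE-2017-0171)
  - SMB: is the SMBv1 server component enabled? (surface for CVE-2017-0272/0277/0278/0279)
Run elevated. Disabling SMBv1 breaks clients that cannot speak SMBv2 or later
(Windows XP, old NAS firmware, some printers), so test before rolling out widely.
#>
[CmdletBinding()]
param([switch]$Remediate)

function Get-DnsVersionQuerySetting {
    # dnscmd /Info prints the effective value as "Dword:  N  (0000000N)".
    # Returns $null when the DNS Server role (and dnscmd.exe) is not installed.
    if (-not (Get-Command dnscmd.exe -ErrorAction SilentlyContinue)) { return $null }
    $out = & dnscmd.exe /Info /EnableVersionQuery 2>&1 | Out-String
    if ($out -match 'Dword:\s+(\d+)') { return [int]$Matches[1] }
    return $null
}

function Get-Smb1ServerEnabled {
    # Prefer the SmbShare module (Server 2012+). On older hosts read the
    # LanmanServer registry value; a missing 'SMB1' value means enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return $true }
    return ($v -ne 0)
}

$findings = @()

# --- DNS (CVE-2017-0171) ---
$dnsSetting = Get-DnsVersionQuerySetting
if ($null -eq $dnsSetting) {
    Write-Verbose 'DNS Server role not installed; skipping CVE-2017-0171 check.'
} elseif ($dnsSetting -ne 0) {
    $findings += "DNS answers version queries (EnableVersionQuery=$dnsSetting); CVE-2017-0171 reachable until patched"
    if ($Remediate) {
        # 0 disables version-query responses; 1 and 2 return increasing version detail.
        & dnscmd.exe /Config /EnableVersionQuery 0 | Out-Null
    }
}
# The same condition can be confirmed from another host, which is the view an
# Internet-facing attacker has:
#   nslookup -class=chaos -type=txt version.bind <dns-server>

# --- SMBv1 (CVE-2017-0272, -0277, -0278, -0279) ---
if (Get-Smb1ServerEnabled) {
    $findings += 'SMBv1 server is enabled; SMBv1 RCE surface present until patched'
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Server 2008 R2: registry only; takes effect after the Server service restarts.
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: version queries disabled (or no DNS role) and SMBv1 server off.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) { Write-Output 'Mitigations applied; the May updates are still required.' }
}
```

Run it once without -Remediate to see what would change; the mitigations reduce exposure but do not replace the patches, since the information disclosure and denial of service SMB issues in the same release are not all confined to SMBv1.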
Other Information
In addition to the Microsoft vulnerabilities included in the May Security Guidance, a security advisory was also published. In April, Microsoft used Advisory IDs that looked like CVEs, which created some confusion; that format is gone this month, replaced by the format ADVYY####. The advisories from last month have received new Advisory IDs that match this updated format.
ADV170006
This month’s advisory is the Microsoft representation of the Adobe Flash Bulletin (APSB17-15). It contains fixes for the following vulnerabilities: CVE-2017-3068, CVE-2017-3069, CVE-2017-3070, CVE-2017-3071, CVE-2017-3072, CVE-2017-3073, and CVE-2017-3074.