ID: CVE-2017-11769 | Type: cve | Reporter: cve@mitre.org | Modified: 2019-10-03T00:03:00
Description
The Microsoft Windows TRIE component on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability in the way it handles loading dll files, aka "TRIE Remote Code Execution Vulnerability".
{"symantec": [{"lastseen": "2018-03-13T22:14:27", "bulletinFamily": "software", "cvelist": ["CVE-2017-11769"], "description": "### Description\n\nMicrosoft Windows is prone to multiple local privilege-escalation vulnerabilities. An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2017-10-10T00:00:00", "published": "2017-10-10T00:00:00", "id": "SMNTC-101112", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101112", "type": "symantec", "title": "Microsoft Windows DLL Loading CVE-2017-11769 Multiple Local Privilege Escalation Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:52", "bulletinFamily": "info", "cvelist": ["CVE-2017-11769", "CVE-2017-11779", "CVE-2017-8703", "CVE-2017-11776", "CVE-2017-11777", "CVE-2017-11826"], "description": "[](<https://1.bp.blogspot.com/-E4takzJjKk8/Wd3UFwfKMwI/AAAAAAAAuVU/uPeiwXfdpcQIBJUClruJP7W1tKclI0aJgCLcBGAs/s1600/Microsof-Security-Patches.png>)\n\nAs part of its \"October Patch Tuesday,\" Microsoft has today [released](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>) a large batch of security updates to patch a total of 62 vulnerabilities in its products, including a severe MS office zero-day flaw that has been exploited in the wild. \n \nSecurity updates also include patches for Microsoft Windows operating systems, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync and Microsoft SharePoint Server. \n \nBesides the MS Office vulnerability, the company has also addressed two other publicly disclosed (but not yet targeted in the wild) vulnerabilities that affect the SharePoint Server and the Windows Subsystem for Linux. \n \nOctober patch Tuesday also fixes a critical Windows DNS vulnerability that could be exploited by a malicious DNS server to execute arbitrary code on the targeted system. Below you can find a brief technical explanation of all above mentioned critical and important vulnerabilities. 
\n\n\n### \nMicrosoft Office Memory Corruption Vulnerability (CVE-2017-11826)\n\n \nThis vulnerability, classified by Microsoft as \"important,\" is caused by a memory corruption issue. It affects all supported versions of MS Office and has been actively exploited by the attackers in targeted attacks. \n \nAn attacker could exploit this vulnerability either by sending a specially crafted Microsoft Office file to the victims and convincing them to open it, or hosting a site containing specially crafted files and tricking victims into visiting it. \n \nOnce opened, the malicious code within the booby-trapped Office file will execute with the same rights as the logged-in user. So, users with least privilege on their systems are less impacted than those having higher admin rights. \n \nThe vulnerability was [reported](<https://360coresec.blogspot.in/2017/10/new-office-0day-cve-2017-11826.html>) to Microsoft by security researchers at China-based security firm Qihoo 360 Core Security, who initially detected an in-the-wild cyber attack which involved malicious RTF files and leveraged this vulnerability on September 28. \n \n\n\n### Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)\n\n \nAmong other critical vulnerabilities patched by Microsoft is a critical remote code execution flaw in the Windows DNS client that affects computers running Windows 8.1 and Windows 10, and Windows Server 2012 through 2016. \n \nThe vulnerability can be triggered by a malicious DNS response, allowing an attacker to gain arbitrary code execution on Windows clients or Windows Server installations in the context of the software application that made the DNS request. \n \nNick Freeman, a security researcher from security firm Bishop Fox, discovered the vulnerability and demonstrated how an attacker connected to a public Wi-Fi network could run malicious code on a victim's machine, escalate privileges and take full control over the target computer or server. 
\n\n\n> \"This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) \u2013 they can gain access to your system,\" the researcher explains.\n\n> \"This doesn\u2019t only affect web browsers \u2013 your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.\"\n\nFor full technical details, you can watch the video demonstration by Bishop Fox\u2019s Dan Petro and head on to Bishop Fox\u2019s [blog post](<https://www.bishopfox.com/blog/2017/10/a-bug-has-no-name-multiple-heap-buffer-overflows-in-the-windows-dns-client/>). \n\n\n### \nWindows Subsystem for Linux Denial of Service Vulnerability (CVE-2017-8703)\n\n \nThis denial of service (DoS) issue is yet another noteworthy vulnerability which resides in Windows Subsystem for Linux. \n \nThe vulnerability, classified by Microsoft as \"important,\" was previously publicly disclosed, but wasn't found actively exploited in the wild. \n \nThe vulnerability could allow an attacker to execute a malicious application to affect an object in the memory, which eventually allows that the application to crash the target system and made it unresponsive. \n\n\n> The only affected Microsoft product by this vulnerability is Windows 10 (Version 1703). \"The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory,\" Microsoft said in its advisory.\n\n \n\n\n### Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)\n\n \nAnother previously disclosed but not yet under attack vulnerability is a cross-site scripting (XSS) flaw in Microsoft SharePoint Server that affects SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016. \n \nThe vulnerability, also classified by Microsoft as \"important,\" can be exploited by sending a maliciously crafted request to an affected SharePoint server. 
\n \nSuccessful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute malicious script in the same security context as the current user. \n\n\n> \"The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user,\" Microsoft explains.\n\nBesides these, the company has patched a total of 19 vulnerabilities in the scripting engine in Edge and Internet Explorer that could allow web pages to achieve remote-code execution, with the logged-in user's permissions, via memory corruption flaws. \n \nJust opening a web page could potentially land you in trouble by executing malware, spyware, ransomware, and other nasty software on the vulnerable computer. \n \n\n\n### More RCE And Other Vulnerabilities\n\n \nRedmond also patched two vulnerabilities in the Windows font library that can allow a web page or document to execute malicious code on a vulnerable machine and hijack it on opening a file with a specially crafted embedded font or visiting a website hosting the malicious file. \n \nThe update also includes fixes for a bug in Windows TRIE (CVE-2017-11769) that allows DLL files to achieve remote code execution, and a programming error (CVE-2017-11776) in Outlook that leaves its emails open to snooping over supposedly secure connections. \n \nOther issues patched this month include two remote code execution flaws in the Windows Shell and a remote code execution bug in Windows Search. \n \nMicrosoft also published an [advisory warning](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012>) users of a security feature bypass issue affecting the firmware of Infineon Trusted Platform Modules (TPMs). 
\n \nSurprisingly, Adobe Flash does not include any security patches. Meanwhile, Adobe has skipped October's Patch Tuesday altogether. \n \nUsers are strongly advised to apply October security patches as soon as possible in order to keep hackers and cybercriminals away from taking control over their computers. \n \nFor installing security updates, simply head on to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or you can install the updates manually.\n", "modified": "2017-10-11T09:13:54", "published": "2017-10-10T22:06:00", "id": "THN:362907387C0F8EBF7559F06EA602D348", "href": "https://thehackernews.com/2017/10/microsoft-security-patches.html", "type": "thn", "title": "Microsoft Issues Patches For Severe Flaws, Including Office Zero-Day & DNS Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2020-09-02T11:48:13", "bulletinFamily": "info", "cvelist": ["CVE-2017-8715", "CVE-2017-11772", "CVE-2017-11765", "CVE-2017-11782", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11784", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-8703", "CVE-2017-11815", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11816"], "description": "### *Detect date*:\n10/10/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, cause denial of service, gain privileges, bypass security restrictions.\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows RT 8.1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1703 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-11762](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11762>) \n[CVE-2017-11763](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11763>) 
\n[CVE-2017-11765](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11765>) \n[CVE-2017-11769](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11769>) \n[CVE-2017-11771](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11771>) \n[CVE-2017-11772](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11772>) \n[CVE-2017-11779](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11779>) \n[CVE-2017-11780](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11780>) \n[CVE-2017-11781](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11781>) \n[CVE-2017-11782](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11782>) \n[CVE-2017-11783](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11783>) \n[CVE-2017-11784](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11784>) \n[CVE-2017-11785](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11785>) \n[CVE-2017-11814](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11814>) \n[CVE-2017-11815](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11815>) \n[CVE-2017-11816](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11816>) \n[CVE-2017-11817](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11817>) \n[CVE-2017-11818](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11818>) \n[CVE-2017-11823](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11823>) \n[CVE-2017-11824](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11824>) \n[CVE-2017-11829](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-11829>) 
\n[CVE-2017-8689](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8689>) \n[CVE-2017-8693](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8693>) \n[CVE-2017-8694](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8694>) \n[CVE-2017-8703](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8703>) \n[CVE-2017-8715](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8715>) \n[CVE-2017-8717](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8717>) \n[CVE-2017-8718](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8718>) \n[CVE-2017-8727](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8727>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2017-11762](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11762>)0.0Unknown \n[CVE-2017-11763](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11763>)0.0Unknown \n[CVE-2017-11765](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11765>)0.0Unknown \n[CVE-2017-11769](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11769>)0.0Unknown \n[CVE-2017-11771](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11771>)0.0Unknown \n[CVE-2017-11772](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11772>)0.0Unknown \n[CVE-2017-11779](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11779>)0.0Unknown \n[CVE-2017-11780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11780>)0.0Unknown \n[CVE-2017-11781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11781>)0.0Unknown \n[CVE-2017-11782](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11782>)0.0Unknown \n[CVE-2017-11783](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11783>)0.0Unknown 
\n[CVE-2017-11784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11784>)0.0Unknown \n[CVE-2017-11785](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11785>)0.0Unknown \n[CVE-2017-11814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11814>)0.0Unknown \n[CVE-2017-11815](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11815>)0.0Unknown \n[CVE-2017-11816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11816>)0.0Unknown \n[CVE-2017-11817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11817>)0.0Unknown \n[CVE-2017-11818](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11818>)0.0Unknown \n[CVE-2017-11823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11823>)0.0Unknown \n[CVE-2017-11824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11824>)0.0Unknown \n[CVE-2017-11829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11829>)0.0Unknown \n[CVE-2017-8689](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8689>)0.0Unknown \n[CVE-2017-8693](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8693>)0.0Unknown \n[CVE-2017-8694](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8694>)0.0Unknown \n[CVE-2017-8703](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8703>)0.0Unknown \n[CVE-2017-8715](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8715>)0.0Unknown \n[CVE-2017-8717](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8717>)0.0Unknown \n[CVE-2017-8718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8718>)0.0Unknown \n[CVE-2017-8727](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8727>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038793](<http://support.microsoft.com/kb/4038793>) \n[4041689](<http://support.microsoft.com/kb/4041689>) \n[4041693](<http://support.microsoft.com/kb/4041693>) \n[4041687](<http://support.microsoft.com/kb/4041687>) 
\n[4041676](<http://support.microsoft.com/kb/4041676>) \n[4041690](<http://support.microsoft.com/kb/4041690>) \n[4041691](<http://support.microsoft.com/kb/4041691>) \n[4042895](<http://support.microsoft.com/kb/4042895>) \n[4041679](<http://support.microsoft.com/kb/4041679>) \n[4048955](<http://support.microsoft.com/kb/4048955>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 46, "modified": "2020-07-22T00:00:00", "published": "2017-10-10T00:00:00", "id": "KLA11111", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11111", "title": "\r KLA11111Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041689", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811925", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811925", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041689)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041689)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811925\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8715\", \"CVE-2017-8717\",\n \"CVE-2017-8718\", \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-11816\",\n \"CVE-2017-11769\", \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11783\", \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\",\n \"CVE-2017-11798\", \"CVE-2017-11799\", \"CVE-2017-11800\", \"CVE-2017-11802\",\n \"CVE-2017-11804\", \"CVE-2017-11808\", \"CVE-2017-11809\", \"CVE-2017-11810\",\n \"CVE-2017-11811\", \"CVE-2017-11812\", \"CVE-2017-11814\", \"CVE-2017-11817\",\n \"CVE-2017-11818\", \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\",\n \"CVE-2017-8689\", \"CVE-2017-8693\", \"CVE-2017-11815\", 
\"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101163, 101161, 101162, 101109, 101111, 101112,\n 101084, 101142, 101114, 101116, 101166, 101110, 101140, 101144,\n 101149, 101077, 101141, 101125, 101126, 101127, 101130, 101131,\n 101135, 101137, 101081, 101138, 101139, 101093, 101095, 101101,\n 101122, 101102, 101099, 101128, 101096, 101136, 101094, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:49:56 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041689)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041689\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - The Universal CRT _splitpath was not handling multi byte strings correctly,\n which caused apps to fail when accessing multi byte filenames.\n\n - The Universal CRT caused the linker (link.exe) to stop working for large\n projects.\n\n - The MSMQ performance counter (MSMQ Queue) may not populate queue instances\n when the server hosts a clustered MSMQ role.\n\n - The Lock Workstation policy for smart cards where, in some cases, the system\n doesn't lock when you remove the smart card.\n\n - Issue with form submissions in Internet Explorer.\n\n - Issue with URL encoding in Internet Explorer.\n\n - Issue that prevents an element from receiving focus in Internet Explorer.\n\n - Issue with the docking and undocking of Internet Explorer windows.\n\n - Issue with the rendering of a graphics element in Internet 
Explorer.\n\n - Issue caused by a pop-up window in Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, take complete\n control of an affected system, bypass certain security restrictions, gain access\n to potentially sensitive information, conduct a denial-of-service condition and\n gain privileged access.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041689\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.1175\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10586.0 - 11.0.10586.1175\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:31", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11782", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041691", "modified": "2019-12-20T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812026", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812026", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041691)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041691)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812026\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8717\", \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-11769\",\n \"CVE-2017-8718\", \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11782\", \"CVE-2017-11783\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11798\", \"CVE-2017-11799\", \"CVE-2017-11800\",\n \"CVE-2017-11802\", \"CVE-2017-11804\", \"CVE-2017-11808\", \"CVE-2017-11809\",\n \"CVE-2017-11810\", \"CVE-2017-11811\", \"CVE-2017-11812\", \"CVE-2017-11814\",\n \"CVE-2017-11815\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\", \"CVE-2017-11829\",\n \"CVE-2017-8689\", \"CVE-2017-8693\", \"CVE-2017-11762\", \"CVE-2017-8694\",\n \"CVE-2017-8715\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101163, 101161, 101109, 101111, 101112, 101162,\n 101084, 101142, 101114, 101116, 101166, 101110, 101140, 101143,\n 101144, 101149, 101077, 101141, 101125, 101126, 101127, 101130,\n 101131, 101135, 101137, 101081, 101138, 101139, 101093, 101136,\n 101094, 101095, 101101, 101122, 101102, 101099, 101213, 101128,\n 101096, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 10:50:05 
+0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041691)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041691\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error when Windows improperly handles calls to Advanced Local Procedure\n Call (ALPC).\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error in certain Trusted Platform Module (TPM) chipsets.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the way that certain Windows components handle the loading of\n DLL files.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Microsoft Windows Graphics Component improperly handles\n objects in memory.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error in the way the scripting engine handle objects in memory in Microsoft\n browsers.\n\n - An error in the way that the scripting engine handles objects in memory in\n Microsoft Edge.\n\n - An error in Device Guard that could allow an attacker to inject malicious code\n into a Windows PowerShell session.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when Internet Explorer improperly handles 
objects in memory.\n\n - An error when the Windows Graphics Component improperly handles objects in memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when the Windows Update Delivery Optimization does not properly enforce\n file share permissions.\n\n - An error in Windows Domain Name System (DNS) DNSAPI.\n\n - An error in the default Windows SMB Server configuration which allows anonymous\n users to remotely access certain named pipes that are also configured to allow\n anonymous access to users who are logged on locally.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error in Microsoft Windows storage when it fails to validate an integrity-level\n check.\n\n - An error in the way affected Microsoft scripting engines render when handling\n objects in memory in Microsoft Edge.\n\n - when Internet Explorer improperly accesses objects in memory via the Microsoft\n Windows Text Services Framework.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, conduct NTLM\n dictionary attacks, cause the affected system to crash, take complete control\n of an affected system, obtain sensitive information to further compromise the\n user's system, inject code into a trusted PowerShell process, run processes\n in an elevated context, inject code code in kernel mode and gain elevated\n privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2016\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n 
script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041691\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2016:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.1769\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.14393.0 - 11.0.14393.1769\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11784", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", 
"CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4042895", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811921", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811921", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4042895)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4042895)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811921\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8715\", \"CVE-2017-8717\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-11769\", \"CVE-2017-8718\",\n \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11771\", \"CVE-2017-11772\",\n \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\", \"CVE-2017-11783\",\n \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\",\n \"CVE-2017-11798\", \"CVE-2017-11799\", \"CVE-2017-11800\", \"CVE-2017-11802\",\n \"CVE-2017-11804\", \"CVE-2017-11808\", \"CVE-2017-11809\", \"CVE-2017-11810\",\n \"CVE-2017-11811\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\", \"CVE-2017-8689\",\n \"CVE-2017-8693\", \"CVE-2017-11814\", \"CVE-2017-11815\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101163, 101161, 101109, 101111, 101112, 101162,\n 101084, 101142, 101114, 101116, 101166, 101110, 101140, 101144,\n 101147, 101149, 101077, 101141, 101125, 101126, 101127, 101130,\n 101131, 101135, 101137, 101081, 101138, 101094, 101095, 101101,\n 101122, 101102, 101099, 101128, 101096, 101093, 101136, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:47:24 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows 
Multiple Vulnerabilities (KB4042895)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4042895\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - The Universal CRT _splitpath was not handling multi byte strings correctly,\n which caused apps to fail when accessing multi byte filenames.\n\n - The Universal CRT caused the linker (link.exe) to stop working for large\n projects.\n\n - The MSMQ performance counter (MSMQ Queue) may not populate queue instances\n when the server hosts a clustered MSMQ role.\n\n - The Lock Workstation policy for smart cards where, in some cases, the system\n doesn't lock when you remove the smart card.\n\n - Issue with form submissions in Internet Explorer.\n\n - Issue with URL encoding in Internet Explorer.\n\n - Issue that prevents an element from receiving focus in Internet Explorer.\n\n - Issue with the docking and undocking of Internet Explorer windows.\n\n - Issue with the rendering of a graphics element in Internet Explorer.\n\n - Issue caused by a pop-up window in Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, take complete\n control of an affected system, bypass certain security restrictions, gain access\n to potentially sensitive information, conduct a denial-of-service condition and\n gain privileged access.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4042895\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17642\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10240.0 - 11.0.10240.17642\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11796", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11794", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-11806", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-8703", "CVE-2017-11792", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11807", "CVE-2017-11771", 
"CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11821", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11805", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "description": "This host is missing a critical security\n update according to Microsoft KB4041676", "modified": "2020-06-04T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811865", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811865", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041676)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041676)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811865\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8694\", \"CVE-2017-8703\", \"CVE-2017-8715\", \"CVE-2017-11780\",\n \"CVE-2017-8717\", \"CVE-2017-11762\", \"CVE-2017-11763\", \"CVE-2017-11765\",\n \"CVE-2017-8718\", \"CVE-2017-8726\", \"CVE-2017-8727\", \"CVE-2017-11769\",\n \"CVE-2017-11771\", \"CVE-2017-11772\", \"CVE-2017-11781\", \"CVE-2017-11783\",\n \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11792\", \"CVE-2017-11793\",\n \"CVE-2017-11794\", \"CVE-2017-11796\", \"CVE-2017-11798\", \"CVE-2017-11799\",\n \"CVE-2017-11802\", \"CVE-2017-11804\", \"CVE-2017-11805\", \"CVE-2017-11806\",\n \"CVE-2017-11807\", \"CVE-2017-11808\", \"CVE-2017-11809\", \"CVE-2017-11810\",\n \"CVE-2017-11811\", \"CVE-2017-11812\", \"CVE-2017-11814\", \"CVE-2017-11815\",\n \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\", \"CVE-2017-11821\",\n \"CVE-2017-11822\", \"CVE-2017-11823\", \"CVE-2017-11824\", \"CVE-2017-11829\",\n \"CVE-2017-8689\", \"CVE-2017-8693\", \"CVE-2017-11779\", \"CVE-2017-13080\");\n script_bugtraq_id(101100, 101164, 101163, 101161, 101108, 101109, 101111, 101162,\n 101084, 101142, 101112, 101114, 101116, 101140, 101144, 101149,\n 101077, 101078, 101141, 101079, 101080, 101125, 101126, 101130,\n 101131, 101132, 101133, 101134, 101135, 101137, 101081, 101138,\n 101139, 101093, 101136, 101094, 101095, 101101, 101123, 101122,\n 101102, 101099, 101213, 101128, 101096, 101166, 101110, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 11:02:49 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041676)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041676\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists, please refer the link\n mentioned in reference for more information.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited these vulnerabilities to run arbitrary code in the\n security context of the local system, cause the affected system to crash, gain\n access to potentially sensitive information, take control of an affected system\n and gain the same user rights as the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041676\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.673\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.15063.0 - 11.0.15063.673\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:44:19", "description": "The remote Windows host is missing security update 4041691.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. 
An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An elevation of privilege vulnerability exists in the\n default Windows SMB Server configuration which allows\n anonymous users to remotely access certain named pipes\n that are also configured to allow anonymous access to\n users who are logged on locally. An unauthenticated\n attacker who successfully exploits this configuration\n error could remotely send specially crafted requests to\n certain services that accept requests via named pipes.\n (CVE-2017-11782)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. 
(CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 43, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "KB4041691: Windows 10 Version 1607 and Windows Server 2016 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11782", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", 
"CVE-2017-11816"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041691.NASL", "href": "https://www.tenable.com/plugins/nessus/103749", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103749);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11782\",\n \"CVE-2017-11783\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11800\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11812\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-11829\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101125,\n 101126,\n 101127,\n 101128,\n 101130,\n 101131,\n 101135,\n 101136,\n 101137,\n 101138,\n 101139,\n 101140,\n 101141,\n 101142,\n 101143,\n 101144,\n 101149,\n 101161,\n 101162,\n 101163,\n 101166,\n 101213,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041691\");\n 
script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041691\");\n\n script_name(english:\"KB4041691: Windows 10 Version 1607 and Windows Server 2016 October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041691.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An elevation of privilege vulnerability exists in the\n default Windows SMB Server configuration which allows\n anonymous users to remotely access certain named pipes\n that are also configured to allow anonymous access to\n users who are logged on locally. An unauthenticated\n attacker who successfully exploits this configuration\n error could remotely send specially crafted requests to\n certain services that accept requests via named pipes.\n (CVE-2017-11782)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. 
The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041691/windows-10-update-kb4041691\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62ef3ec8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041691.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041691');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041691])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:44:20", "description": "The remote Windows host is missing security update 4042895.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11765, CVE-2017-11814)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8726)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. 
(CVE-2017-11779)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. 
(CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic to\n hosts on a WPA or WPA 2-protected wireless network.\n Multiple conditions would need to be met in order for an\n attacker to exploit the vulnerability the attacker would\n need to be within the physical proximity of the targeted\n user, and the user's computer would need to have\n wireless networking enabled. The attacker would then\n need to execute a man-in-the-middle (MitM) attack to\n intercept traffic between the target computer and\n wireless access point. The security update addresses the\n vulnerability by changing how Windows verifies wireless\n group key handshakes. (CVE-2017-13080)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. 
Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. 
An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)", "edition": 31, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-03T00:00:00", "title": "KB4042895: Windows 10 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11784", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4042895.NASL", "href": "https://www.tenable.com/plugins/nessus/104384", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The 
descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104384);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11800\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101125,\n 101126,\n 101127,\n 101128,\n 101130,\n 101131,\n 101135,\n 101136,\n 101137,\n 101138,\n 101140,\n 101141,\n 101142,\n 101144,\n 101147,\n 101149,\n 101161,\n 101162,\n 101163,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4042895\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4042895\");\n\n script_name(english:\"KB4042895: Windows 10 October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote 
Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4042895.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8726)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic to\n hosts on a WPA or WPA 2-protected wireless network.\n Multiple conditions would need to be met in order for an\n attacker to exploit the vulnerability the attacker would\n need to be within the physical proximity of the targeted\n user, and the user's computer would need to have\n wireless networking enabled. 
The attacker would then\n need to execute a man-in-the-middle (MitM) attack to\n intercept traffic between the target computer and\n wireless access point. The security update addresses the\n vulnerability by changing how Windows verifies wireless\n group key handshakes. (CVE-2017-13080)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11822)\");\n # https://support.microsoft.com/en-us/help/4042895/windows-10-update-kb4042895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfbef494\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4042895.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4042895');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nos_name=get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif(\"LTSB\" >!< os_name) audit(AUDIT_OS_NOT, \"Windows 10 version 1507 LTSB\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4042895])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:44:19", "description": "The remote Windows host is missing security update 4041689.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. 
(CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. 
Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 42, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "KB4041689: Windows 10 Version 1511 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11817", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-11800", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041689.NASL", "href": "https://www.tenable.com/plugins/nessus/103747", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103747);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11800\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11812\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101125,\n 101126,\n 101127,\n 101128,\n 101130,\n 101131,\n 101135,\n 101136,\n 101137,\n 101138,\n 101139,\n 101140,\n 101141,\n 101142,\n 101144,\n 101149,\n 101161,\n 101162,\n 101163,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041689\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041689\");\n\n script_name(english:\"KB4041689: Windows 10 Version 1511 October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041689.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11798,\n CVE-2017-11799, CVE-2017-11800, CVE-2017-11802,\n CVE-2017-11804, CVE-2017-11808, CVE-2017-11811,\n CVE-2017-11812)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11772)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. 
An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041689/windows-10-update-kb4041689\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?00992eb3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041689.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041689');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041689])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:44:19", "description": "The remote Windows host is missing security update 4041676.\nIt is, therefore, affected by multiple vulnerabilities 
:\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11792,\n CVE-2017-11796, CVE-2017-11798, CVE-2017-11799,\n CVE-2017-11802, CVE-2017-11804, CVE-2017-11805,\n CVE-2017-11806, CVE-2017-11807, CVE-2017-11808,\n CVE-2017-11811, CVE-2017-11812, CVE-2017-11821)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11794)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. 
An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11785)\n\n - A denial of service vulnerability exists when Windows\n Subsystem for Linux improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could cause a denial of service against\n the local system. A attacker could exploit this\n vulnerability by running a specially crafted\n application. 
The update addresses the vulnerability by\n correcting how Windows Subsystem for Linux handles\n objects in memory. (CVE-2017-8703)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "edition": 42, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-10T00:00:00", "title": "KB4041676: Windows 10 Version 1703 October 2017 Cumulative Update (KRACK)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-11793", "CVE-2017-8715", "CVE-2017-11809", "CVE-2017-11772", "CVE-2017-11796", "CVE-2017-11804", "CVE-2017-11765", "CVE-2017-13080", "CVE-2017-11794", "CVE-2017-11762", "CVE-2017-11785", "CVE-2017-11811", "CVE-2017-11802", "CVE-2017-11818", "CVE-2017-11824", "CVE-2017-8689", "CVE-2017-11829", "CVE-2017-11817", "CVE-2017-11806", "CVE-2017-8727", "CVE-2017-11798", "CVE-2017-11769", "CVE-2017-8717", "CVE-2017-11779", "CVE-2017-11812", "CVE-2017-8703", "CVE-2017-11792", "CVE-2017-11790", "CVE-2017-11815", "CVE-2017-11799", "CVE-2017-11807", "CVE-2017-11771", "CVE-2017-11814", "CVE-2017-8718", "CVE-2017-8694", "CVE-2017-11810", "CVE-2017-11780", "CVE-2017-11763", "CVE-2017-11783", "CVE-2017-11821", "CVE-2017-11808", "CVE-2017-8693", "CVE-2017-11823", "CVE-2017-11805", "CVE-2017-11781", "CVE-2017-11822", "CVE-2017-8726", "CVE-2017-11816"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_OCT_4041676.NASL", "href": "https://www.tenable.com/plugins/nessus/103745", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103745);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8693\",\n \"CVE-2017-8694\",\n \"CVE-2017-8703\",\n \"CVE-2017-8715\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8726\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11769\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11792\",\n \"CVE-2017-11793\",\n \"CVE-2017-11794\",\n \"CVE-2017-11796\",\n \"CVE-2017-11798\",\n \"CVE-2017-11799\",\n \"CVE-2017-11802\",\n \"CVE-2017-11804\",\n \"CVE-2017-11805\",\n \"CVE-2017-11806\",\n \"CVE-2017-11807\",\n \"CVE-2017-11808\",\n \"CVE-2017-11809\",\n \"CVE-2017-11810\",\n \"CVE-2017-11811\",\n \"CVE-2017-11812\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11821\",\n \"CVE-2017-11822\",\n \"CVE-2017-11823\",\n \"CVE-2017-11824\",\n \"CVE-2017-11829\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101078,\n 101079,\n 101080,\n 101081,\n 101084,\n 101093,\n 101094,\n 101095,\n 101096,\n 101099,\n 101100,\n 101101,\n 101102,\n 101108,\n 101109,\n 101110,\n 101111,\n 101112,\n 101114,\n 101116,\n 101122,\n 101123,\n 101125,\n 101126,\n 101128,\n 101130,\n 101131,\n 101132,\n 101133,\n 101134,\n 101135,\n 101136,\n 101137,\n 101138,\n 101139,\n 101140,\n 101141,\n 101142,\n 101144,\n 101149,\n 101161,\n 101162,\n 101163,\n 101164,\n 101166,\n 101213,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041676\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041676\");\n\n script_name(english:\"KB4041676: Windows 10 Version 1703 
October 2017 Cumulative Update (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041676.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Delivery Optimization does not properly\n enforce file share permissions. An attacker who\n successfully exploited the vulnerability could overwrite\n files that require higher privileges than what the\n attacker already has. (CVE-2017-11829)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11792,\n CVE-2017-11796, CVE-2017-11798, CVE-2017-11799,\n CVE-2017-11802, CVE-2017-11804, CVE-2017-11805,\n CVE-2017-11806, CVE-2017-11807, CVE-2017-11808,\n CVE-2017-11811, CVE-2017-11812, CVE-2017-11821)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-11823, CVE-2017-8715)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11794)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2017-8727)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8693)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handle objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11809)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. 
(CVE-2017-11785)\n\n - A denial of service vulnerability exists when Windows\n Subsystem for Linux improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could cause a denial of service against\n the local system. A attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how Windows Subsystem for Linux handles\n objects in memory. (CVE-2017-8703)\n\n - A remote code execution vulnerability exists in the way\n that certain Windows components handle the loading of\n DLL files. An attacker who successfully exploited this\n vulnerability could take complete control of an affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2017-11769)\n\n - A remote code execution vulnerability exists in the way\n affected Microsoft scripting engines render when\n handling objects in memory in Microsoft Edge. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8726)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-11822)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041676/windows-10-update-kb4041676\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ea1407b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041676.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041676');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041676])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2017-10-25T19:33:12", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11762", "CVE-2017-11763", "CVE-2017-11765", "CVE-2017-11769", "CVE-2017-11771", "CVE-2017-11772", "CVE-2017-11774", "CVE-2017-11775", "CVE-2017-11776", "CVE-2017-11777", "CVE-2017-11779", "CVE-2017-11780", "CVE-2017-11781", "CVE-2017-11782", "CVE-2017-11783", "CVE-2017-11784", "CVE-2017-11785", "CVE-2017-11786", "CVE-2017-11790", "CVE-2017-11792", "CVE-2017-11793", "CVE-2017-11794", "CVE-2017-11796", "CVE-2017-11797", 
"CVE-2017-11798", "CVE-2017-11799", "CVE-2017-11800", "CVE-2017-11801", "CVE-2017-11802", "CVE-2017-11804", "CVE-2017-11805", "CVE-2017-11806", "CVE-2017-11807", "CVE-2017-11808", "CVE-2017-11809", "CVE-2017-11810", "CVE-2017-11811", "CVE-2017-11812", "CVE-2017-11813", "CVE-2017-11814", "CVE-2017-11815", "CVE-2017-11816", "CVE-2017-11817", "CVE-2017-11818", "CVE-2017-11819", "CVE-2017-11820", "CVE-2017-11821", "CVE-2017-11822", "CVE-2017-11823", "CVE-2017-11824", "CVE-2017-11825", "CVE-2017-11826", "CVE-2017-11829", "CVE-2017-8689", "CVE-2017-8693", "CVE-2017-8694", "CVE-2017-8703", "CVE-2017-8715", "CVE-2017-8717", "CVE-2017-8718", "CVE-2017-8726", "CVE-2017-8727"], "description": "\n\nEven though \u201cPatch Tuesday\u201d isn\u2019t supposed to exist anymore, here I am blogging about it. As I looked at the October updates from Microsoft, the usual suspects were there. But this month was a little different. We usually see critical vulnerabilities on the browser side, but Microsoft Office is in the spotlight with [CVE-2017-11826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826>) under active attack.\n\nThe scenario involves a specially crafted file with an affected version of Microsoft Office software. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. So, just imagine if a user is logged on with administrative user rights \u2013 an attacker could take over the system and install programs; view, change, or delete data; or create new accounts with full user rights. The table below highlights the Digital Vaccine\u00ae filters available for the Microsoft October updates.\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before October 10, 2017. 
Microsoft had another big month with 62 security patches for September covering Windows, Internet Explorer (IE), Edge, Office, and Skype for Business. 27 of the patches are listed as Critical and 35 are rated Important. Eight of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [October 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/10/10/the-october-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-11762 | *29152 | \nCVE-2017-11763 | 29698 | \nCVE-2017-11765 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11769 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11771 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11772 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11774 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11775 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11776 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11777 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11779 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11780 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11781 | *29694 | \nCVE-2017-11782 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11783 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11784 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11785 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11786 | | 
Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11790 | *29151 | \nCVE-2017-11792 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11793 | 29705 | \nCVE-2017-11794 | *29687 | \nCVE-2017-11796 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11797 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11798 | 29706 | \nCVE-2017-11799 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11800 | 28925 | \nCVE-2017-11801 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11802 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11804 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11805 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11806 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11807 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11808 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11809 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11810 | 29707 | \nCVE-2017-11811 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11812 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11813 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11814 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11815 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11816 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11817 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11818 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11819 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11820 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11821 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11822 | 29704 | 
\nCVE-2017-11823 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11824 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11825 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11826 | | Insufficient information currently available \nCVE-2017-11829 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8689 | 29692 | \nCVE-2017-8693 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8694 | 29693 | \nCVE-2017-8703 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8715 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8717 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8718 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8726 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8727 | 29699 | \n \n \n\n**Zero-Day Filters**\n\nThere are four new zero-day filters covering two vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. 
You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Microsoft (2)_**\n\n| \n\n * 29695: ZDI-CAN-5067: Zero Day Initiative Vulnerability (Microsoft Chakra)\n * 29741: HTTP: Microsoft Windows WAV File Denial-of-Service Vulnerability (ZDI-17-838) \n---|--- \n| \n \n**_Trend Micro (2)_**\n\n| \n\n * 29701: HTTPS: Trend Micro Mobile Security Enterprise slink_id SQL Injection (ZDI-17-803)\n * 29710: HTTPS:Trend Micro InterScan Messaging Security Proxy Command Injection Vulnerability (ZDI-17-502,504) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-october-2-2017/>).", "modified": "2017-10-13T14:03:59", "published": "2017-10-13T14:03:59", "id": "TRENDMICROBLOG:141C894C9A7CCB3BB2E580A6C8292E37", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-october-9-2017/", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of October 9, 2017", "type": "trendmicroblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2017-10-22T19:31:53", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11762", "CVE-2017-11763", "CVE-2017-11765", "CVE-2017-11767", "CVE-2017-11769", "CVE-2017-11771", "CVE-2017-11772", "CVE-2017-11774", "CVE-2017-11775", "CVE-2017-11776", "CVE-2017-11777", "CVE-2017-11779", "CVE-2017-11780", "CVE-2017-11781", "CVE-2017-11782", "CVE-2017-11783", "CVE-2017-11784", "CVE-2017-11785", "CVE-2017-11786", "CVE-2017-11790", "CVE-2017-11792", "CVE-2017-11793", "CVE-2017-11794", "CVE-2017-11796", "CVE-2017-11797", "CVE-2017-11798", "CVE-2017-11799", "CVE-2017-11800", "CVE-2017-11801", "CVE-2017-11802", "CVE-2017-11804", "CVE-2017-11805", "CVE-2017-11806", "CVE-2017-11807", 
"CVE-2017-11808", "CVE-2017-11809", "CVE-2017-11810", "CVE-2017-11811", "CVE-2017-11812", "CVE-2017-11813", "CVE-2017-11814", "CVE-2017-11815", "CVE-2017-11816", "CVE-2017-11817", "CVE-2017-11818", "CVE-2017-11819", "CVE-2017-11820", "CVE-2017-11821", "CVE-2017-11822", "CVE-2017-11823", "CVE-2017-11824", "CVE-2017-11825", "CVE-2017-11826", "CVE-2017-11829", "CVE-2017-8689", "CVE-2017-8693", "CVE-2017-8694", "CVE-2017-8703", "CVE-2017-8715", "CVE-2017-8717", "CVE-2017-8718", "CVE-2017-8726", "CVE-2017-8727"], "description": "Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. <br /><br /><a name='more'></a><br /><h2 id=\"h.vyxocry7flp\">Vulnerabilities Rated Critical</h2><br />The following vulnerabilities are rated \"Critical\" by Microsoft: <br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813\">CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822\">CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11762\">CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11763\">CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11797\">CVE-2017-11797 - Scripting Engine Information Disclosure 
Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11767\">CVE-2017-11767 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792\">CVE-2017-11792 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793\">CVE-2017-11793 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796\">CVE-2017-11796 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798\">CVE-2017-11798 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11799\">CVE-2017-11799 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11800\">CVE-2017-11800 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11801\">CVE-2017-11801 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802\">CVE-2017-11802 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11804\">CVE-2017-11804 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11805\">CVE-2017-11805 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11806\">CVE-2017-11806 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11807\">CVE-2017-11807 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11808\">CVE-2017-11808 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809\">CVE-2017-11809 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810\">CVE-2017-11810 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811\">CVE-2017-11811 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812\">CVE-2017-11812 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11821\">CVE-2017-11821 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11779\">CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771\">CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8727\">CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11819\">CVE-2017-11819 - 
Windows Shell Remote Code Execution Vulnerability</a></li></ul><h3 id=\"h.9n0bk25dm78x\">CVE-2017-11813, CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability</h3><br />Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.<br /><br /><h3 id=\"h.p7pfodbbvqp3\">CVE-2017-11762, CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability</h3><br />Two vulnerabilities have been identified in the font library of the Microsoft Graphics Component that could allow an attacker to execute arbitrary code. These vulnerabilities manifest due to the library incorrectly handling specially crafted embedded fonts within a web page or document. Exploitation of these two vulnerabilities could be achieved if a user navigates to a malicious web page or if the user opens a specially crafted document that exploits these vulnerabilities.<br /><br /><h3 id=\"h.2zd3ocgo4tir\">Multiple CVEs - Scripting Engine Memory Corruption Vulnerability</h3><br />Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. 
Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit one of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization.\"<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><br /><ul><li>CVE-2017-11767</li><li>CVE-2017-11792</li><li>CVE-2017-11793</li><li>CVE-2017-11796</li><li>CVE-2017-11797</li><li>CVE-2017-11798</li><li>CVE-2017-11799</li><li>CVE-2017-11800</li><li>CVE-2017-11801</li><li>CVE-2017-11802</li><li>CVE-2017-11804</li><li>CVE-2017-11805</li><li>CVE-2017-11806</li><li>CVE-2017-11807</li><li>CVE-2017-11808</li><li>CVE-2017-11809</li><li>CVE-2017-11810</li><li>CVE-2017-11811</li><li>CVE-2017-11812</li><li>CVE-2017-11821</li></ul><h3 id=\"h.6zgalyi0vdh0\">CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Windows DNS that could allow an attacker to execute arbitrary code in the context of the Local System account. This vulnerability manifests in DNSAPI.dll as a result of improperly handling DNS responses. A scenario where this vulnerability could be exploited would be one where an attacker stands up a malicious DNS server to transmit specially crafted DNS responses to the target.<br /><br /><h3 id=\"h.30w8s827zxf7\">CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows Search that could allow an attacker to elevate their privileges and subsequently execute code in the elevated context. This vulnerability manifests due to improper handling of objects in memory. 
For this vulnerability to be exploited, an attacker would need to either have access to the targeted host to exploit this vulnerability, or remotely trigger it through an SMB connection.<br /><br /><h3 id=\"h.vl6grtvoq51l\">CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified in Internet Explorer which could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests as a result of Internet Explorer improperly accessing objects in memory via the Microsoft Windows Text Services Framework. An attacker could create a specially crafted web page that exploits this vulnerability and subsequently socially engineer a user to visit the page to compromise users. Additionally, attackers could leverage vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit and compromise users.<br /><br /><h3 id=\"h.idto8iab26ye\">CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Microsoft web browsers which manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. An attacker could leverage this vulnerability to exploit users by crafting a specially formed web page and socially engineering users to visit such a page. 
Other scenarios include an attacker leveraging vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit this vulnerability and compromise users.<br /><br /><h2 id=\"h.ykle8if9gdqr\">Vulnerabilities Rated Important</h2><br />The following vulnerabilities are rated \"important\" by Microsoft:<br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790\">CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794\">CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8726\">CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8693\">CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8717\">CVE-2017-8717 - Microsoft JET Database Engine Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8718\">CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826\">CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11825\">CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11775\">CVE-2017-11775 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11777\">CVE-2017-11777 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11820\">CVE-2017-11820 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11776\">CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774\">CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11772\">CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11823\">CVE-2017-11823 - Microsoft Windows Security Feature Bypass</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786\">CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11769\">CVE-2017-11769 - TRIE Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8689\">CVE-2017-8689 - Win32k Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8694\">CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11783\">CVE-2017-11783 - Windows Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11816\">CVE-2017-11816 - Windows GDI 
Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11824\">CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11817\">CVE-2017-11817 - Windows Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11765\">CVE-2017-11765 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11784\">CVE-2017-11784 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11785\">CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11814\">CVE-2017-11814 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8715\">CVE-2017-8715 - Windows Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11781\">CVE-2017-11781 - Windows SMB Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11782\">CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11815\">CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11780\">CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11818\">CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8703\">CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11829\">CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability</a></li></ul><h3 id=\"h.g7oy1wnmoh\">CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Internet Explorer that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Internet Explorer improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to a site that hosts user-generated content could also be exploited.<br /><br /><h3 id=\"h.nb288lrlg1t0\">CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Edge that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Edge improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to a site that hosts user-generated content could also be exploited.<br /><br /><h3 id=\"h.xeyotn6ksca2\">CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified in Edge that could allow an attacker to execute arbitrary code in the context of the user. 
This vulnerability manifests due to Edge improperly handling objects in memory. Possible scenarios where an attacker could compromise a user include a web-based attack where a user navigates to a specially crafted web page under the attacker's control. Other possibilities include a user opening a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization\".<br /><br /><h3 id=\"h.ljhh4ib6ascw\">CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. <br /><br /><h3 id=\"h.b3tc5u640xdc\">CVE-2017-8717, CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability</h3><br />Two arbitrary code execution vulnerabilities have been identified in the Microsoft JET Database Engine that could allow an attacker to execute arbitrary code in the context of the current user. These vulnerabilities manifest as buffer overflow conditions when triggered. For an attacker to successfully exploit these vulnerabilities, a user would need to open or preview a specially crafted Microsoft Excel document on an affected version of Windows. An email-based attack where an attacker sends a victim a specially crafted Excel document is the most likely scenario where a user could be compromised.<br /><br /><h3 id=\"h.8jrdy5afh6a8\">CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability</h3><br />A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. 
This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that in certain conditions, the Preview Pane is an attack vector as well.<br /><br /><h3 id=\"h.ylhjbo1cr5qh\">CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability</h3><br />A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.<br /><br /><h3 id=\"h.oxc5wddvo6jo\">Multiple CVEs - Microsoft Office SharePoint XSS Vulnerability</h3><br />Multiple vulnerabilities in Microsoft Office SharePoint have been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. These vulnerabilities manifest due to SharePoint Server improperly sanitizing specific web requests from a user. 
Successful exploitation of these flaws could allow an attacker to execute scripts in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.<br /><br />The following CVEs reflect these vulnerabilities:<br /><br /><ul><li>CVE-2017-11775</li><li>CVE-2017-11777</li><li>CVE-2017-11820</li></ul><h3 id=\"h.c41fpdu70sl\">CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability in Microsoft Outlook has been identified that could leak sensitive information to third parties. This vulnerability manifests when Outlook fails to establish a secure connection. An attacker who exploits this vulnerability could obtain the email content of a user.<br /><br /><h3 id=\"h.qzz1eubjito7\">CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified in Microsoft Outlook that could be used to execute arbitrary commands. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a specially crafted document file could be exploited. A scenario where this could occur would be a file-sharing attack where an attacker gives the user a file and socially engineers them to open it.<br /><br /><h3 id=\"h.h7qopze2yjkx\">CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows Search that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Windows Search improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user sends specially crafted messages to the Windows Search service. 
Alternatively, this vulnerability could be exploited remotely in an enterprise setting over an SMB connection from an unauthenticated attacker. <br /><br /><h3 id=\"h.vz622ye9nv6q\">CVE-2017-11823 - Microsoft Windows Security Feature Bypass</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.oakx7dmaktpr\">CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Skype for Business that could allow an authenticated attacker to potentially impersonate a user. This vulnerability manifests due to Skype for Business improperly handling specific authentication requests. An attacker who initiates an instant message session while a specially crafted profile image is set could exploit this vulnerability and steal an authentication hash that could be reused in different contexts. Successful exploitation would allow an attacker to perform actions that the user is permitted to do, resulting in various outcomes such as privilege escalation.<br /><br /><h3 id=\"h.m4vwz0vfvmia\">CVE-2017-11769 - TRIE Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows that could allow an attacker to execute code in the context of the current user. This vulnerability manifests due to the way certain Windows components improperly handle loading DLL files. 
Successful exploitation could allow an attacker to perform actions or execute commands within the context of the current user.<br /><br /><h3 id=\"h.s3nuhh6mevtm\">CVE-2017-8689, CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability</h3><br />Two vulnerabilities in Windows Kernel-Mode Drivers have been identified that could allow a privilege escalation attack to occur. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in an attacker obtaining administrator privileges on the targeted system. A user who runs a specially crafted executable could leverage these vulnerabilities to perform actions as an administrator on the affected system.<br /><br /><h3 id=\"h.efo91ikgy106\">CVE-2017-11783 - Windows Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Windows that could allow an authenticated attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to Windows improperly handling calls to Advanced Local Procedure Call (ALPC). A user who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.ctwd13favj7d\">CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Device Interface (GDI) that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the GDI improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. 
<br /><br /><h3 id=\"h.3ttkcyczmr38\">CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.<br /><br /><h3 id=\"h.xs6yd6lux2zt\">CVE-2017-11817 - Windows Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the kernel improperly initializing objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. <br /><br /><h3 id=\"h.64j13moi1fp9\">CVE-2017-11784, CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain memory addresses and bypass Kernel Address Space Layout Randomization (KASLR). Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them. <br /><br /><h3 id=\"h.7pxt6sdcvtyu\">CVE-2017-11765, CVE-2017-11814 - Windows Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. 
These vulnerabilities manifest due to the kernel improperly initializing objects in memory. Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them. <br /><br /><h3 id=\"h.cingn0ygtdh4\">CVE-2017-8715 - Windows Security Feature Bypass Vulnerability</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.jfc0amtsn2gv\">CVE-2017-11781 - Windows SMB Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in Microsoft SMB that could allow an attacker to crash an affected host. This vulnerability manifests due to SMB improperly handling certain requests. An attacker who sends a vulnerable server specially crafted requests could exploit this vulnerability and create a denial of service condition for users.<br /><br /><h3 id=\"h.s6konclvij9e\">CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in the default Windows SMB Server configuration that could allow anonymous users to access certain named pipes. These named pipes could be used to send specially crafted requests to services that accept requests via named pipes. 
An attacker who is able to send SMB messages to an affected SMB server could exploit this vulnerability.<br /><br /><h3 id=\"h.eu27t49sp7sb\">CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows SMB that could allow an attacker to access files they otherwise should not have access to. This vulnerability manifests due to the SMB server improperly handling certain requests. An attacker who is able to authenticate to the SMB server and send it SMB messages could exploit this vulnerability.<br /><br /><h3 id=\"h.4pj6p2ufcvo6\">CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Microsoft Server Message Block 1.0 (SMBv1) which could allow an attacker to compromise SMBv1 servers. This vulnerability manifests due to the way SMBv1 servers handle certain requests. Exploitation of this vulnerability could be achieved by an unauthenticated attacker by sending specially crafted requests to the affected server.<br /><br /><h3 id=\"h.faj8k2jjkgei\">CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability</h3><br />A security feature bypass has been identified in Microsoft Windows storage which could allow an application with a certain integrity level to execute code at a different level. This vulnerability manifests due to Windows improperly validating an integrity-level check.<br /><br /><h3 id=\"h.xb5ohr1yadjd\">CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in the Windows Subsystem for Linux (WSL). This vulnerability manifests due to WSL improperly handling objects in memory. 
An attacker who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.4x4sjotidrnz\">CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Windows Update Delivery Optimization that could allow an attacker to overwrite files of a higher privilege than what the attacker possesses. This vulnerability manifests due to Windows Update Delivery Optimization improperly enforcing file share permissions. An attacker who is able to log into the system and create a Delivery Optimization job could exploit this vulnerability.<br /><br /><h2 id=\"h.f970sl5g45g5\">Coverage</h2><br />In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.<br /><br />Snort Rules:<br /><br /><ul><li>44333-44334</li><li>44508-44519</li><li>44526-44529</li><li>44532-44533</li></ul>", "modified": "2017-10-10T20:25:22", "published": "2017-10-10T13:25:00", "id": "TALOSBLOG:D985A5A21B218B47A518D6D4AB858393", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/As9MZaE7IyE/ms-tuesday.html", "title": "Microsoft Patch Tuesday - October 2017", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}