ID: MS:CVE-2017-0001
Type: mscve
Reporter: Microsoft
Modified: 2017-03-14T07:00:00
Description
An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
{"id": "MS:CVE-2017-0001", "bulletinFamily": "microsoft", "title": "Windows GDI Elevation of Privilege Vulnerability", "description": "An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0001"], "type": "mscve", "lastseen": "2020-08-07T11:45:33", "edition": 2, "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0001"]}, {"type": "symantec", "idList": ["SMNTC-96057"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786206"]}, {"type": "fireeye", "idList": ["FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294"]}, {"type": "thn", "idList": ["THN:35CDED923C2A70050CA53879EA860398"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810811"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-013.NASL"]}, {"type": "mskb", "idList": ["KB4013075"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902"]}], "modified": "2020-08-07T11:45:33", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2020-08-07T11:45:33", 
"rev": 2}, "vulnersScore": 6.6}, "kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", "KB3210720", "KB3205401", "KB4014077", "KB3204723", "KB4013198", "KB4012497", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0001", "msAffectedSoftware": [{"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012497", "kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012497", "kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012497", "kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4012497", 
"kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4012497", "kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4012497", "kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012497", "kbSupersedence": "KB3204723", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB4014077", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T13:07:29", "description": "The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka \"Windows GDI Elevation of Privilege Vulnerability.\" This vulnerability is different from those described in CVE-2017-0005, CVE-2017-0025, and CVE-2017-0047.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "title": "CVE-2017-0001", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0001"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", 
"cpe:/o:microsoft:windows_7:*"], "id": "CVE-2017-0001", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0001", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-12T04:25:08", "bulletinFamily": "software", "cvelist": ["CVE-2017-0001"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. 
A local attacker can exploit this issue to execute arbitrary code within the context of the kernel privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 for x64-based Systems \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2017-03-14T00:00:00", "published": "2017-03-14T00:00:00", "id": "SMNTC-96057", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96057", "type": "symantec", "title": "Microsoft Windows Graphics CVE-2017-0001 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-05-17T11:27:29", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "edition": 1, "description": "In 2015, FireEye released a Microsoft Office EPS\uff08Encapsulated PostScript in the two vulnerability details. Wherein, a is 0day vulnerabilities, one in the attack a few weeks before playing the patch. Recently, FireEye and Microsoft Office products in the discovery of three new 0day vulnerabilities, these vulnerabilities are being the attacker. \nIn 2017 at the end of 3, We detected another malicious file, which uses the EPS of the unknown vulnerabilities and the Windows Graphics Device Interface GDI in the recently patched vulnerability to deliver malicious software. Subsequently, Microsoft in the 2017 year 4 months to deactivate the EPS, but FireEye in EPS, and found a second unknown vulnerability. \nFireEye believes that there are two organizations Turla and another unknown financial criminal organizations is the use of the first EPS 0day Vulnerability CVE-2017-0261, and APT28, is to use the second EPS 0day Vulnerability CVE-2017-0262 and a new privilege escalation\uff08EOP\uff09 0day Vulnerability CVE-2017-0263 in. Turla and APT28 is Russian cyber espionage organizations, they will these 0day vulnerabilities applied to European Foreign and military Department. 
And this unidentified financial crime organizations are specifically targeted in the Middle East with offices of regional banks and global banks. In the following, we proceed with the introduction of EPS 0day vulnerabilities, related malware and new EOP 0day vulnerabilities. Each EPS 0day vulnerabilities are provided in the corresponding EOP exploit code, in order to provide the right, the code must bypass the sandbox, in order to perform the processing for the EPS FLTLDR. EXE instance. \nWe found that the malicious file is used for the delivery of three different payload. CVE-2017-0261 for delivery SHIRIME\uff08Turla and NETWIRE\uff08unknown financial crime organization, CVE-2017-0262 for delivery GAMEFISH\uff08APT28 it. CVE-2017-0263 for delivery GAMEFISH payload during the elevated privileges. \nFireEye the company's e-mail and network product detects these malicious files. \nIn these Vulnerability Information Disclosure, FireEye has been with the Microsoft Security Response Center MSRC for coordination. Microsoft recommends that all customers follow the security advice ADV170005 in the guidance, do a good job related security and Defense work. \nCVE-2017-0261--EPS\u201crestore\u201dUAF vulnerability \nOpen the Office document, FLTLDR. EXE will be used for rendering included the vulnerability of the embedded EPS image. Here the EPS file is a PostScript program, you can\u201crestore\u201doperation using the UAF vulnerability. \nAccording to the PostScript of the official Description:\u201ca local VM object allocation and the local VM in the existing objects of the modified called by the save and restore function is completed, in the name of the corresponding operation identifier, you can refer to them. save and restore can be used to package in the local VM in the PostScript language program related to the code. 
restore to be able to release the newly created object, and undo from the corresponding save operation after the existing object to modify.\u201d \nAs described above, the restore operation will be recovered from the save operation after the allocated memory. For the UAF vulnerability to say, when the forall operation of the combination, then it could not be better. Figure 1 shows the use of the save and restore operation of the pseudo-code. \n! [](/Article/UploadPic/2017-5/2017517184135487. png? www. myhack58. com) \nFigure 1: exploit the pseudo-code \nThe following operation allows the pseudo-code leaks the metadata, in order to achieve the Read/Write primitives: \n1\\. Create forall_proc array, only a single restore proc elements \n2\\. The EPS state is saved to eps_state \n3\\. In the Save created after the uaf_array \n4\\. Use forall operation to traverse uaf_array elements, for each element call forall_proc \n5\\. The uaf_array the first element is passed to the restore_proc of the call, the process contained in the forall_proc. \n6\\. restore_proc \nTo restore the initial state, the release uaf_array \nalloc_string process will be recycled to release the uaf_array \nforall_proc to call leak_proc \n7\\. forall operation of the follow-up calls for the recovery of uaf_array each element of the call leak_proc, these elements are now stored alloc_string the results of the process \nFigure 2 demonstrates in recovery after using uaf_array the debug log. \n! [](/Article/UploadPic/2017-5/2017517184136535. png? www. myhack58. com) \nFigure 2: uaf_array recycle the debug log \nThrough the operation of save operation after the identifier of the operation, the attacker can manipulate the memory layout, and the UAF vulnerability is converted to a read/write primitive. Figure 3 shows a forgery of the string, the length is set to 0x7fffffff, the cardinality is 0. \n! [](/Article/UploadPic/2017-5/2017517184136165. png? www. myhack58. 
com) \nFigure 3: Forge of the string object \nThe use of read and write arbitrary user memory capacity, The EPS program may further search the gadgets to build ROP chains, and create a file object. Figure 4 shows the in-memory fake file objects. \n! [](/Article/UploadPic/2017-5/2017517184136436. png? www. myhack58. com) \nFigure 4: with the ROP of the pseudo-file object \nBy Faking the file object call to closefile, the exploit code can be transferred to the ROP and start the shellcode with. Figure 5 shows closefile processing program part of the disassembly procedure. \n! [](/Article/UploadPic/2017-5/2017517184136717. png? www. myhack58. com) \nFigure 5: closefile Stack Pivot the disassembly code \nOnce executed, the malware will use the ROP chain to modify the stored shellcode memory region of the protection mechanisms. Thus, the shellcode will be able to perform FLTLDR. EXE running in a sandbox, and at the same time, in order to escape the sandbox detection, it also needs to further mention the right. \nAccording to FireEye found that the use of the vulnerability of the EPS program has two different versions. Wherein st07383. en17. docx using 32 or 64 bit version of CVE-2017-0001 to provide the right, and then perform a contains called SHIRIME malware inject the JavaScript payload. SHIRIME is Turla commonly used specially crafted JavaScript injector one, as the first stage of the payload into the target system, and implements the management and control functions. From the beginning of 2016 since we observed in the wild using the SHIRIME had many times revision, in this 0day vulnerability used in the attack was the latest version, v1. 0. 1004\uff09 \nThe second document Confirmation_letter. docx using 32 or 64 bit version of CVE-2016-7255 to mention the right, and then injected into the NETWIRE malware a new variant. According to our observation, the file is a different version of the file name is very similar. 
\nThese documents in the EPS program contains different logic to complete the ROP chain and shellcode construct. At the same time, it also uses a simple algorithm for the shellcode part of the obfuscation process, specifically as shown in Figure 6. \n\n\n**[1] [[2]](<86206_2.htm>) [[3]](<86206_3.htm>) [next](<86206_2.htm>)**\n", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "MYHACK58:62201786206", "href": "http://www.myhack58.com/Article/html/3/62/2017/86206.htm", "title": "For the APT organization to use the EPS vulnerabilities in and mention the right vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:21", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. 
Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). 
CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. 
The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. 
The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. 
The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. 
Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. 
The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). 
The shellcode then copies the system process\u2019 token to current process, which elevates current process privilege to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days with examples seen before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. 
Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5** | **Filename** | **C2 Host**\n---|---|---\n2abe3cc4bff46455a945d56c27e9fb45 | Confirmation_letter.docx.bin (NETWIRE) | 84.200.2.12\ne091425d23b8db6082b40d25e938f871 | Confirmation_letter.docx (NETWIRE) | 138.201.44.30\n006bdb19b6936329bffd4054e270dc6a | Confirmation_letter_ACM.docx (NETWIRE) | 185.106.122.113\n15660631e31c1172ba5a299a90938c02 | st07383.en17.docx (SHIRIME) | tnsc.webredirect.org\nf8e92d8b5488ea76c40601c8f1a08790 | Trump's_Attack_on_Syria_English.docx (GAMEFISH) | wmdmediacodecs.com\n\nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": "2017-05-09T13:00:00", "id": "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-06T23:14:39", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. 
One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. 
Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. 
**restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. 
Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day.\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. 
The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. 
This is shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout is as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. 
Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as well as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow** classname and sets a new WndProc for the corresponding window. 
Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). The shellcode then copies the system process\u2019 token to current process, which elevates current process privilege to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days with examples seen before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. 
Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5** | **Filename** | **C2 Host**\n---|---|---\n2abe3cc4bff46455a945d56c27e9fb45 | Confirmation_letter.docx.bin (NETWIRE) | 84.200.2.12\ne091425d23b8db6082b40d25e938f871 | Confirmation_letter.docx (NETWIRE) | 138.201.44.30\n006bdb19b6936329bffd4054e270dc6a | Confirmation_letter_ACM.docx (NETWIRE) | 185.106.122.113\n15660631e31c1172ba5a299a90938c02 | st07383.en17.docx (SHIRIME) | tnsc.webredirect.org\nf8e92d8b5488ea76c40601c8f1a08790 | Trump's_Attack_on_Syria_English.docx (GAMEFISH) | wmdmediacodecs.com\n\nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": 
"2017-05-09T13:00:00", "id": "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:39", "bulletinFamily": "info", "cvelist": ["CVE-2017-0001", "CVE-2017-0290", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0263", "CVE-2017-0278", "CVE-2017-0277", "CVE-2017-0222", "CVE-2017-0262", "CVE-2017-0261"], "description": "[](<https://1.bp.blogspot.com/-vpXxMS5a1OQ/WRLsUKCC4II/AAAAAAAAsiw/8zkd69jstykdsFIkaYYDa9lAVVLKnZO2QCLcB/s1600/windows-zero-day-exploit.png>)\n\n \nAs part of this month's Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild. \n \nJust yesterday, Microsoft released an [emergency out-of-band update](<https://thehackernews.com/2017/05/windows-defender-rce-flaw.html>) separately to patch a remote execution bug ([CVE-2017-0290](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0290>)) in Microsoft's Antivirus Engine that comes enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems. \n \nThe vulnerability, reported by Google Project Zero researchers, could allow an attacker to take over your Windows PC with just an email, which you haven't even opened yet. \n \n**_May 2017 Patch Tuesday_ \u2014** Out of 55 vulnerabilities, 17 have been rated as critical and affect the company's main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of the Microsoft's anti-malware products. 
\n \nSysadmins all over the world should prioritize May's Patch Tuesday as it addresses four critical zero-day vulnerabilities, three of which have been actively exploited by cyber-espionage groups in targeted attacks over the past few months. \n \n\n\n### 3 Zero-Days Were Exploited in the Wild by Russian Cyber-Espionage Group\n\n \n**_First Zero-Day Vulnerability ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>))_ \u2014** It affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system. \n \nThis Office vulnerability could be exploited by tricking victims into opening a file containing a malformed graphics image in an email. The attack also exploits a Windows privilege escalation bug ([CVE-2017-0001](<https://technet.microsoft.com/en-us/library/security/ms17-013.aspx>)) that the company patched on March 14 to gain full control over the system \u2013 essentially allowing attackers to install spyware and other malware. \n \nAccording to the [FireEye](<https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html>) researchers, the CVE-2017-0261 flaw has been exploited since late March by an unknown group of financially motivated hackers and by a Russian cyber espionage group called Turla, also known as Snake or Uroburos. \n \n**Second Zero-Day Vulnerability ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) \u2014** FireEye and [ESET](<https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/>) researchers believe that the APT28 hacking group, also known as Fancy Bear, or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability which leads to remote code execution on opening a malformed file. 
\n \n**_Third Zero-Day Vulnerability ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>))_ \u2014** The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft's Windows operating system. \n \nThis vulnerability exists in the way the Windows kernel-mode driver handles objects in memory, allowing attackers to run arbitrary code in kernel mode and then install malware, view, change, or delete data, and even create new accounts with full user rights. \n \nResearchers believe that the Russian cyber-espionage group was also actively exploiting this flaw (CVE-2017-0263) along with the second zero-day vulnerability (CVE-2017-0262). \n \n**_Fourth Zero-Day Vulnerability ([CVE-2017-0222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0222>))_ \u2014** Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory. \n \nOpening a malicious web page can corrupt memory to trigger remote code execution, allowing attackers to take control of an affected system. According to the tech giant, this issue was also exploited in the wild. \n \n**_Patches for Other Critical Vulnerabilities_ \u2014** This month's security updates also fix critical vulnerabilities in both Edge and Internet Explorer (IE) that could lead to remote code execution by tricking victims into visiting malicious websites or viewing specially crafted advertisements inside the browsers. 
\n \nBesides this, Microsoft also addresses four critical remote code execution bugs ([CVE-2017-0272](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0272>), [CVE-2017-0277](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0277>), [CVE-2017-0278](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0278>), and [CVE-2017-0279](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0279>)) in Windows SMB network file-sharing protocol, which affects Windows 7 through 10 and Windows Server 2008 through 2016. \n \nThese vulnerabilities put Windows PCs and server installations at risk of hacking if they use SMBv1, though there have been no reports of any of these flaws exploited in the wild. \n \nAs usual, Adobe Flash Player patches are also included in the security update to address [7 CVE-listed flaws](<https://helpx.adobe.com/security/products/flash-player/apsb17-15.html>) in Windows, macOS, and Linux. 
\n \nWindows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.\n", "modified": "2017-05-10T10:37:40", "published": "2017-05-09T23:37:00", "id": "THN:35CDED923C2A70050CA53879EA860398", "href": "https://thehackernews.com/2017/05/patch-windows-zero-days.html", "type": "thn", "title": "Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:51:28", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-0001", "CVE-2017-0073", "CVE-2017-0060", "CVE-2017-0025", "CVE-2017-0047", "CVE-2017-0061", "CVE-2017-0014", "CVE-2017-0063", "CVE-2017-0005", "CVE-2017-0038", "CVE-2017-0108", "CVE-2017-0062"], "description": "<html><body><p>Resolves vulnerabilities in the Microsoft Graphics Component on Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.</p><h2>Summary</h2><p>This security update resolves <span>vulnerabilities </span> in the Microsoft Graphics Component on <span>Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync</span>. These <span>vulnerabilities</span> could allow <span>remote code execution if a user either visits a specially crafted website or opens a specially crafted document</span>. To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-013\" managed-link=\"\">Microsoft Security Bulletin MS17-013</a>.</p><h2>Additional information about this security update</h2><p>The following articles contain additional information about this security update as it relates to individual product versions. 
The articles may contain known issue information.</p><h3>Microsoft Windows</h3><ul><li><span><a data-content-id=\"4017018\" data-content-type=\"article\" href=\"\" managed-link=\"\">4017018</a> Security update for Microsoft Graphics Component: April 11, 2017</span></li><li><span><a data-content-id=\"4012584\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012584</a> MS17-013: Description of the security update for Microsoft Graphics Component: March 14, 2017</span></li><li><span><a data-content-id=\"4012497\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012497</a> MS17-018 and MS17-013: Description of the security update for Windows Kernel-Mode Drivers and for Microsoft Graphics Component: March 14, 2017</span></li><li><span><a data-content-id=\"4012212\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012212</a> March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1</span></li><li><span><a data-content-id=\"4012215\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012215</a> March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</span></li><li><span><a data-content-id=\"4012213\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012213</a> March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2</span></li><li><span><a data-content-id=\"4012216\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012216</a> March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2</span></li><li><span><a data-content-id=\"4012214\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012214</a> March 2017 Security Only Quality Update for Windows Server 2012</span></li><li><span><a data-content-id=\"4012217\" data-content-type=\"article\" href=\"\" managed-link=\"\">4012217</a> March 2017 Security Monthly Quality Rollup for Windows Server 2012</span></li><li><a data-content-id=\"4012606\" 
data-content-type=\"article\" href=\"\" managed-link=\"\"><span>4012606</span></a><span> March 14, 2017\u2014KB4012606 (OS Build 17312)</span></li><li><a data-content-id=\"4013198\" data-content-type=\"article\" href=\"\" managed-link=\"\"><span>4013198</span></a><span> March 14, 2017\u2014KB4013198 (OS Build 830)</span></li><li><a data-content-id=\"4013429\" data-content-type=\"article\" href=\"\" managed-link=\"\"><span>4013429</span></a><span> March 13, 2017\u2014KB4013429 (OS Build 933)</span></li></ul><h3>Microsoft Office</h3><ul><li><span><a data-content-id=\"3127945\" data-content-type=\"article\" href=\"\" managed-link=\"\">3127945</a> MS17-013: Description of the security update for 2007 Microsoft Office Suite: March 14, 2017</span></li><li><span><a data-content-id=\"3141535\" data-content-type=\"article\" href=\"\" managed-link=\"\">3141535</a> MS17-013: Description of the security update for 2007 Microsoft Office Suite: March 14, 2017</span></li><li><span><a data-content-id=\"3127958\" data-content-type=\"article\" href=\"\" managed-link=\"\">3127958</a> MS17-013: Description of the security update for Office 2010: March 14, 2017</span></li><li><span><a data-content-id=\"3178688\" data-content-type=\"article\" href=\"\" managed-link=\"\">3178688</a> MS17-013: Description of the security update for Office 2010: March 14, 2017</span></li><li><p><span><a data-content-id=\"3178693\" data-content-type=\"article\" href=\"\" managed-link=\"\">3178693</a> MS17-013: Description of the security update for Word Viewer: March 14, 2017</span></p></li><li><p><a data-content-id=\"3178653\" data-content-type=\"article\" href=\"\" managed-link=\"\">3178653</a> MS17-013: Description of the security update for Word Viewer: March 14, 2017</p></li></ul><h3>Microsoft Communications Platforms and Software</h3><ul><li><span><a bookmark-id=\"\" 
data-content-id=\"4010299\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">4010299</a> MS17-013: Description of the security update for Microsoft Graphics Component on Lync 2010: March 14, 2017</span></li><li><span><a bookmark-id=\"\" data-content-id=\"4010300\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">4010300</a> MS17-013: Description of the security update for Microsoft Graphics Component on Lync 2010 Attendee\u00a0(user level install): March 14, 2017</span></li><li><span><a bookmark-id=\"\" data-content-id=\"4010301\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">4010301</a> MS17-013: Description of the security update for Microsoft Graphics Component on Lync 2010 Attendee\u00a0(admin level install): March 14, 2017</span></li><li><span><a bookmark-id=\"\" data-content-id=\"4010303\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">4010303</a> MS17-013: Description of the security update for Microsoft Graphics Component on Live Meeting 2007 Console: March 14, 2017</span></li><li><a data-content-id=\"4010304\" data-content-type=\"article\" href=\"\" managed-link=\"\">4010304</a> MS17-013: Description of the security update for Microsoft Graphics Component on Live Meeting Add-in: March 14, 2017</li><li><a data-content-id=\"3172539\" data-content-type=\"article\" href=\"\" managed-link=\"\">3172539</a> MS17-013: Description of the security update for Lync 2013 (Skype for Business): March 14, 2017</li><li><a data-content-id=\"3178656\" data-content-type=\"article\" href=\"\" managed-link=\"\">3178656</a> MS17-013: Description of the security update for Skype for Business 
2016: March 14, 2017</li></ul><h3><span>Microsoft Developer Tools and Software</span></h3><ul><li><span><a data-content-id=\"4013867\" data-content-type=\"article\" href=\"\" managed-link=\"\">4013867</a> MS17-013: Description of the security update for Microsoft Graphics Component on Microsoft Silverlight 5: March 14, 2017</span></li></ul><h2>Security update deployment information</h2><h3><strong>Windows Vista (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"26%\"><p><strong>Security update file names</strong></p></td><td width=\"73%\"><p>For all supported 32-bit editions of Windows Vista:<br/><strong>Windows6.0-KB4017018-x86.msu<br/>Windows6.0-KB4012584-x86.msu<br/>Windows6.0-KB4012497-x86.msu</strong></p></td></tr><tr><td width=\"26%\"><p>\u00a0</p></td><td width=\"73%\"><p>For all supported x64-based editions of Windows Vista:<br/><strong>Windows6.0-KB4017018-x64.msu<br/>Windows6.0-KB4012584-x64.msu<br/>Windows6.0-KB4012497-x64.msu</strong></p></td></tr><tr><td width=\"26%\"><p><strong>Installation switches</strong></p></td><td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td></tr><tr><td width=\"26%\"><p><strong>Restart requirement</strong></p></td><td width=\"73%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"26%\"><p><strong>Removal information</strong></p></td><td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. 
Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"26%\"><p><strong>File information</strong></p></td><td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4017018\"><u>Microsoft Knowledge Base article 4017018</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012584\"><u>Microsoft Knowledge Base article 4012584</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012497\"><u>Microsoft Knowledge Base article 4012497</u></a></p></td></tr><tr><td width=\"26%\"><p><strong>Registry key verification</strong></p></td><td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><p>\u00a0</p><h3><strong>Windows Server 2008 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"26%\"><p><strong>Security update file names</strong></p></td><td width=\"73%\"><p>For all supported 32-bit editions of Windows Server 2008:<br/><strong>Windows6.0-KB4017018-x86.msu<br/>Windows6.0-KB4012584-x86.msu<br/>Windows6.0-KB4012497-x86.msu</strong></p></td></tr><tr><td width=\"26%\"><p>\u00a0</p></td><td width=\"73%\"><p>For all supported x64-based editions of Windows Server 2008:<br/><strong>Windows6.0-KB4017018-x64.msu<br/>Windows6.0-KB4012584-x64.msu<br/>Windows6.0-KB4012497-x64.msu</strong></p></td></tr><tr><td width=\"26%\"><p>\u00a0</p></td><td width=\"73%\"><p>For all supported Itanium-based editions of Windows Server 2008<br/><strong>Windows6.0-KB4017018-ia64.msu<br/>Windows6.0-KB4012584-ia64.msu<br/>Windows6.0-KB4012497-ia64.msu</strong></p></td></tr><tr><td width=\"26%\"><p><strong>Installation switches</strong></p></td><td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base 
article 934307</u></a></p></td></tr><tr><td width=\"26%\"><p><strong>Restart requirement</strong></p></td><td width=\"73%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"26%\"><p><strong>Removal information</strong></p></td><td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"26%\"><p><strong>File information</strong></p></td><td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4017018\"><u>Microsoft Knowledge Base article 4017018</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012584\"><u>Microsoft Knowledge Base article 4012584</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012497\"><u>Microsoft Knowledge Base article 4012497</u></a></p></td></tr><tr><td width=\"26%\"><p><strong>Registry key verification</strong></p></td><td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Windows 7 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"29%\"><p><strong>Security update file name</strong></p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td></tr><tr><td width=\"29%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td></tr><tr><td width=\"29%\"><p><strong>Installation switches</strong></p></td><td width=\"70%\"><p>See <a 
href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a><u> </u></p></td></tr><tr><td width=\"29%\"><p><strong>Restart requirement</strong></p></td><td width=\"70%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"29%\"><p><strong>Removal information</strong></p></td><td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall </strong>setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"29%\"><p><strong>File information</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Registry key verification</strong></p></td><td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Windows Server 2008 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"29%\"><p><strong>Security update file name</strong></p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td></tr><tr><td width=\"29%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td></tr><tr><td width=\"29%\"><p><strong>Installation switches</strong></p></td><td 
width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Restart requirement</strong></p></td><td width=\"70%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"29%\"><p><strong>Removal information</strong></p></td><td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"29%\"><p><strong>File information</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Registry key verification</strong></p></td><td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Windows 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"29%\"><p><strong>Security update file name</strong></p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td></tr><tr><td width=\"29%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td></tr><tr><td width=\"29%\"><p><strong>Installation switches</strong></p></td><td width=\"70%\"><p>See <a 
href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Restart requirement</strong></p></td><td width=\"70%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"29%\"><p><strong>Removal information</strong></p></td><td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"29%\"><p><strong>File information</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Registry key verification</strong></p></td><td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Windows RT 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"29%\"><p><strong>Deployment</strong></p></td><td width=\"71%\"><p>The 4012216 monthly rollup update is available via <a href=\"http://go.microsoft.com/fwlink/?LinkId=21130\"><u>Windows Update</u></a> only.</p></td></tr><tr><td width=\"29%\"><p><strong>Restart requirement</strong></p></td><td width=\"71%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"29%\"><p><strong>Removal information</strong></p></td><td width=\"71%\"><p>Click <strong>Control 
Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"29%\"><p><strong>File information</strong></p></td><td width=\"71%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a></p></td></tr></tbody></table><h3><strong>Windows Server 2012 and Windows Server 2012 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"29%\"><p><strong>Security update file name</strong></p></td><td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012214-x64.msu</strong><br/>Security only</p></td></tr><tr><td width=\"29%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012217-x64.msu</strong><br/>Monthly rollup</p></td></tr><tr><td width=\"29%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td></tr><tr><td width=\"29%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td></tr><tr><td width=\"29%\"><p><strong>Installation switches</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Restart requirement</strong></p></td><td width=\"70%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"29%\"><p><strong>Removal information</strong></p></td><td width=\"70%\"><p>To uninstall an 
update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"29%\"><p><strong>File information</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012214\"><u>Microsoft Knowledge Base article 4012214</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012217\"><u>Microsoft Knowledge Base article 4012217</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td></tr><tr><td width=\"29%\"><p><strong>Registry key verification</strong></p></td><td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Windows 10 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"30%\"><p><strong>Security update file name</strong></p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 10:<br/><strong>Windows10.0-KB4012606-x64.msu</strong></p></td></tr><tr><td width=\"30%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1511:<br/><strong>Windows10.0-KB4013198-x64.msu</strong></p></td></tr><tr><td width=\"30%\"><p>\u00a0</p></td><td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1607:<br/><strong>Windows10.0-KB4013429-x64.msu</strong></p></td></tr><tr><td width=\"30%\"><p><strong>Installation switches</strong></p></td><td width=\"70%\"><p>See <a 
href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td></tr><tr><td width=\"30%\"><p><strong>Restart requirement</strong></p></td><td width=\"70%\"><p>A system restart is required after you apply this security update.</p></td></tr><tr><td width=\"30%\"><p><strong>Removal information</strong></p></td><td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"30%\"><p><strong>File information</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><u>Windows 10 and Windows Server 2016 update history</u></a>.</p></td></tr><tr><td width=\"30%\"><p><strong>Registry key verification</strong></p></td><td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Windows Server 2016 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"30%\"><p><strong>Security update file name</strong></p></td><td width=\"70%\"><p>For all supported editions of Windows Server 2016:<br/><strong>Windows10.0-KB4013429-x64.msu</strong></p></td></tr><tr><td width=\"30%\"><p><strong>Installation switches</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td></tr><tr><td width=\"30%\"><p><strong>Restart requirement</strong></p></td><td width=\"70%\"><p>A system restart is required after you apply this 
security update.</p></td></tr><tr><td width=\"30%\"><p><strong>Removal information</strong></p></td><td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates.</p></td></tr><tr><td width=\"30%\"><p><strong>File information</strong></p></td><td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><u>Windows 10 and Windows Server 2016 update history</u></a>.</p></td></tr><tr><td width=\"30%\"><p><strong>Registry key verification</strong></p></td><td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update.</p></td></tr></tbody></table><p>\u00a0</p><p>\u00a0</p><h3><strong>Microsoft Office 2007 (all editions) and Other Software</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"182\"><p><strong>Security update file name</strong></p></td><td width=\"335\"><p><span>For Microsoft Office 2007 Service Pack 3:<br/><strong>ogl2007-kb3127945-fullfile-x86-glb.exe</strong></span></p></td></tr><tr><td width=\"182\"><p>\u00a0</p></td><td width=\"335\"><p><span>For Microsoft Office 2007 Service Pack 3:<br/><strong>usp102007-kb3141535-fullfile-x86-glb.exe</strong></span></p></td></tr><tr><td width=\"182\"><p>\u00a0</p></td><td width=\"335\"><p>For Microsoft Word Viewer:<br/><strong>office2003-kb3178693-fullfile-enu.exe</strong></p></td></tr><tr><td width=\"182\"><p>\u00a0</p></td><td width=\"335\"><p>For Microsoft Word Viewer:<br/><strong>office2003-kb3178653-fullfile-enu.exe</strong></p></td></tr><tr><td width=\"182\"><p><strong>Installation 
switches</strong></p></td><td width=\"335\"><p>See <a href=\"https://support.microsoft.com/kb/912203\"><u>Microsoft Knowledge Base article 912203</u></a></p></td></tr><tr><td width=\"182\"><p><strong>Restart requirement</strong></p></td><td width=\"335\"><p>In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.<br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/kb/887012\"><u>Microsoft Knowledge Base article 887012</u></a>.</p></td></tr><tr><td width=\"182\"><p><strong>Removal information</strong></p></td><td width=\"335\"><p>Use the <strong>Add or Remove Programs</strong> item in <strong>Control Panel</strong>.</p></td></tr><tr><td width=\"182\"><p><strong>File information</strong></p></td><td width=\"335\"><p>See <a href=\"https://support.microsoft.com/kb/3127945\"><u>Microsoft Knowledge Base article 3127945</u></a><br/>See <a href=\"https://support.microsoft.com/kb/3141535\"><u>Microsoft Knowledge Base article 3141535</u></a><br/>See <a href=\"https://support.microsoft.com/kb/3178693\"><u>Microsoft Knowledge Base article 3178693</u></a><br/>See <a href=\"https://support.microsoft.com/kb/3178653\"><u>Microsoft Knowledge Base article 3178653</u></a></p></td></tr><tr><td width=\"182\"><p><strong>Registry key verification</strong></p></td><td width=\"335\"><p>Not applicable</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Microsoft Office 2010 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td 
width=\"184\"><p><strong>Security update file name</strong></p></td><td width=\"333\"><p><span>For Microsoft Office 2010 Service Pack 2 (32-bit editions):<br/><strong>ogl2010-kb3127958-fullfile-x86-glb.exe</strong></span></p></td></tr><tr><td width=\"184\"><p>\u00a0</p></td><td width=\"333\"><p><span>For Microsoft Office 2010 Service Pack 2 (64-bit editions):<br/><strong>ogl2010-kb3127958-fullfile-x64-glb.exe</strong></span></p></td></tr><tr><td width=\"184\"><p>\u00a0</p></td><td width=\"333\"><p><span>For Microsoft Office 2010 Service Pack 2 (32-bit editions):<br/><strong>usp102010-kb3178688-fullfile-x86-glb.exe</strong></span></p></td></tr><tr><td width=\"184\"><p>\u00a0</p></td><td width=\"333\"><p><span>For Microsoft Office 2010 Service Pack 2 (64-bit editions):<br/><strong>usp102010-kb3178688-fullfile-x64-glb.exe</strong></span></p></td></tr><tr><td width=\"184\"><p><strong>Installation switches</strong></p></td><td width=\"333\"><p>See <a href=\"https://support.microsoft.com/kb/912203\"><u>Microsoft Knowledge Base article 912203</u></a></p></td></tr><tr><td width=\"184\"><p><strong>Restart requirement </strong></p></td><td width=\"333\"><p>In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.<br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. 
For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/kb/887012\"><u>Microsoft Knowledge Base article 887012</u></a>.</p></td></tr><tr><td width=\"184\"><p><strong>Removal information</strong></p></td><td width=\"333\"><p>Use the <strong>Add or Remove Programs</strong> item in <strong>Control Panel</strong>.</p></td></tr><tr><td width=\"184\"><p><strong>File information</strong></p></td><td width=\"333\"><p>See <a href=\"https://support.microsoft.com/kb/3127958\"><u>Microsoft Knowledge Base article 3127958</u></a><br/>See <a href=\"https://support.microsoft.com/kb/3178688\"><u>Microsoft Knowledge Base article 3178688</u></a></p></td></tr><tr><td width=\"184\"><p><strong>Registry key verification</strong></p></td><td width=\"333\"><p>Not applicable</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Microsoft Live Meeting 2007, Microsoft Lync 2010, Microsoft Lync 2010 Attendee, Microsoft Lync 2013 (Skype for Business), and Microsoft Lync Basic 2013 (Skype for Business Basic) </strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"25%\"><p><strong>Security update file name</strong></p></td><td width=\"74%\"><p>For Microsoft Live Meeting 2007 Console (4010303):<br/><strong>LMSetup.exe</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Live Meeting 2007 Add-in (4010304)<br/><strong>ConfAddins_Setup.exe</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 (32-bit) (4010299):<br/><strong>lync.msp</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 (64-bit) (4010299):<br/><strong>lync.msp</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 Attendee (user level install) 
(4010300):<br/><strong>AttendeeUser.msp</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 Attendee (admin level install) (4010301):<br/><strong>AttendeeAdmin.msp</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For all supported editions of Microsoft Lync 2013 (Skype for Business) (32-bit) and Microsoft Lync Basic 2013 (Skype for Business Basic) (32-bit):<br/><strong>lync2013-kb3172539-fullfile-x86-glb.exe</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For all supported editions of Microsoft Lync 2013 (Skype for Business) (64-bit) and Microsoft Lync Basic 2013 (Skype for Business Basic) (64-bit):<br/><strong>lync2013-kb3172539-fullfile-x64-glb.exe</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For all supported 32-bit editions of Skype for Business 2016 and Skype for Business Basic 2016:<br/><strong>lync2016-kb3178656-fullfile-x86-glb.exe</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For all supported 64-bit editions of Skype for Business Basic 2016:<br/><strong>lync2016-kb3178656-fullfile-x64-glb.exe</strong></p></td></tr><tr><td width=\"25%\"><p><strong>Installation switches</strong></p></td><td width=\"74%\"><p>See <a href=\"http://support.microsoft.com/kb/912203\"><u>Microsoft Knowledge Base article 912203</u></a></p></td></tr><tr><td width=\"25%\"><p><strong>Restart requirement</strong></p></td><td width=\"74%\"><p>In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.<br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. 
For more information about the reasons why you may be prompted to restart, see <a href=\"http://support.microsoft.com/kb/887012\"><u>Microsoft Knowledge Base article 887012</u></a>.</p></td></tr><tr><td width=\"25%\"><p><strong>Removal information</strong></p></td><td width=\"74%\"><p>Use the <strong>Add or Remove Programs</strong> item in Control Panel.</p></td></tr><tr><td width=\"25%\"><p><strong>File information</strong></p></td><td width=\"74%\"><p>For Microsoft Live Meeting 2007 Console:<br/>See <a href=\"http://support.microsoft.com/kb/4010303\"><u>Microsoft Knowledge Base article 4010303</u></a></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Live Meeting 2007 Add-In:<br/>See <a href=\"http://support.microsoft.com/kb/4010304\"><u>Microsoft Knowledge Base article 4010304</u></a></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For all supported editions of Microsoft Lync 2010:<br/>See <a href=\"http://support.microsoft.com/kb/4010299\"><u>Microsoft Knowledge Base article 4010299</u></a></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 Attendee (user level install):<br/>See <a href=\"http://support.microsoft.com/kb/4010300\"><u>Microsoft Knowledge Base article 4010300</u></a></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 Attendee (admin level install):<br/>See <a href=\"http://support.microsoft.com/kb/4010301\"><u>Microsoft Knowledge Base article 4010301</u></a></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic):<br/>See <a href=\"http://support.microsoft.com/kb/3172539\"><u>Microsoft Knowledge Base article 3172539</u></a></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Skype for Business 2016 and Skype for Business Basic 2016:<br/>See <a 
href=\"http://support.microsoft.com/kb/3178656\"><u>Microsoft Knowledge Base article 3178656</u></a></p></td></tr><tr><td width=\"25%\"><p><strong>Registry key verification</strong></p></td><td width=\"74%\"><p>For Microsoft Live Meeting 2007 Console:<br/>Not applicable</p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 (32-bit):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}<br/>Version = <strong>7577.4525</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 (64-bit):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}<br/>Version = <strong>7577.4525</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 Attendee (user level install):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}<br/>Version = <strong>7577.4525</strong></p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2010 Attendee (admin level install):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\94E53390F8C13794999249B19E6CFE33\\InstallProperties\\DisplayVersion = <strong>4.0.7577.4525</strong></p></td></tr><tr><td 
width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic):<br/>Not applicable</p></td></tr><tr><td width=\"25%\"><p>\u00a0</p></td><td width=\"74%\"><p>For Skype for Business 2016 and Skype for Business Basic 2016:<br/>Not applicable</p></td></tr></tbody></table><p>\u00a0</p><h3><strong>Silverlight 5 for Windows (all supported releases)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software.</p><table class=\"table\"><tbody><tr><td width=\"17%\"><p><strong>Security update file names</strong></p></td><td width=\"82%\"><p>For Microsoft Silverlight 5 when installed on all supported 32-bit releases of Microsoft Windows:<br/><strong>silverlight.exe</strong></p></td></tr><tr><td width=\"17%\"><p>\u00a0</p></td><td width=\"82%\"><p>For Microsoft Silverlight 5 Developer Runtime when installed on all supported 32-bit releases of Microsoft Windows:<br/><strong>silverlight_developer.exe</strong></p></td></tr><tr><td width=\"17%\"><p>\u00a0</p></td><td width=\"82%\"><p>For Microsoft Silverlight 5 when installed on all supported 64-bit releases of Microsoft Windows:<br/><strong>silverlight_x64.exe</strong></p></td></tr><tr><td width=\"17%\"><p>\u00a0</p></td><td width=\"82%\"><p>For Microsoft Silverlight 5 Developer Runtime when installed on all supported 64-bit releases of Microsoft Windows:<br/><strong>silverlight_developer_x64.exe</strong></p></td></tr><tr><td width=\"17%\"><p><strong>Installation switches</strong></p></td><td width=\"82%\"><p>See the <a href=\"http://download.microsoft.com/download/C/D/5/CD5AAAE3-21F7-47A8-B7D5-39E36BAF9AC8/Silverlight_Deployment_Guide.docx\"><u>Silverlight Enterprise Deployment Guide</u></a></p></td></tr><tr><td width=\"17%\"><p><strong>Restart requirement</strong></p></td><td width=\"82%\"><p>This update does not require a 
restart.</p></td></tr><tr><td width=\"17%\"><p><strong>Removal information</strong></p></td><td width=\"82%\"><p>Use the <strong>Add or Remove Programs</strong> item in Control Panel. (Note that the update cannot be removed without removing Silverlight.)</p></td></tr><tr><td width=\"17%\"><p><strong>File information</strong></p></td><td width=\"82%\"><p>See <a href=\"http://support.microsoft.com/kb/3193713\"><u>Microsoft Knowledge Base article 3193713</u></a></p></td></tr><tr><td width=\"17%\"><p><strong>Registry key verification</strong></p></td><td width=\"82%\"><p>For 32-bit installations of Microsoft Silverlight 5:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Silverlight \"Version\" = \"<span>5.1.</span>50905<span>.0</span>\"</p></td></tr><tr><td width=\"17%\"><p>\u00a0</p></td><td width=\"82%\"><p>For 64-bit installations of Microsoft Silverlight 5:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Silverlight \"Version\" = \"<span>5.1.50901.0</span>\"<br/>and<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Silverlight \"Version\" = \"<span>5.1.</span>50905<span>.0</span>\"</p></td></tr></tbody></table><h2>How to obtain help and support for this security update</h2><p>Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" managed-link=\"\">Support for Microsoft Update</a></p><p>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\">TechNet Security Troubleshooting and Support</a></p><p>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\">Virus Solution and Security Center</a></p><p>Local support according to your country: <a href=\"http://support.microsoft.com/\" managed-link=\"\">International Support</a></p></body></html>", "edition": 3, "modified": "2017-05-10T00:17:43", "id": "KB4013075", "href": "https://support.microsoft.com/en-us/help/4013075/", 
"published": "2017-03-14T00:00:00", "title": "MS17-013: Security Update for Microsoft Graphics Component: March 14, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:57", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows Graphics Device Interface (GDI) component\n due to improper handling of objects in memory. A local\n attacker can exploit these vulnerabilities, via a\n specially crafted application, to execute arbitrary code\n in kernel mode. (CVE-2017-0001, CVE-2017-0005,\n CVE-2017-0025, CVE-2017-0047)\n\n - Multiple remote code execution vulnerabilities exist in\n the Windows Graphics component due to improper handling\n of objects in memory. An unauthenticated, remote\n attacker can exploit these vulnerabilities, by\n convincing a user to visit a specially crafted web page\n or open a specially crafted document, to execute\n arbitrary code. (CVE-2017-0014, CVE-2017-0108)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) component due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted web page\n or open a specially crafted document, to disclose the\n contents of memory. (CVE-2017-0038)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows Graphics Device Interface (GDI) component\n due to improper handling of memory addresses. A local\n attacker can exploit these vulnerabilities, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0060, CVE-2017-0062,\n CVE-2017-0073)\n\n - Multiple information disclosure vulnerabilities exist in\n the Color Management Module (ICM32.dll) due to improper\n handling of objects in memory. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted web page, to disclose\n sensitive information and bypass usermode Address Space\n Layout Randomization (ASLR). (CVE-2017-0061,\n CVE-2017-0063)", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-03-17T00:00:00", "title": "MS17-013: Security Update for Microsoft Graphics Component (4013075)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0001", "CVE-2017-0073", "CVE-2017-0060", "CVE-2017-0025", "CVE-2017-0047", "CVE-2017-0061", "CVE-2017-0014", "CVE-2017-0063", "CVE-2017-0005", "CVE-2017-0038", "CVE-2017-0108", "CVE-2017-0062"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:skype_for_business", "cpe:/a:microsoft:lync_basic", "cpe:/o:microsoft:windows", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:silverlight", "cpe:/a:microsoft:office", "cpe:/a:microsoft:lync_attendee", "cpe:/a:microsoft:live_meeting_console", "cpe:/a:microsoft:lync"], "id": "SMB_NT_MS17-013.NASL", "href": "https://www.tenable.com/plugins/nessus/97794", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97794);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0001\",\n \"CVE-2017-0005\",\n \"CVE-2017-0014\",\n \"CVE-2017-0025\",\n \"CVE-2017-0038\",\n \"CVE-2017-0047\",\n \"CVE-2017-0060\",\n \"CVE-2017-0061\",\n \"CVE-2017-0062\",\n \"CVE-2017-0063\",\n \"CVE-2017-0073\",\n \"CVE-2017-0108\"\n );\n script_bugtraq_id(\n 96013,\n 96023,\n 96033,\n 96034,\n 96057,\n 96626,\n 96637,\n 96638,\n 96643,\n 96713,\n 96715,\n 96722\n );\n script_xref(name:\"MSFT\", value:\"MS17-013\");\n script_xref(name:\"MSKB\", value:\"3127945\");\n script_xref(name:\"MSKB\", value:\"3127958\");\n script_xref(name:\"MSKB\", value:\"3141535\");\n script_xref(name:\"MSKB\", value:\"3172539\");\n 
script_xref(name:\"MSKB\", value:\"3178653\");\n script_xref(name:\"MSKB\", value:\"3178656\");\n script_xref(name:\"MSKB\", value:\"3178688\");\n script_xref(name:\"MSKB\", value:\"3178693\");\n script_xref(name:\"MSKB\", value:\"4010096\");\n script_xref(name:\"MSKB\", value:\"4010299\");\n script_xref(name:\"MSKB\", value:\"4010300\");\n script_xref(name:\"MSKB\", value:\"4010301\");\n script_xref(name:\"MSKB\", value:\"4010303\");\n script_xref(name:\"MSKB\", value:\"4010304\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012497\");\n script_xref(name:\"MSKB\", value:\"4012583\");\n script_xref(name:\"MSKB\", value:\"4017018\");\n script_xref(name:\"MSKB\", value:\"4012584\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4013867\");\n script_xref(name:\"IAVA\", value:\"2017-A-0063\");\n\n script_name(english:\"MS17-013: Security Update for Microsoft Graphics Component (4013075)\");\n script_summary(english:\"Checks the version of win32k.sys or the installed rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows Graphics Device Interface (GDI) component\n due to improper handling of objects in memory. 
A local\n attacker can exploit these vulnerabilities, via a\n specially crafted application, to execute arbitrary code\n in kernel mode. (CVE-2017-0001, CVE-2017-0005,\n CVE-2017-0025, CVE-2017-0047)\n\n - Multiple remote code execution vulnerabilities exist in\n the Windows Graphics component due to improper handling\n of objects in memory. An unauthenticated, remote\n attacker can exploit these vulnerabilities, by\n convincing a user to visit a specially crafted web page\n or open a specially crafted document, to execute\n arbitrary code. (CVE-2017-0014, CVE-2017-0108)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) component due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted web page\n or open a specially crafted document, to disclose the\n contents of memory. (CVE-2017-0038)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows Graphics Device Interface (GDI) component\n due to improper handling of memory addresses. A local\n attacker can exploit these vulnerabilities, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0060, CVE-2017-0062,\n CVE-2017-0073)\n\n - Multiple information disclosure vulnerabilities exist in\n the Color Management Module (ICM32.dll) due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted web page, to disclose\n sensitive information and bypass usermode Address Space\n Layout Randomization (ASLR). 
(CVE-2017-0061,\n CVE-2017-0063)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-013\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016.\nAdditionally, Microsoft has released a set of patches for Office 2007,\nOffice 2010, Word Viewer, Skype for Business 2016, Lync 2010, Lync\n2010 Attendee, Lync 2013, Lync Basic 2013, Live Meeting 2007 Console,\nand Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0108\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:live_meeting_console\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:lync_basic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync_attendee\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:skype_for_business\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"silverlight_detect.nasl\", \"microsoft_lync_server_installed.nasl\", \"smb_hotfixes.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nkbs = make_list('3127945',\n '3127958',\n '3141535',\n '3172539',\n '3178653',\n '3178656',\n '3178688',\n '3178693',\n '4010096',\n '4010299',\n '4010300',\n '4010301',\n '4010303',\n '4010304',\n '4012212',\n '4012213',\n '4012214',\n '4012215',\n '4012216',\n '4012217',\n '4012497',\n '4012583',\n '4017018',\n '4012584',\n '4012606',\n '4013198',\n '4013429',\n '4013867'\n);\n\nbulletin = 'MS17-013';\ncommon_office_path = '';\n\nfunction perform_office_checks() {\n local_var office_vers, office_sp, common_path, path, prod, kb, vuln, installs;\n office_vers = hotfix_check_office_version();\n vuln = 0;\n # Office 2003 checks\n if (office_vers[\"11.0\"])\n {\n 
local_var wvchecks = {\n \"11.0\": {\"version\" : \"11.0.8440.0\",\n \"kb\" : \"3178693\"}\n };\n\n # check if Word Viewer is installed\n installs = get_kb_list(\"SMB/Office/WordViewer/*/ProductPath\");\n\n # install checks only if found\n if (keys(installs))\n {\n if (hotfix_check_office_product(product:\"WordViewer\",\n display_name:\"Word Viewer\",\n checks:wvchecks,\n bulletin:bulletin))\n vuln++;\n\n # word viewer DLL check in common files dir\n common_path = hotfix_get_officecommonfilesdir(officever:\"11.0\");\n path = hotfix_append_path(path:common_path, value:\"Microsoft Shared\\Office11\");\n if (hotfix_check_fversion(file:\"usp10.dll\",\n version:\"1.0626.6002.24058\",\n min_version:\"1.0.0.0\",\n path:path,\n bulletin:bulletin,\n kb:\"3178653\",\n product:\"Microsoft Word Viewer\") == HCF_OLDER)\n vuln++;\n }\n }\n # Office 2007 checks\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n prod = \"Microsoft Office 2007 SP3\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"12.0\");\n path = hotfix_append_path(path:common_path, value:\"Microsoft Shared\\Office12\");\n if (hotfix_check_fversion(file:\"ogl.dll\",\n version:\"12.0.6764.5000\",\n min_version:\"12.0.0.0\",\n path:path,\n bulletin:bulletin,\n kb:\"3127945\",\n product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:\"usp10.dll\",\n version:\"1.0626.6002.24058\",\n min_version:\"1.0.0.0\",\n path:path,\n bulletin:bulletin,\n kb:\"3141535\",\n product:prod) == HCF_OLDER)\n vuln++;\n path = common_path + \"\\Live Meeting 8\\Addins\\\";\n if (hotfix_check_fversion(file:\"LMAddins.dll\",\n version:\"8.0.6362.264\",\n min_version:\"8.0.0.0\",\n path:path,\n bulletin:bulletin,\n kb:\"4010304\",\n product: \"Live Meeting 2007 Add-in\") == HCF_OLDER)\n vuln ++;\n } # end of SP3 checks\n } # end of Office 2007 checks\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if 
(!isnull(office_sp) && office_sp == 2)\n {\n prod = \"Microsoft Office 2010 SP2\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"14.0\");\n path = hotfix_append_path(path:common_path, value:\"Microsoft Shared\\Office14\");\n if ((hotfix_check_fversion(file:\"ogl.dll\",\n version:\"14.0.7179.5000\",\n min_version:\"14.0.0.0\",\n path:path,\n bulletin:bulletin,\n kb:\"3127958\",\n product:prod) == HCF_OLDER) ||\n (hotfix_check_fversion(file:\"usp10.dll\",\n version:\"1.0626.7601.23668\",\n min_version:\"1.0.0.0\",\n path:path,\n bulletin:bulletin,\n kb:\"3178688\",\n product:prod) == HCF_OLDER))\n vuln++;\n } # end sp2\n\n } # end office 2010`\n return vuln;\n}\n\nfunction lync_is_vuln()\n{\n local_var vuln, lync_count, lync_installs, lync_install;\n local_var lync = \"Microsoft Lync\";\n lync_count = get_install_count(app_name:lync);\n vuln = 0;\n if (int(lync_count) <= 0)\n return FALSE;\n\n lync_installs = get_installs(app_name:lync);\n\n foreach (lync_install in lync_installs[1])\n {\n if ((\"Live Meeting 2007 Console\" >< lync_install[\"Product\"]) &&\n (hotfix_check_fversion(file:\"pubutil.dll\",\n version:\"8.0.6362.264\",\n min_version:\"8.0.0.0\",\n path:lync_install[\"path\"],\n bulletin:bulletin,\n kb:\"4010303\",\n product:\"Live Meeting 2007 Console\") == HCF_OLDER))\n vuln++;\n # the same check works for both Microsoft Lync 2010 and\n # Microsoft Lync 2010 Attendee (Ocpptview.dll, v.4.0.7577.4525)\n if ((\"Microsoft Lync 2010\" >< lync_install[\"Product\"]) &&\n (hotfix_check_fversion(file:\"Ocpptview.dll\",\n version:\"4.0.7577.4525\",\n min_version:\"4.0.0.0\",\n path:lync_install[\"path\"],\n kb:\"4010299\",\n product:\"Microsoft Lync 2010\") == HCF_OLDER))\n vuln++;\n if ((lync_install[\"version\"] =~ \"^4\\.0\\.\" && \"Server\" >!< lync_install[\"Product\"]\n && \"Attendee\" >< lync_install[\"Product\"]))\n {\n if(\"user level\" >< lync_install[\"Product\"] &&\n hotfix_check_fversion(file:\"MeetingJoinAxAOC.DLL\",\n 
version:\"4.0.7577.4525\",\n min_version:\"4.0.0.0\",\n path:lync_install[\"path\"],\n kb:\"4010300\",\n product:\"Microsoft Lync 2010 Attendee\") == HCF_OLDER)\n vuln++;\n else if (hotfix_check_fversion(file:\"MeetingJoinAxAOC.DLL\",\n version:\"4.0.7577.4525\",\n min_version:\"4.0.0.0\",\n path:lync_install[\"path\"],\n kb:\"4010301\",\n product:\"Microsoft Lync 2010 Attendee\") == HCF_OLDER)\n vuln++;\n }\n if(\"Microsoft Lync\" >< lync_install[\"Product\"] && lync_install[\"version\"] =~ \"^15\\.\" &&\n (hotfix_check_fversion(file:\"Lync.exe\",\n version:\"15.0.4911.1000\",\n min_version:\"15.0.0.0\",\n path:lync_install[\"path\"],\n kb:\"3172539\",\n product:\"Microsoft Lync 2013\") == HCF_OLDER))\n vuln++;\n # Skype for business\n if ((lync_install[\"version\"] =~ \"^16\\.0\\.\" && \"Server\" >!< lync_install[\"Product\"]) &&\n (hotfix_check_fversion(file:\"Lync.exe\",\n version:\"16.0.4510.1000\",\n min_version:\"16.0.0.0\",\n path:lync_install[\"path\"],\n kb:\"3178656\",\n product:\"Skype for Business 2016\") == HCF_OLDER))\n vuln++;\n }\n\n return vuln;\n}\n\nfunction silverlight_is_vuln()\n{\n local_var silver, path, report, fix;\n local_var vuln = 0;\n silver = get_kb_item(\"SMB/Silverlight/Version\");\n if (!isnull(silver) && silver =~ \"^5\\.\")\n {\n fix = \"5.1.50905.0\";\n if (ver_compare(ver:silver, fix:fix) == -1)\n {\n path = get_kb_item(\"SMB/Silverlight/Path\");\n if (isnull(path)) path = 'n/a';\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + silver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(report, bulletin:bulletin, kb:\"4013867\");\n vuln++;\n }\n }\n return vuln;\n}\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# double check this\nif (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'2', win7:'1', 
win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nwin_8 = (\"Windows 8\" >< productname && \"8.1\" >!< productname);\n\nvuln = 0;\nvuln += lync_is_vuln();\nvuln += perform_office_checks();\nvuln += silverlight_is_vuln();\n\nif (\n # Windows XP SP3 (x86)\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"gdi32.dll\", version:\"5.1.2600.7209\", min_version:\"5.1.2600.5000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4012583\", arch:\"x86\") ||\n # Windows Server 2003 SP2 (x64) / Windows XP SP2 (x64)\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"gdi32.dll\", version:\"5.2.3790.6022\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4012583\", arch:\"x64\") ||\n\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Gdi32.dll\", version:\"6.0.6002.24081\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4017018\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Gdi32.dll\", version:\"6.0.6002.19758\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4017018\") ||\n hotfix_is_vulnerable(os:'6.0', sp:2, file:'Icm32.dll', version:'6.0.6002.24065', min_version:'6.0.6002.23000', dir:\"\\system32\", bulletin:bulletin, kb:\"4012584\") ||\n hotfix_is_vulnerable(os:'6.0', sp:2, file:'Icm32.dll', version:'6.0.6002.19741', min_version:'6.0.6002.18000', dir:\"\\system32\", bulletin:bulletin, kb:\"4012584\") ||\n hotfix_is_vulnerable(os:'6.0', sp:2, file:'Win32k.sys', version:'6.0.6002.24065', min_version:'6.0.6002.23000', dir:\"\\system32\", bulletin:bulletin, kb:\"4012497\") ||\n hotfix_is_vulnerable(os:'6.0', sp:2, file:'Win32k.sys', version:'6.0.6002.19741', min_version:'6.0.6002.18000', dir:\"\\system32\", bulletin:bulletin, kb:\"4012497\") ||\n\n # 
Windows 8\n hotfix_is_vulnerable(os:'6.2', file:'gdiplus.dll', version:'6.2.9200.22082', min_version:'6.2.9200.17000', dir:\"\\system32\", bulletin:bulletin, kb:\"4012583\") ||\n\n # 7 SP1 / 2008 R2 SP1\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # 8.1 / 2012 R2\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date: \"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4012213, 4012216)) ||\n # 2012\n (smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date: \"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4012214, 4012217)) &&\n (!win_8) # must be 2012, not Win 8 to check rollup\n ) ||\n # 2012 R2\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date: \"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4012213, 4012216)) ||\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4012606)) ||\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4013198)) ||\n # 10 (1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"03_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4013429)) ||\n vuln\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-08T23:26:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0001", "CVE-2017-0073", "CVE-2017-0060", "CVE-2017-0025", "CVE-2017-0047", "CVE-2017-0061", "CVE-2017-0014", "CVE-2017-0063", "CVE-2017-0005", "CVE-2017-0038", "CVE-2017-0108", "CVE-2017-0062"], "description": "This host is missing a critical security\n 
update according to Microsoft Bulletin MS17-013.", "modified": "2020-06-04T00:00:00", "published": "2017-03-15T00:00:00", "id": "OPENVAS:1361412562310810811", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810811", "type": "openvas", "title": "Microsoft Graphics Component Multiple Vulnerabilities (4013075)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Graphics Component Multiple Vulnerabilities (4013075)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810811\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0001\", \"CVE-2017-0005\", \"CVE-2017-0025\", \"CVE-2017-0047\",\n \"CVE-2017-0060\", \"CVE-2017-0062\", \"CVE-2017-0073\", \"CVE-2017-0061\",\n \"CVE-2017-0063\", \"CVE-2017-0038\", \"CVE-2017-0108\", \"CVE-2017-0014\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:04:14 +0530 (Wed, 15 Mar 2017)\");\n script_name(\"Microsoft Graphics Component Multiple Vulnerabilities (4013075)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-013.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to\n\n - The way the Windows Graphics Device Interface (GDI) handles objects in memory.\n\n - The Windows GDI component improperly discloses the contents of its memory.\n\n - The way that the Color Management Module (ICM32.dll) handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to perform remote code execution, gain access to potentially sensitive\n information and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8 x86/x64\n\n - Microsoft Windows XP SP2 
x64 / SP3 x86\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows 10/1511/1607 x32/x64\n\n - Microsoft Windows Server 2012/2012R2/2016\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1\n\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/4013075\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-013\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win7:2, win7x64:2, win2008:3, win2008r2:2,\n win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1,\n win10x64:1, win2016:1, win8:1, win8x64:1, xp:4, xpx64:3, win2003:3,\n win2003x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nuspVer = fetch_file_version(sysPath:sysPath, file_name:\"Usp10.dll\");\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nicmVer = fetch_file_version(sysPath:sysPath, file_name:\"icm32.dll\");\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"gdi32.dll\");\n\nif(!uspVer && !winVer && 
!icmVer && !gdiVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n ## Presently GDR information is not available.\n if(winVer && version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(winVer && version_is_less(version:winVer, test_version:\"6.0.6002.19741\"))\n {\n Vulnerable_range = \"Less than 6.0.6002.19741\";\n VULN = TRUE ;\n }\n\n else if(winVer && version_in_range(version:winVer, test_version:\"6.0.6002.24000\", test_version2:\"6.0.6002.24064\"))\n {\n Vulnerable_range = \"6.0.6002.24000 - 6.0.6002.24064\";\n VULN = TRUE ;\n }\n\n else if(uspVer && version_is_less(version:uspVer, test_version:\"1.626.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 1.626.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(uspVer && version_in_range(version:uspVer, test_version:\"1.626.6002.24000\", test_version2:\"1.626.6002.24066\"))\n {\n Vulnerable_range1 = \"1.626.6002.24000 - 1.626.6002.24066\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(winVistax64:3, win2008x64:3) > 0)\n{\n if(icmVer && version_is_less(version:icmVer, test_version:\"6.0.6002.19741\"))\n {\n Vulnerable_range2 = \"Less than 6.0.6002.19741\";\n VULN2 = TRUE ;\n }\n\n else if(icmVer && version_in_range(version:icmVer, test_version:\"6.0.6002.24000\", test_version2:\"6.0.6002.24064\"))\n {\n Vulnerable_range2 = \"6.0.6002.24000 - 6.0.6002.24064\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0)\n{\n if(winVer && version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n}\n\n## Win 8.1 and win2012R2\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(winVer && version_is_less(version:winVer, test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n 
}\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n if(winVer && version_is_less(version:winVer, test_version:\"10.0.10240.16384\") )\n {\n Vulnerable_range = \"Less than 10.0.10240.16384\";\n VULN = TRUE;\n }\n\n else if(winVer && version_in_range(version:winVer, test_version:\"10.0.10586.0\", test_version2:\"10.0.10586.19\"))\n {\n Vulnerable_range = \"10.0.10586.0 - 10.0.10586.19\";\n VULN = TRUE ;\n }\n\n else if( winVer && version_in_range(version:winVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.593\"))\n {\n Vulnerable_range = \"10.0.14393.0 - 10.0.14393.593\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n if(gdiVer && version_is_less(version:gdiVer, test_version:\"5.1.2600.7209\"))\n {\n Vulnerable_range3 = \"Less than 5.1.2600.7209\";\n VULN3 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n{\n if(gdiVer && version_is_less(version:gdiVer, test_version:\"5.2.3790.6022\"))\n {\n Vulnerable_range3 = \"Less than 5.2.3790.6022\";\n VULN3 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n{\n if(gdiVer && version_is_less(version:gdiVer, test_version:\"6.2.9200.22084\"))\n {\n Vulnerable_range3 = \"Less than 6.2.9200.22084\";\n VULN3 = TRUE ;\n }\n}\n\n\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\Usp10.dll\" + '\\n' +\n 'File version: ' + uspVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\icm32.dll\" + '\\n' +\n 'File version: ' + icmVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN3)\n{\n report = 'File checked: 
' + sysPath + \"\\gdi32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range3 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:53:03", "bulletinFamily": "info", "cvelist": ["CVE-2017-0099", "CVE-2017-0008", "CVE-2017-0101", "CVE-2017-0118", "CVE-2017-0084", "CVE-2017-0117", "CVE-2017-0001", "CVE-2017-0055", "CVE-2017-0073", "CVE-2017-0045", "CVE-2017-0102", "CVE-2017-0125", "CVE-2017-0090", "CVE-2017-0104", "CVE-2017-0089", "CVE-2017-0091", "CVE-2017-0115", "CVE-2017-0096", "CVE-2017-0121", "CVE-2017-0040", "CVE-2017-0050", "CVE-2017-0144", "CVE-2017-0060", "CVE-2017-0116", "CVE-2017-0009", "CVE-2017-0120", "CVE-2017-0025", "CVE-2017-0075", "CVE-2017-0086", "CVE-2017-0124", "CVE-2017-0109", "CVE-2017-0148", "CVE-2017-0119", "CVE-2017-0126", "CVE-2017-0130", "CVE-2017-0113", "CVE-2017-0097", "CVE-2017-0147", "CVE-2017-0112", "CVE-2017-0083", "CVE-2017-0042", "CVE-2017-0047", "CVE-2017-0056", "CVE-2017-0087", "CVE-2017-0123", "CVE-2017-0092", "CVE-2017-0085", "CVE-2017-0103", "CVE-2017-0043", "CVE-2017-0061", "CVE-2017-0014", "CVE-2017-0100", "CVE-2017-0122", "CVE-2017-0063", "CVE-2017-0005", "CVE-2017-0088", "CVE-2017-0128", "CVE-2017-0072", "CVE-2017-0114", "CVE-2017-0146", "CVE-2017-0076", "CVE-2017-0111", "CVE-2017-0038", "CVE-2017-0143", "CVE-2017-0149", "CVE-2017-0108", "CVE-2017-0059", "CVE-2017-0039", "CVE-2017-0062", "CVE-2017-0145", "CVE-2017-0022", "CVE-2017-0127"], "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information, and cause denial of service.\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:\n\n### *Affected products*:\nMicrosoft Silverlight 5 when installed on Microsoft Windows (x64-based) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Vista x64 Edition Service Pack 2 \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nSkype for Business 2016 (64-bit) \nWindows 8.1 for x64-based systems \nWindows 8.1 for 32-bit systems \nWindows Vista Service Pack 2 \nMicrosoft XML Core Services 3.0 \nMicrosoft Lync 2013 Service Pack 1 (64-bit) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nMicrosoft Lync Basic 2013 Service Pack 1 (64-bit) \nWindows Server 2016 \nMicrosoft Lync 2010 Attendee (admin level install) \nSkype for Business 2016 Basic (32-bit) \nMicrosoft Live Meeting 2007 Add-in \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows RT 8.1 \nSkype for Business 2016 (32-bit) \nMicrosoft Lync 2010 Attendee (user level install) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nMicrosoft Lync 2010 (64-bit) \nMicrosoft Office Word Viewer \nMicrosoft Live Meeting 2007 Console \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (32-bit) \nMicrosoft Edge (EdgeHTML-based) \nWindows Server 2008 R2 for x64-based Systems 
Service Pack 1 (Server Core installation) \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (x64-based) \nMicrosoft Office 2007 Service Pack 3 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nSkype for Business 2016 Basic (64-bit) \nMicrosoft Lync Basic 2013 Service Pack 1 (32-bit) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nMicrosoft Lync 2010 (32-bit) \nMicrosoft Silverlight 5 when installed on Microsoft Windows (32-bit) \nWindows Server 2012 R2 \nMicrosoft Lync 2013 Service Pack 1 (32-bit)\n\n### *Solution*:\nInstall necessary updates from the KB section that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0108](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0108>) \n[CVE-2017-0109](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0109>) \n[CVE-2017-0072](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0072>) \n[CVE-2017-0100](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0100>) \n[CVE-2017-0101](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0101>) \n[CVE-2017-0102](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0102>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0143>) \n[CVE-2017-0104](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0104>) \n[CVE-2017-0022](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0022>) 
\n[CVE-2017-0001](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0001>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0145>) \n[CVE-2017-0120](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0120>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0147>) \n[CVE-2017-0005](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0005>) \n[CVE-2017-0127](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0127>) \n[CVE-2017-0124](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0124>) \n[CVE-2017-0125](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0125>) \n[CVE-2017-0009](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0009>) \n[CVE-2017-0008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0008>) \n[CVE-2017-0047](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0047>) \n[CVE-2017-0060](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0060>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0148>) \n[CVE-2017-0061](<https://nvd.nist.gov/vuln/detail/CVE-2017-0061>) \n[CVE-2017-0043](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0043>) \n[CVE-2017-0042](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0042>) \n[CVE-2017-0045](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0045>) \n[CVE-2017-0119](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0119>) \n[CVE-2017-0062](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0062>) \n[CVE-2017-0149](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0149>) 
\n[CVE-2017-0099](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0099>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0144>) \n[CVE-2017-0040](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0040>) \n[CVE-2017-0090](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0090>) \n[CVE-2017-0091](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0091>) \n[CVE-2017-0096](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0096>) \n[CVE-2017-0097](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0097>) \n[CVE-2017-0038](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0038>) \n[CVE-2017-0039](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0039>) \n[CVE-2017-0103](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0103>) \n[CVE-2017-0063](<https://nvd.nist.gov/vuln/detail/CVE-2017-0063>) \n[CVE-2017-0118](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0118>) \n[CVE-2017-0117](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0117>) \n[CVE-2017-0116](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0116>) \n[CVE-2017-0115](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0115>) \n[CVE-2017-0114](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0114>) \n[CVE-2017-0113](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0113>) \n[CVE-2017-0112](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0112>) \n[CVE-2017-0111](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0111>) \n[CVE-2017-0092](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0092>) 
\n[CVE-2017-0076](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0076>) \n[CVE-2017-0014](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0014>) \n[CVE-2017-0059](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0059>) \n[CVE-2017-0056](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0056>) \n[CVE-2017-0055](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0055>) \n[CVE-2017-0050](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0050>) \n[CVE-2017-0123](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0123>) \n[CVE-2017-0122](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0122>) \n[CVE-2017-0073](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0073>) \n[CVE-2017-0075](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0075>) \n[CVE-2017-0025](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0025>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0146>) \n[CVE-2017-0128](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0128>) \n[CVE-2017-0089](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0089>) \n[CVE-2017-0088](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0088>) \n[CVE-2017-0121](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0121>) \n[CVE-2017-0130](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0130>) \n[CVE-2017-0126](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0126>) \n[CVE-2017-0083](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0083>) 
\n[CVE-2017-0085](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0085>) \n[CVE-2017-0084](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0084>) \n[CVE-2017-0087](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0087>) \n[CVE-2017-0086](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0086>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-0042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0042>)0.0Unknown \n[CVE-2017-0096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0096>)0.0Unknown \n[CVE-2017-0097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0097>)0.0Unknown \n[CVE-2017-0099](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0099>)0.0Unknown \n[CVE-2017-0109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0109>)0.0Unknown \n[CVE-2017-0075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0075>)0.0Unknown \n[CVE-2017-0076](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0076>)0.0Unknown \n[CVE-2017-0055](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0055>)0.0Unknown \n[CVE-2017-0102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0102>)0.0Unknown \n[CVE-2017-0103](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0103>)0.0Unknown \n[CVE-2017-0101](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0101>)0.0Unknown \n[CVE-2017-0050](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0050>)0.0Unknown \n[CVE-2017-0056](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0056>)0.0Unknown \n[CVE-2017-0043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0043>)0.0Unknown \n[CVE-2017-0045](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0045>)0.0Unknown 
\n[CVE-2017-0022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0022>)0.0Unknown \n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>)0.0Unknown \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)0.0Unknown \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>)0.0Unknown \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>)0.0Unknown \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>)0.0Unknown \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>)0.0Unknown \n[CVE-2017-0014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0014>)0.0Unknown \n[CVE-2017-0060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0060>)0.0Unknown \n[CVE-2017-0061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0061>)0.0Unknown \n[CVE-2017-0062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0062>)0.0Unknown \n[CVE-2017-0063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0063>)0.0Unknown \n[CVE-2017-0025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0025>)0.0Unknown \n[CVE-2017-0073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0073>)0.0Unknown \n[CVE-2017-0108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0108>)0.0Unknown \n[CVE-2017-0038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0038>)0.0Unknown \n[CVE-2017-0001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0001>)0.0Unknown \n[CVE-2017-0005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0005>)0.0Unknown \n[CVE-2017-0047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0047>)0.0Unknown \n[CVE-2017-0072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0072>)0.0Unknown \n[CVE-2017-0083](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0083>)0.0Unknown 
\n[CVE-2017-0084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0084>)0.0Unknown \n[CVE-2017-0085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0085>)0.0Unknown \n[CVE-2017-0086](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0086>)0.0Unknown \n[CVE-2017-0087](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0087>)0.0Unknown \n[CVE-2017-0088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0088>)0.0Unknown \n[CVE-2017-0089](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0089>)0.0Unknown \n[CVE-2017-0090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0090>)0.0Unknown \n[CVE-2017-0091](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0091>)0.0Unknown \n[CVE-2017-0092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0092>)0.0Unknown \n[CVE-2017-0111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0111>)0.0Unknown \n[CVE-2017-0112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0112>)0.0Unknown \n[CVE-2017-0113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0113>)0.0Unknown \n[CVE-2017-0114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0114>)0.0Unknown \n[CVE-2017-0115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0115>)0.0Unknown \n[CVE-2017-0116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0116>)0.0Unknown \n[CVE-2017-0117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0117>)0.0Unknown \n[CVE-2017-0118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0118>)0.0Unknown \n[CVE-2017-0119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0119>)0.0Unknown \n[CVE-2017-0120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0120>)0.0Unknown \n[CVE-2017-0121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0121>)0.0Unknown \n[CVE-2017-0122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0122>)0.0Unknown 
\n[CVE-2017-0123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0123>)0.0Unknown \n[CVE-2017-0124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0124>)0.0Unknown \n[CVE-2017-0125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0125>)0.0Unknown \n[CVE-2017-0126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0126>)0.0Unknown \n[CVE-2017-0127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0127>)0.0Unknown \n[CVE-2017-0128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0128>)0.0Unknown \n[CVE-2017-0009](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0009>)0.0Unknown \n[CVE-2017-0059](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0059>)0.0Unknown \n[CVE-2017-0130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0130>)0.0Unknown \n[CVE-2017-0149](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0149>)0.0Unknown \n[CVE-2017-0008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0008>)0.0Unknown \n[CVE-2017-0040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0040>)0.0Unknown \n[CVE-2017-0100](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0100>)0.0Unknown \n[CVE-2017-0104](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0104>)0.0Unknown \n[CVE-2017-0039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0039>)0.0Unknown\n\n### *KB list*:\n[4012204](<http://support.microsoft.com/kb/4012204>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[3211306](<http://support.microsoft.com/kb/3211306>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012598](<http://support.microsoft.com/kb/4012598>) \n[4012583](<http://support.microsoft.com/kb/4012583>) \n[3217587](<http://support.microsoft.com/kb/3217587>) \n[4012021](<http://support.microsoft.com/kb/4012021>) \n[4012373](<http://support.microsoft.com/kb/4012373>) \n[4012497](<http://support.microsoft.com/kb/4012497>) 
\n[4017018](<http://support.microsoft.com/kb/4017018>) \n[4012584](<http://support.microsoft.com/kb/4012584>) \n[3218362](<http://support.microsoft.com/kb/3218362>) \n[4011981](<http://support.microsoft.com/kb/4011981>) \n[3217882](<http://support.microsoft.com/kb/3217882>) \n[3214051](<http://support.microsoft.com/kb/3214051>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2017-03-14T00:00:00", "id": "KLA11902", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11902", "title": "KLA11902 Multiple vulnerabilities in Microsoft Products (ESU)", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-03T07:12:30", "bulletinFamily": "info", "cvelist": ["CVE-2017-0098", "CVE-2017-0099", "CVE-2017-0008", "CVE-2017-0101", "CVE-2017-0078", "CVE-2017-0118", "CVE-2017-0051", "CVE-2017-0084", "CVE-2017-0117", "CVE-2017-0081", "CVE-2017-0001", "CVE-2017-0080", "CVE-2017-0055", "CVE-2017-0073", "CVE-2017-0045", "CVE-2017-0102", "CVE-2017-0125", "CVE-2017-0021", "CVE-2017-0090", "CVE-2017-0104", "CVE-2017-0089", "CVE-2017-0091", "CVE-2017-0115", "CVE-2017-0096", "CVE-2017-0024", "CVE-2017-0121", "CVE-2017-0050", "CVE-2017-0144", "CVE-2017-0060", "CVE-2017-0116", "CVE-2017-0082", "CVE-2017-0120", "CVE-2017-0007", "CVE-2017-0025", "CVE-2017-0075", "CVE-2017-0086", "CVE-2017-0016", "CVE-2017-0124", "CVE-2017-0109", "CVE-2017-0148", "CVE-2017-0119", "CVE-2017-0126", "CVE-2017-0130", "CVE-2017-0113", "CVE-2017-0097", "CVE-2017-0147", "CVE-2017-0112", "CVE-2017-0083", "CVE-2017-0047", "CVE-2017-0057", "CVE-2017-0095", "CVE-2017-0056", "CVE-2017-0087", "CVE-2017-0079", "CVE-2017-0123", "CVE-2017-0092", "CVE-2017-0026", "CVE-2017-0085", "CVE-2017-0103", "CVE-2017-0043", "CVE-2017-0061", "CVE-2017-0014", "CVE-2017-0100", "CVE-2017-0122", "CVE-2017-0063", "CVE-2017-0005", "CVE-2017-0088", "CVE-2017-0128", "CVE-2017-0072", "CVE-2017-0114", "CVE-2017-0146", 
"CVE-2017-0076", "CVE-2017-0111", "CVE-2017-0074", "CVE-2017-0038", "CVE-2017-0143", "CVE-2017-0108", "CVE-2017-0039", "CVE-2017-0062", "CVE-2017-0145", "CVE-2017-0022", "CVE-2017-0127"], "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, gain privileges, obtain sensitive information and cause a denial of service.\n\n### *Affected products*:\nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS17-012](<https://technet.microsoft.com/library/security/MS17-012>) \n[CVE-2017-0051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0051>) \n[CVE-2017-0021](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0021>) \n[CVE-2017-0095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0095>) \n[CVE-2017-0096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0096>) \n[CVE-2017-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0097>) \n[CVE-2017-0098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0098>) \n[CVE-2017-0099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0099>) \n[CVE-2017-0109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0109>) 
\n[CVE-2017-0074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0074>) \n[CVE-2017-0075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0075>) \n[CVE-2017-0076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0076>) \n[CVE-2017-0055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0055>) \n[CVE-2017-0102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0102>) \n[CVE-2017-0103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0103>) \n[CVE-2017-0101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0101>) \n[CVE-2017-0050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0050>) \n[CVE-2017-0056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0056>) \n[CVE-2017-0024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0024>) \n[CVE-2017-0026](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0026>) \n[CVE-2017-0078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0078>) \n[CVE-2017-0079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0079>) \n[CVE-2017-0080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0080>) \n[CVE-2017-0081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0081>) \n[CVE-2017-0082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0082>) \n[CVE-2017-0043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0043>) \n[CVE-2017-0045](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0045>) \n[CVE-2017-0022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0022>) 
\n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n[CVE-2017-0014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0014>) \n[CVE-2017-0060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0060>) \n[CVE-2017-0061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0061>) \n[CVE-2017-0062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0062>) \n[CVE-2017-0063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0063>) \n[CVE-2017-0025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0025>) \n[CVE-2017-0073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0073>) \n[CVE-2017-0108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0108>) \n[CVE-2017-0038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0038>) \n[CVE-2017-0001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) \n[CVE-2017-0005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0005>) \n[CVE-2017-0047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0047>) \n[CVE-2017-0072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0072>) 
\n[CVE-2017-0083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0083>) \n[CVE-2017-0084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0084>) \n[CVE-2017-0085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0085>) \n[CVE-2017-0086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0086>) \n[CVE-2017-0087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0087>) \n[CVE-2017-0088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0088>) \n[CVE-2017-0089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0089>) \n[CVE-2017-0090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0090>) \n[CVE-2017-0091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0091>) \n[CVE-2017-0092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0092>) \n[CVE-2017-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0111>) \n[CVE-2017-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0112>) \n[CVE-2017-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0113>) \n[CVE-2017-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0114>) \n[CVE-2017-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0115>) \n[CVE-2017-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0116>) \n[CVE-2017-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0117>) \n[CVE-2017-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0118>) \n[CVE-2017-0119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0119>) 
\n[CVE-2017-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0120>) \n[CVE-2017-0121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0121>) \n[CVE-2017-0122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0122>) \n[CVE-2017-0123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0123>) \n[CVE-2017-0124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0124>) \n[CVE-2017-0125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0125>) \n[CVE-2017-0126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0126>) \n[CVE-2017-0127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0127>) \n[CVE-2017-0128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0128>) \n[CVE-2017-0130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0130>) \n[CVE-2017-0008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0008>) \n[CVE-2017-0057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0057>) \n[CVE-2017-0100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0100>) \n[CVE-2017-0104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0104>) \n[CVE-2017-0007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0007>) \n[CVE-2017-0016](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0016>) \n[CVE-2017-0039](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0039>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0051](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0051>)2.9Warning 
\n[CVE-2017-0021](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0021>) 7.7 Critical \n[CVE-2017-0095](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0095>) 7.9 Critical \n[CVE-2017-0096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0096>) 2.3 Warning \n[CVE-2017-0097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0097>) 2.3 Warning \n[CVE-2017-0098](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0098>) 2.9 Warning \n[CVE-2017-0099](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0099>) 2.3 Warning \n[CVE-2017-0109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0109>) 7.4 High \n[CVE-2017-0074](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0074>) 2.3 Warning \n[CVE-2017-0075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0075>) 7.4 High \n[CVE-2017-0076](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0076>) 2.9 Warning \n[CVE-2017-0055](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0055>) 4.3 Warning \n[CVE-2017-0102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0102>) 4.6 Warning \n[CVE-2017-0103](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0103>) 4.4 Warning \n[CVE-2017-0101](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0101>) 6.8 High \n[CVE-2017-0050](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0050>) 7.2 High \n[CVE-2017-0056](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0056>) 7.2 High \n[CVE-2017-0024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0024>) 7.2 High \n[CVE-2017-0026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0026>) 7.2 High \n[CVE-2017-0078](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0078>) 7.2 High \n[CVE-2017-0079](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0079>) 7.2 High \n[CVE-2017-0080](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0080>) 7.2 High \n[CVE-2017-0081](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0081>) 7.2 High 
\n[CVE-2017-0082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0082>) 7.2 High \n[CVE-2017-0043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0043>) 2.9 Warning \n[CVE-2017-0045](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0045>) 4.3 Warning \n[CVE-2017-0022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0022>) 4.3 Warning \n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) 9.3 Critical \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) 9.3 Critical \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) 9.3 Critical \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>) 9.3 Critical \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>) 4.3 Warning \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>) 9.3 Critical \n[CVE-2017-0014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0014>) 7.6 Critical \n[CVE-2017-0060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0060>) 1.9 Warning \n[CVE-2017-0061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0061>) 2.6 Warning \n[CVE-2017-0062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0062>) 1.9 Warning \n[CVE-2017-0063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0063>) 4.3 Warning \n[CVE-2017-0025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0025>) 7.2 High \n[CVE-2017-0073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0073>) 4.3 Warning \n[CVE-2017-0108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0108>) 9.3 Critical \n[CVE-2017-0038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0038>) 4.3 Warning \n[CVE-2017-0001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0001>) 7.2 High \n[CVE-2017-0005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0005>) 6.9 High 
\n[CVE-2017-0047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0047>) 7.2 High \n[CVE-2017-0072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0072>) 9.3 Critical \n[CVE-2017-0083](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0083>) 9.3 Critical \n[CVE-2017-0084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0084>) 9.3 Critical \n[CVE-2017-0085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0085>) 4.3 Warning \n[CVE-2017-0086](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0086>) 9.3 Critical \n[CVE-2017-0087](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0087>) 9.3 Critical \n[CVE-2017-0088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0088>) 9.3 Critical \n[CVE-2017-0089](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0089>) 9.3 Critical \n[CVE-2017-0090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0090>) 9.3 Critical \n[CVE-2017-0091](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0091>) 4.3 Warning \n[CVE-2017-0092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0092>) 4.3 Warning \n[CVE-2017-0111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0111>) 4.3 Warning \n[CVE-2017-0112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0112>) 4.3 Warning \n[CVE-2017-0113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0113>) 4.3 Warning \n[CVE-2017-0114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0114>) 4.3 Warning \n[CVE-2017-0115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0115>) 4.3 Warning \n[CVE-2017-0116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0116>) 4.3 Warning \n[CVE-2017-0117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0117>) 4.3 Warning \n[CVE-2017-0118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0118>) 4.3 Warning \n[CVE-2017-0119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0119>) 4.3 Warning 
\n[CVE-2017-0120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0120>) 4.3 Warning \n[CVE-2017-0121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0121>) 4.3 Warning \n[CVE-2017-0122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0122>) 4.3 Warning \n[CVE-2017-0123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0123>) 4.3 Warning \n[CVE-2017-0124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0124>) 4.3 Warning \n[CVE-2017-0125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0125>) 4.3 Warning \n[CVE-2017-0126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0126>) 4.3 Warning \n[CVE-2017-0127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0127>) 4.3 Warning \n[CVE-2017-0128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0128>) 4.3 Warning \n[CVE-2017-0130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0130>) 7.6 Critical \n[CVE-2017-0008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0008>) 4.3 Warning \n[CVE-2017-0057](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0057>) 4.3 Warning \n[CVE-2017-0100](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0100>) 4.4 Warning \n[CVE-2017-0104](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0104>) 9.3 Critical \n[CVE-2017-0007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0007>) 2.1 Warning \n[CVE-2017-0016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0016>) 7.1 High \n[CVE-2017-0039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0039>) 9.3 Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) 
\n[3211306](<http://support.microsoft.com/kb/3211306>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>) \n[4012583](<http://support.microsoft.com/kb/4012583>) \n[3217587](<http://support.microsoft.com/kb/3217587>) \n[4012021](<http://support.microsoft.com/kb/4012021>) \n[4012373](<http://support.microsoft.com/kb/4012373>) \n[4012497](<http://support.microsoft.com/kb/4012497>) \n[4017018](<http://support.microsoft.com/kb/4017018>) \n[4012584](<http://support.microsoft.com/kb/4012584>) \n[3218362](<http://support.microsoft.com/kb/3218362>) \n[3205715](<http://support.microsoft.com/kb/3205715>) \n[4011981](<http://support.microsoft.com/kb/4011981>) \n[3217882](<http://support.microsoft.com/kb/3217882>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "edition": 45, "modified": "2020-11-30T00:00:00", "published": "2017-03-14T00:00:00", "id": "KLA10979", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10979", "title": "KLA10979 Multiple vulnerabilities in Microsoft Windows", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}