Windows Uniscribe Remote Code Execution Vulnerability

2017-03-14T07:00:00

Description

A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability: * In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email. * In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file. The security update addresses the vulnerability by correcting how Windows Uniscribe handles objects in memory.

{"id": "MS:CVE-2017-0072", "bulletinFamily": "microsoft", "title": "Windows Uniscribe Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nThere are multiple ways an attacker could exploit this vulnerability:\n\n * In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email.\n\n * In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file.\n\nThe security update addresses the vulnerability by correcting how Windows Uniscribe handles objects in memory.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0072", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0072"], "immutableFields": [], "type": "mscve", "lastseen": "2022-10-26T18:28:16", "edition": 1, "viewCount": 4, "enchantments": {"backreferences": {"references": [{"idList": ["CISA:574A6E25827684C587359C37EF1D5132"], "type": "cisa"}, {"idList": ["1337DAY-ID-27364"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810812"], "type": "openvas"}, {"idList": ["MSF:ILITIES/MSFT-CVE-2017-0072/"], "type": "metasploit"}, {"idList": ["KLA10978", "KLA10979"], "type": "kaspersky"}, {"idList": ["KB4013076"], "type": "mskb"}, {"idList": ["CPAI-2017-0176"], "type": "checkpoint_advisories"}, {"idList": ["CVE-2017-0072"], "type": "cve"}, {"idList": ["THREATPOST:2C2827FBF9D900F4194802CE8C471B4C"], "type": "threatpost"}, {"idList": ["GOOGLEPROJECTZERO:482174747A63E1F94C13FCE5E9F3FB55"], "type": "googleprojectzero"}]}, "dependencies": {"references": [{"idList": ["SMNTC-96599"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10978", "KLA10979"], "type": "kaspersky"}, {"idList": ["1337DAY-ID-27364"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810812"], "type": "openvas"}, {"idList": ["KB4013076"], "type": "mskb"}, {"idList": ["CPAI-2017-0176"], "type": "checkpoint_advisories"}, {"idList": ["CVE-2017-0084", "CVE-2017-0090", "CVE-2017-0089", "CVE-2017-0086", "CVE-2017-0083", "CVE-2017-0087", "CVE-2017-0072"], "type": "cve"}, {"idList": ["SMB_NT_MS17-011.NASL"], "type": "nessus"}, {"idList": ["GOOGLEPROJECTZERO:482174747A63E1F94C13FCE5E9F3FB55"], "type": "googleprojectzero"}]}, "exploitation": null, "score": {"value": 2.3, "vector": "NONE"}, "vulnersScore": 2.3}, "_state": {"dependencies": 1666809388, "score": 1666809538}, "_internal": {"score_hash": "a005ab9bd190ab2d6d78789db57d7902"}, "kbList": ["KB4012212", "KB4012215", "KB4012583", "KB3196348", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0072", "msAffectedSoftware": [{"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows vista x64 edition service pack 2", "operator": "", "version": ""}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1 (server core installation)", "operator": "", "version": ""}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "windows server 2008 r2 for itanium-based systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows vista service pack 2", "operator": "", "version": ""}, {"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows server 2008 for x64-based systems service pack 2 (server core installation)", "operator": "", "version": ""}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "windows 7 for 32-bit systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012212", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012212", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1 (server core installation)", "operator": "", "version": ""}, {"kb": "KB4012212", "kbSupersedence": "", "msplatform": "", "name": "windows 7 for x64-based systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows server 2008 for 32-bit systems service pack 2 (server core installation)", "operator": "", "version": ""}, {"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows server 2008 for x64-based systems service pack 2", "operator": "", "version": ""}, {"kb": "KB4012212", "kbSupersedence": "", "msplatform": "", "name": "windows 7 for 32-bit systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012212", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 r2 for itanium-based systems service pack 1", "operator": "", "version": ""}, {"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows server 2008 for itanium-based systems service pack 2", "operator": "", "version": ""}, {"kb": "KB4012583", "kbSupersedence": "KB3196348", "msplatform": "", "name": "windows server 2008 for 32-bit systems service pack 2", "operator": "", "version": ""}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "windows 7 for x64-based systems service pack 1", "operator": "", "version": ""}], "vendorCvss": {"baseScore": "8.8", "temporalScore": "7.9", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}

{"checkpoint_advisories": [{"lastseen": "2021-12-17T11:36:19", "description": "A remote code execution vulnerability exists in Microsoft Windows. The vulnerability is due to the way Windows Uniscribe handles objects in the memory. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Uniscribe Remote Code Execution (MS17-011: CVE-2017-0072)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072"], "modified": "2017-03-14T00:00:00", "id": "CPAI-2017-0176", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:05:21", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file or webpage. An attacker can exploit this issue to execute arbitrary code in the context of an affected system. Failed exploit attempts may result in a denial of service condition; this can result in the attacker gaining complete control of the affected system.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful attacks, never handle or open files from unknown sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. Host-based intrusion-prevention systems may also help prevent exploits. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "symantec", "title": "Microsoft Windows Uniscribe CVE-2017-0072 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-0072"], "modified": "2017-03-14T00:00:00", "id": "SMNTC-96599", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96599", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-03T05:00:44", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2017-03-20T00:00:00", "type": "zdt", "title": "Microsoft Windows - Uniscribe Font Processing Buffer Overflow in USP10!FillAlternatesList (MS17-011)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0072"], "modified": "2017-03-20T00:00:00", "id": "1337DAY-ID-27364", "href": "https://0day.today/exploit/description/27364", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1030\r\n \r\nWe have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while trying to request a list of alternate glyphs for a specific glyph in a corrupted font file:\r\n \r\n---\r\n(4bfc.c60): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=0000000d ebx=0021006f ecx=00000010 edx=00000018 esi=07b4bfe8 edi=0021f620\r\neip=75232fe1 esp=0021f550 ebp=0021f5b8 iopl=0 nv up ei pl nz na po nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202\r\nUSP10!FillAlternatesList+0x2d1:\r\n75232fe1 66891c32 mov word ptr [edx+esi],bx ds:002b:07b4c000=????\r\n0:000> kb\r\nChildEBP RetAddr Args to Child \r\n0021f5b8 7522eb56 09312db6 00000000 00000003 USP10!FillAlternatesList+0x2d1\r\n0021f5ec 75208b38 0021f640 0021f614 746c6161 USP10!GetOtlGlyphAlternates+0x86\r\n0021f770 7520f214 0021f9d8 6e74616c 746c6664 USP10!OtlGetAlternateGlyphList+0x108\r\n0021f7a0 00dc4557 30011a14 00000001 00000000 USP10!ScriptGetFontAlternateGlyphs+0xb4\r\n[...]\r\n---\r\n \r\nIn our test harness, we set the cMaxAlternates parameter of the ScriptGetFontAlternateGlyphs function to 10, indicating that this is the maximum number of values which can be written to the output pAlternateGlyphs array. However, the API function does not seem to respect the argument and attempts to write more data into the buffer -- in this case, 29 WORDs. The vulnerability can also be confirmed by looking at the output value of pcAlternates, which should never exceed 10 in this case, but is indeed set to 29. As a result, the bug may lead to corruption of various memory areas, including stack, heap, and static memory, depending on the type of pointer passed to the function by its caller.\r\n \r\nThe issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled and the output buffer allocated from the heap. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the vulnerable API function.\r\n \r\nAttached is a proof of concept malformed font file which triggers the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41654.zip\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/27364", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T11:48:12", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0072", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0072", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0072", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:31", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, and CVE-2017-0089.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0090", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0090", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0090", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:25", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Windows Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0084", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0084", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:27", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0086", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0086", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0086", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:28", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0087", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*"], "id": "CVE-2017-0087", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0087", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:31", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, and CVE-2017-0090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0089", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*"], "id": "CVE-2017-0089", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0089", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:24", "description": "Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Uniscribe Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-17T00:59:00", "type": "cve", "title": "CVE-2017-0083", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0083", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0083", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:38", "description": "Posted by Mateusz Jurczyk of Google Project Zero\n\n** \n**\n\nAmong the total of 119 vulnerabilities with CVEs fixed by Microsoft in the [March Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx>) a few weeks ago, there were 29 bugs reported by us in the font-handling code of the Uniscribe library. Admittedly the subject of font-related security has already been extensively discussed on this blog both in the context of manual analysis [[1]](<https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html>)[[2]](<https://googleprojectzero.blogspot.com/2015/09/enabling-qr-codes-in-internet-explorer.html>) and fuzzing [[3]](<https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html>)[[4]](<https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html>). However, what makes this effort a bit different from the previous ones is the fact that Uniscribe is a little-known user-mode component, which had not been widely recognized as a viable attack vector before, as opposed to the kernel-mode font implementations included in the win32k.sys and ATMFD.DLL drivers. In this post, we outline a brief history and description of Uniscribe, explain how we approached at-scale fuzzing of the library, and highlight some of the more interesting discoveries we have made so far. All the raw reports of the bugs we\u2019re referring to (as they were submitted to Microsoft), together with the corresponding proof-of-concept samples, can be found in the official Project Zero bug tracker [[5]](<https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=product%3Auniscribe+fixed%3A2017-mar-14>). Enjoy!\n\n## Introduction\n\nIt was November 2016 when we started yet another iteration of our Windows font fuzzing job (whose architecture was thoroughly described in [[4]](<https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html>)). At that point, the kernel attack surface was mostly fuzz-clean with regards to the techniques we were using, but we still like to play with the configuration and input corpus from time to time to see if we can squeeze out any more bugs with the existing infrastructure. What we ended up with a several days later were a bunch of samples which supposedly crashed the guest Windows system running inside of Bochs. When we fed them to our reproduction pipeline, none of the bugchecks occurred again for unclear reasons. As disappointing as that was, there also was one interesting and unexpected result: for one of the test cases, the user-mode harness crashed itself, without bringing the whole OS down at the same time. This could indicate either that there was a bug in our code, or that there was some unanticipated font parsing going on in ring-3. When we started digging deeper, we found out that the unhandled exception took place in the following context:\n\n** \n**\n\n(4464.11b4): Access violation - code c0000005 (first chance)\n\nFirst chance exceptions are reported before any exception handling.\n\nThis exception may be expected and handled.\n\neax=0933d8bf ebx=00000000 ecx=09340ffc edx=00001b9f esi=0026ecac edi=00000009\n\neip=752378f3 esp=0026ec24 ebp=0026ec2c iopl=0 nv up ei pl zr na pe nc\n\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\n\nUSP10!ScriptPositionSingleGlyph+0x28533:\n\n752378f3 668b4c5002 mov cx,word ptr [eax+edx*2+2] ds:002b:09340fff=????\n\n** \n**\n\nUntil that moment, we didn\u2019t fully realize that our tools were triggering any font-handling code beyond the well-known kernel implementation (despite some related bugs having been publicly fixed in the past, e.g. CVE-2016-7274 [[6]](<http://blogs.flexerasoftware.com/secunia-research/2016/12/microsoft_windows_loaduvstable_heap_based_buffer_overflow_vulnerability.html>)). As a result, the fuzzing system was not prepared to catch user-mode faults, and thus any such crashes had remained completely undetected in favor of system bugchecks, which caused full machine restarts.\n\n** \n**\n\nWe quickly determined that the usp10.dll library corresponded to \u201cUniscribe Unicode script processor\u201d (in Microsoft\u2019s own words) [[7]](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd374091\\(v=vs.85\\).aspx>). It is a relatively large module (600-800 kB depending on system version and bitness) responsible for rendering Unicode-encoded text, as the name suggests. From a security perspective, it\u2019s important that the code base dates back to Windows 2000, and includes a C++ implementation of the parsing of various complex TrueType/OpenType structures, in addition to what is already implemented in the kernel. The specific tables that Uniscribe touches on are primarily Advanced Typography Tables (\u201cGDEF\u201d, \u201cGSUB\u201d, \u201cGPOS\u201d, \u201cBASE\u201d, \u201cJSTF\u201d), but also \u201cOS/2\u201d, \u201ccmap\u201d and \u201cmaxp\u201d to some extent. What\u2019s equally significant is that the code can be reached simply by calling the DrawText [[8]](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd162498%28v=vs.85%29.aspx>) or other equivalent API with Unicode-encoded text and an attacker-controlled font. Since no special calls other than the typical ones are necessary to execute the most exposed areas of the library, it makes for a great attack vector in applications which use GDI to render text with fonts originating from untrusted sources. This is also evidenced by the stack trace of the original crash, and the fact that it occurred in a program which didn\u2019t include any usp10-specific code:\n\n** \n**\n\n0:000> kb\n\nChildEBP RetAddr\n\n0026ec2c 09340ffc USP10!otlChainRuleSetTable::rule+0x13\n\n0026eccc 0133d7d2 USP10!otlChainingLookup::apply+0x7d3\n\n0026ed48 0026f09c USP10!ApplyLookup+0x261\n\n0026ef4c 0026f078 USP10!ApplyFeatures+0x481\n\n0026ef98 09342f40 USP10!SubstituteOtlGlyphs+0x1bf\n\n0026efd4 0026f0b4 USP10!SubstituteOtlChars+0x220\n\n0026f250 0026f370 USP10!HebrewEngineGetGlyphs+0x690\n\n0026f310 0026f370 USP10!ShapingGetGlyphs+0x36a\n\n0026f3fc 09316318 USP10!ShlShape+0x2ef\n\n0026f440 09316318 USP10!ScriptShape+0x15f\n\n0026f4a0 0026f520 USP10!RenderItemNoFallback+0xfa\n\n0026f4cc 0026f520 USP10!RenderItemWithFallback+0x104\n\n0026f4f0 09316124 USP10!RenderItem+0x22\n\n0026f534 2d011da2 USP10!ScriptStringAnalyzeGlyphs+0x1e9\n\n0026f54c 0000000a USP10!ScriptStringAnalyse+0x284\n\n0026f598 0000000a LPK!LpkStringAnalyse+0xe5\n\n0026f694 00000000 LPK!LpkCharsetDraw+0x332\n\n0026f6c8 00000000 LPK!LpkDrawTextEx+0x40\n\n0026f708 00000000 USER32!DT_DrawStr+0x13c\n\n0026f754 0026fa30 USER32!DT_GetLineBreak+0x78\n\n0026f800 0000000a USER32!DrawTextExWorker+0x255\n\n0026f824 ffffffff USER32!DrawTextExW+0x1e\n\n** \n**\n\nAs can be seen here, the Uniscribe functionality was invoked internally by user32.dll through the lpk.dll (Language Pack) library. As soon as we learned about this new attack vector, we jumped at the first chance to fuzz it. Most of the infrastructure was already in place, since both user- and kernel-mode font fuzzing share a large number of the pieces. The extra work that we had to do was mostly related to filtering the input corpus, fiddling with the mutator configuration, adjusting the system configuration and implementing logic for the detection of user-mode crashes (both in the test harness and Bochs instrumentation). All of these steps are discussed in detail below. After a few days, we had everything working as planned, and after another couple, there were already over 80 crashes at unique addresses waiting for triage. Below is a summary of the issues that were found in the first fuzzing run and reported to Microsoft in December 2016.\n\n## Results at a glance\n\nSince ~80 was still a fairly manageable number of crashes to triage manually, we tried to reproduce each of them by hand, deduplicating them and writing down their details at the same time. When we finished, we ended up with 8 separate high-severity issues that could potentially allow remote code execution:\n\n** \n**\n\nTracker ID\n\n| \n\nMemory access type at crash\n\n| \n\nCrashing function\n\n| \n\nCVE \n \n---|---|---|--- \n \n[1022](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1022>)\n\n| \n\nInvalid write of n bytes (memcpy)\n\n| \n\nusp10!otlList::insertAt\n\n| \n\nCVE-2017-0108 \n \n[1023](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1023>)\n\n| \n\nInvalid read / write of 2 bytes\n\n| \n\nusp10!AssignGlyphTypes\n\n| \n\nCVE-2017-0084 \n \n[1025](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1025>)\n\n| \n\nInvalid write of n bytes (memset)\n\n| \n\nusp10!otlCacheManager::GlyphsSubstituted\n\n| \n\nCVE-2017-0086 \n \n[1026](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1026>)\n\n| \n\nInvalid write of n bytes (memcpy)\n\n| \n\nusp10!MergeLigRecords\n\n| \n\nCVE-2017-0087 \n \n[1027](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1027>)\n\n| \n\nInvalid write of 2 bytes\n\n| \n\nusp10!ttoGetTableData\n\n| \n\nCVE-2017-0088 \n \n[1028](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1028>)\n\n| \n\nInvalid write of 2 bytes\n\n| \n\nusp10!UpdateGlyphFlags\n\n| \n\nCVE-2017-0089 \n \n[1029](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1029>)\n\n| \n\nInvalid write of n bytes\n\n| \n\nusp10!BuildFSM and nearby functions\n\n| \n\nCVE-2017-0090 \n \n[1030](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1030>)\n\n| \n\nInvalid write of n bytes\n\n| \n\nusp10!FillAlternatesList\n\n| \n\nCVE-2017-0072 \n \n** \n**\n\nAll of the bugs but one were triggered through a standard DrawText call and resulted in heap memory corruption. The one exception was the [#1030](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1030>) issue, which resided in a documented Uniscribe-specific [ScriptGetFontAlternateGlyphs](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd368546%28v=vs.85%29.aspx>) API function. The routine is responsible for retrieving a list of alternate glyphs for a specified character, and the interesting fact about the bug is that it wasn\u2019t a problem with operating on any internal structures. Instead, the function failed to honor the value of the cMaxAlternates argument, and could therefore write more output data to the pAlternateGlyphs buffer than was allowed by the function caller. This meant that the buffer overflow was not specific to any particular memory type \u2013 depending on what pointer the client passed in, the overflow would take place on the stack, heap or static memory. The exploitability of such a bug would greatly depend on the program design and compilation options used to build it. We must admit, however, that it is unclear what the real-world clients of the function are, and whether any of them would meet the requirements to become a viable attack target.\n\n** \n**\n\nFurthermore, we extracted 27 unique crashes caused by invalid memory reads from non-NULL addresses, which could potentially lead to information disclosure of secrets stored in the process address space. Due to the large volume of these crashes, we were unable to analyze each of them in much detail or perform any advanced deduplication. Instead, we partitioned them by the top-level exception address, and filed all of them as a single entry [#1031](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1031>) in the bug tracker:\n\n** \n**\n\n 1. usp10!otlMultiSubstLookup::apply+0xa8\n\n 2. usp10!otlSingleSubstLookup::applyToSingleGlyph+0x98\n\n 3. usp10!otlSingleSubstLookup::apply+0xa9\n\n 4. usp10!otlMultiSubstLookup::getCoverageTable+0x2c\n\n 5. usp10!otlMark2Array::mark2Anchor+0x18\n\n 6. usp10!GetSubstGlyph+0x2e\n\n 7. usp10!BuildTableCache+0x1ca\n\n 8. usp10!otlMkMkPosLookup::apply+0x1b4\n\n 9. usp10!otlLookupTable::markFilteringSet+0x1a\n\n 10. usp10!otlSinglePosLookup::getCoverageTable+0x12\n\n 11. usp10!BuildTableCache+0x1e7\n\n 12. usp10!otlChainingLookup::getCoverageTable+0x15\n\n 13. usp10!otlReverseChainingLookup::getCoverageTable+0x15\n\n 14. usp10!otlLigCaretListTable::coverage+0x7\n\n 15. usp10!otlMultiSubstLookup::apply+0x99\n\n 16. usp10!otlTableCacheData::FindLookupList+0x9\n\n 17. usp10!ttoGetTableData+0x4b4\n\n 18. usp10!GetSubtableCoverage+0x1ab\n\n 19. usp10!otlChainingLookup::apply+0x2d\n\n 20. usp10!MergeLigRecords+0x132\n\n 21. usp10!otlLookupTable::subTable+0x23\n\n 22. usp10!GetMaxParameter+0x53\n\n 23. usp10!ApplyLookup+0xc3\n\n 24. usp10!ApplyLookupToSingleGlyph+0x6f\n\n 25. usp10!ttoGetTableData+0x19f6\n\n 26. usp10!otlExtensionLookup::extensionSubTable+0x1d\n\n 27. usp10!ttoGetTableData+0x1a77\n\n** \n**\n\nIn the end, it turned out that these 27 crashes manifested 21 actual bugs, which were fixed by Microsoft as CVE-2017-0083, CVE-2017-0091, CVE-2017-0092 and CVE-2017-0111 to CVE-2017-0128 in the [MS17-011](<https://technet.microsoft.com/en-us/library/security/MS17-011>) security bulletin.\n\n** \n**\n\nLastly, we also reported 7 unique NULL pointer dereference issues with no deadline, with the hope that having any of them fixed would potentially enable our fuzzer to discover other, more severe bugs. On March 17th, MSRC responded that they investigated the cases and concluded that they were low-severity DoS problems only, and would not be fixed as part of a security bulletin in the near future. \n\n## Input corpus, mutation configuration and adjusting the test harness\n\nGathering a solid corpus of input samples is arguably one of the most important parts of fuzzing preparation, especially if code coverage feedback is not involved, making it impossible for the corpus to gradually evolve into a more optimal form. We were lucky enough to already have had several font corpora at our disposal from previous fuzzing runs. We decided to use the same set of files that had helped us discover [18](<https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=status%3Afixed+finder%3Amjurczyk+product%3Akernel+font+opened%3E2015-1-1+-namedescape>) Windows kernel bugs in the past (see the \u201cPreparing the input corpus\u201d section of [[4]](<https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html>)). It was originally generated by running a corpus distillation algorithm over a large number of fonts crawled off the web, using an instrumented build of the FreeType2 open-source library, and consisted of 14848 TrueType and 4659 OpenType files, for a total of 2.4G of disk space. In order to tailor the corpus better for Uniscribe, we reduced it to just the files that contained at least one of the \u201cGDEF\u201d, \u201cGSUB\u201d, \u201cGPOS\u201d, \u201cBASE\u201d or \u201cJSTF\u201d tables, which are parsed by the library. This left us with 3768 TrueType and 2520 OpenType fonts consuming 1.68G on disk, which were much more likely to expose bugs in Uniscribe than any of the removed ones. That was the final corpus that we worked with.\n\n** \n**\n\nThe mutator configuration was also pretty similar to what we did for the kernel: we used the same five standard bitflipping, byteflipping, chunkspew, special ints and binary arithmetic algorithms with the precalculated per-table mutation ratio ranges. The only change made specifically for Uniscribe was to add mutations for the \u201cBASE\u201d and \u201cJSTF\u201d tables, which were previously not accounted for.\n\n** \n**\n\nLast but not least, we extended the functionality of the guest fuzzing harness, responsible for invoking the tested font-related API (mostly displaying all of the font\u2019s glyphs at various point sizes, but also querying a number of properties etc.). While it was clear that some of the relevant code was executed automatically through user32!DrawText with no modifications required, we wanted to maximize the coverage of Uniscribe code as much possible. A full reference of all its externally available functions can be found on MSDN [[9]](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd374093\\(v=vs.85\\).aspx>). After skimming through the documentation, we added calls to [ScriptCacheGetHeight](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd319119\\(v=vs.85\\).aspx>), [ScriptGetFontProperties](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd368549\\(v=vs.85\\).aspx>), [ScriptGetCMap](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd319122\\(v=vs.85\\).aspx>), [ScriptGetFontAlternateGlyphs](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd368546\\(v=vs.85\\).aspx>), [ScriptSubstituteSingleGlyph](<https://msdn.microsoft.com/en-us/library/dd368794\\(v=vs.85\\).aspx>) and [ScriptFreeCache](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd319121\\(v=vs.85\\).aspx>). This quickly proved to be a successful idea, as it allowed us to discover the aforementioned generic bug in ScriptGetFontAlternateGlyphs. Furthermore, we decided to remove invocations of the [GetKerningPairs](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd144895\\(v=vs.85\\).aspx>) and [GetGlyphOutline](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd144891\\(v=vs.85\\).aspx>) API functions, as their corresponding logic was located in the kernel, while our focus had now shifted strictly to user-mode. As such, they wouldn\u2019t lead to the discovery of any new bugs in Uniscribe, but would instead slow the overall fuzzing process down. Apart from these minor modifications, the core of the test harness remained unchanged.\n\n** \n**\n\nBy taking the measures listed above, we hoped that they were sufficient to trigger most of the low hanging fruit bugs. With this assumption, the only part left was to make sure that the crashes would be reliably caught and reported to the fuzzer. This subject is discussed in the next section.\n\n## Crash detection\n\nThe first step we took to detect Uniscribe crashes effectively was disabling Special Pools for win32k.sys and ATMFD.DLL (which caused unnecessary overhead for no gain in user-mode), while enabling the PageHeap option in Application Verifier for the harness process. This was done to improve our chances at detecting invalid memory accesses, and make reproduction and deduplication more reliable.\n\n** \n**\n\nThanks to the fact that the fuzz-tested code in usp10.dll executed in the same context as the rest of the harness logic, we didn\u2019t have to write a full-fledged Windows debugger to supervise another process. Instead, we just set up a top-level exception handler with the [SetUnhandledExceptionFilter](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/ms680634\\(v=vs.85\\).aspx>) function, which then got called every time a fatal exception was generated in the process. The handler\u2019s job was to send out the state of the crashing CPU context (passed in through ExceptionInfo->ContextRecord) to the hypervisor (i.e. the Bochs instrumentation) through the \u201cdebug print\u201d hypercall, and then actually report that the crash occurred at the specific address.\n\n** \n**\n\nIn the kernel font fuzzing scenario, crashes were detected by the Bochs instrumentation with the BX_INSTR_RESET instrumentation callback. This approach worked because the guest system was configured to automatically reboot on bugcheck, consequently triggering the bx_instr_reset handler. The easiest way to integrate this approach with user-mode fuzzing would be therefore to just add a [ExitWindowsEx](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/aa376868\\(v=vs.85\\).aspx>) call in the epilogue of the exception handler, making everything work out of the box without even touching the existing Bochs instrumentation. However, the method would result in losing information about the crash location, making automated deduplication impossible. In order to address this problem, we introduced a new \u201ccrash encountered\u201d hypercall, which received the address of the faulting instruction in the argument from the guest, and passed this information further down our scalable fuzzing infrastructure. Having the crashes grouped by the exception address right from the start saved us a ton of postprocessing time, and limited the number of test cases we had to look at to a bare minimum.\n\n** \n**\n\nThis is the end of a list of differences between the Windows kernel font fuzzing setup we\u2019ve been using for nearly two years now, and an equivalent setup for user-mode fuzzing that we only built a few months ago, but has already proven very effective. Everything else has remained the same as described in the \u201cfont fuzzing techniques\u201d article from last year [[4]](<https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html>).\n\n## Conclusions\n\nIt is a fascinating but dire realization that even for such a well known class of bug hunting targets as font parsing implementations, it is still possible to discover new attack vectors dating back to the previous century, having remained largely unaudited until now, and being as exposed as the interfaces we already know about. We believe that this is a great example of how gradually rising the bar for a variety of software can have much more impact than trying to kill every last bug in a narrow range of code. It is also illustrative of the fact that the time spent on thoroughly analyzing the attack surface and looking for little-known targets may turn out very fruitful, as the security community still doesn\u2019t have a full understanding of the attack vectors in every important data processing stack (such as the Windows font handling in this case).\n\n** \n**\n\nThis effort and its results show that fuzzing is a very universal technique, and most of its components can be easily reused from one target to another, especially within the scope of a single file format. Finally, it has proven that it is possible to fuzz not just the Windows kernel, but also regular user-mode code, regardless of the environment of the host system (which was Linux in our case). While the Bochs x86 emulator incurs a significant overhead as compared to native execution speed, it can often be scaled against to still achieve a net gain in the number of iterations per second. As an interesting fact, issues [#993](<https://bugs.chromium.org/p/project-zero/issues/detail?id=993>) (Windows kernel registry hive loading), [#1042](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1042>) (EMF+ processing in GDI+), [#1052](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1052>) and [#1054](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1054>) (color profile processing) fixed in the last Patch Tuesday were also found with fuzzing Windows on Bochs, but with slightly different input samples, test harnesses and mutation strategies. :)\n\n## References\n\n 1. The \u201cOne font vulnerability to rule them all\u201d series starting with [https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html](<https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html>)\n\n 2. [https://googleprojectzero.blogspot.com/2015/09/enabling-qr-codes-in-internet-explorer.html](<https://googleprojectzero.blogspot.com/2015/09/enabling-qr-codes-in-internet-explorer.html>)\n\n 3. [https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html](<https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html>)\n\n 4. [https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html](<https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html>)\n\n 5. [https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=product%3Auniscribe+fixed%3A2017-mar-14](<https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=product%3Auniscribe+fixed%3A2017-mar-14>)\n\n 6. [http://blogs.flexerasoftware.com/secunia-research/2016/12/microsoft_windows_loaduvstable_heap_based_buffer_overflow_vulnerability.html](<http://blogs.flexerasoftware.com/secunia-research/2016/12/microsoft_windows_loaduvstable_heap_based_buffer_overflow_vulnerability.html>)\n\n 7. [https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd374091(v=vs.85).aspx](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd374091\\(v=vs.85\\).aspx>)\n\n 8. [https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd162498%28v=vs.85%29.aspx](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd162498%28v=vs.85%29.aspx>)\n\n 9. [https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd374093(v=vs.85).aspx](<https://msdn.microsoft.com/pl-pl/library/windows/desktop/dd374093\\(v=vs.85\\).aspx>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-10T00:00:00", "type": "googleprojectzero", "title": "\nNotes on Windows Uniscribe Fuzzing\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7274", "CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090", "CVE-2017-0091", "CVE-2017-0092", "CVE-2017-0108", "CVE-2017-0111", "CVE-2017-0128"], "modified": "2017-04-10T00:00:00", "id": "GOOGLEPROJECTZERO:482174747A63E1F94C13FCE5E9F3FB55", "href": "https://googleprojectzero.blogspot.com/2017/04/notes-on-windows-uniscribe-fuzzing.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:39:35", "description": "<html><body>Resolves a vulnerability in Windows that could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document.<h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Windows Uniscribe. The most severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less affected than users whose accounts have administrative user rights. To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-011\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-011</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\">Important <ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><div>The following articles contain more information about this security update as it relates to individual product versions. These articles may contain known issue information.</div> <ul id=\"info1_list1\"><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012583\" managed-link=\"\" target=\"\"> 4012583</a> MS17-011 and MS17-013: Description of the security update for Microsoft Graphics Component: March 14, 2017</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012216\" managed-link=\"\" target=\"\"> 4012216</a> March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012213\" managed-link=\"\" target=\"\"> 4012213</a> March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012217\" managed-link=\"\" target=\"\"> 4012217</a> March 2017 Security Monthly Quality Rollup for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012214\" managed-link=\"\" target=\"\"> 4012214</a> March 2017 Security Only Quality Update for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012215\" managed-link=\"\" target=\"\"> 4012215</a> March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012212\" managed-link=\"\" target=\"\"> 4012212</a> March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013429\" managed-link=\"\" target=\"\"> 4013429</a> March 13, 2017\u2014KB4013429 (OS Build 933)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012606\" managed-link=\"\" target=\"\"> 4012606</a> March 14, 2017\u2014KB4012606 (OS Build 17312)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013198\" managed-link=\"\" target=\"\"> 4013198</a> March 14, 2017\u2014KB4013198 (OS Build 830)</li></ul> </div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Get security updates automatically</a>. Note For Windows RT 8.1, this update is available through Windows Update only. </div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=4013076\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website. </div></div><h2>Security update deployment</h2><h3>Windows Vista (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"26%\">Security update file names</td><td width=\"73%\">For all supported 32-bit editions of Windows Vista: Windows6.0-KB4012583-x86.msu</td></tr><tr><td width=\"26%\">\u00a0</td><td width=\"73%\">For all supported x64-based editions of Windows Vista: Windows6.0-KB4012583-x64.msu</td></tr><tr><td width=\"26%\">Installation switches</td><td width=\"73%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"26%\">Restart requirement</td><td width=\"73%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"26%\">Removal information</td><td width=\"73%\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under \"Windows Update,\" click View installed updates and select from the list of updates.</td></tr><tr><td width=\"26%\">File information</td><td width=\"73%\">See <a href=\"https://support.microsoft.com/kb/4012583\">Microsoft Knowledge Base article 4012583</a></td></tr><tr><td width=\"26%\">Registry key verification</td><td width=\"73%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table>\u00a0<h3>Windows Server 2008 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"26%\">Security update file names</td><td width=\"73%\">For all supported 32-bit editions of Windows Server 2008: Windows6.0-KB4012583-x86.msu</td></tr><tr><td width=\"26%\">\u00a0</td><td width=\"73%\">For all supported x64-based editions of Windows Server 2008: Windows6.0-KB4012583-x64.msu</td></tr><tr><td width=\"26%\">\u00a0</td><td width=\"73%\">For all supported Itanium-based editions of Windows Server 2008 Windows6.0-KB4012583-ia64.msu</td></tr><tr><td width=\"26%\">Installation switches</td><td width=\"73%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"26%\">Restart requirement</td><td width=\"73%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"26%\">Removal information</td><td width=\"73%\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under \"Windows Update,\" click View installed updates, and then select from the list of updates.</td></tr><tr><td width=\"26%\">File information</td><td width=\"73%\">See <a href=\"https://support.microsoft.com/kb/4012583\">Microsoft Knowledge Base article 4012583</a></td></tr><tr><td width=\"26%\">Registry key verification</td><td width=\"73%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table> <h3>Windows 7 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"29%\">Security update file name</td><td width=\"70%\">For all supported x64-based editions of Windows 7: indows6.1-KB4012212-x64.msu Security only</td></tr><tr><td width=\"29%\">\u00a0</td><td width=\"70%\">For all supported x64-based editions of Windows 7: Windows6.1-KB4012215-x64.msu Monthly rollup</td></tr><tr><td width=\"29%\">Installation switches</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a> </td></tr><tr><td width=\"29%\">Restart requirement</td><td width=\"70%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"29%\">Removal information</td><td width=\"70%\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click View installed updates \r\runder \"Windows Update,\"\u00a0and then select from the list of updates.</td></tr><tr><td width=\"29%\">File information</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/4012212\">Microsoft Knowledge Base article 4012212</a> See <a href=\"https://support.microsoft.com/kb/4012215\">Microsoft Knowledge Base article 4012215</a></td></tr><tr><td width=\"29%\">Registry key verification</td><td width=\"70%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table> <h3>Windows Server 2008 R2 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"29%\">Security update file name</td><td width=\"70%\">For all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB4012212-x64.msu Security only</td></tr><tr><td width=\"29%\">\u00a0</td><td width=\"70%\">For all supported x64-based editions of Windows Server 2008 R2: Windows6.1-KB4012215-x64.msu Monthly rollup</td></tr><tr><td width=\"29%\">Installation switches</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"29%\">Restart requirement</td><td width=\"70%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"29%\">Removal information</td><td width=\"70%\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click View installed updates \r\runder \"Windows Update,\"\u00a0and then select from the list of updates.</td></tr><tr><td width=\"29%\">File information</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/4012212\">Microsoft Knowledge Base article 4012212</a> See <a href=\"https://support.microsoft.com/kb/4012215\">Microsoft Knowledge Base article 4012215</a></td></tr><tr><td width=\"29%\">Registry key verification</td><td width=\"70%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table> <h3>Windows 8.1 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"29%\">Security update file name</td><td width=\"70%\">For all supported x64-based editions of Windows 8.1: Windows8.1-KB4012213-x64.msu Security only</td></tr><tr><td width=\"29%\">\u00a0</td><td width=\"70%\">For all supported x64-based editions of Windows 8.1: Windows8.1-KB4012216-x64.msu Monthly rollup</td></tr><tr><td width=\"29%\">Installation switches</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"29%\">Restart requirement</td><td width=\"70%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"29%\">Removal information</td><td width=\"70%\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, click Installed updates \r\runder \"See also,\"\u00a0and then select from the list of updates.</td></tr><tr><td width=\"29%\">File information</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/4012213\">Microsoft Knowledge Base article 4012213</a> See <a href=\"https://support.microsoft.com/kb/4012216\">Microsoft Knowledge Base article 4012216</a></td></tr><tr><td width=\"29%\">Registry key verification</td><td width=\"70%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table> <h3>Windows Server 2012 and Windows Server 2012 R2 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"29%\">Security update file name</td><td width=\"70%\">For all supported editions of Windows Server 2012: Windows8-RT-KB4012214-x64.msu Security only</td></tr><tr><td width=\"29%\">\u00a0</td><td width=\"70%\">For all supported editions of Windows Server 2012: Windows8-RT-KB4012217-x64.msu Monthly rollup</td></tr><tr><td width=\"29%\">\u00a0</td><td width=\"70%\">For all supported editions of Windows Server 2012 R2: Windows8.1-KB4012213-x64.msu Security only</td></tr><tr><td width=\"29%\">\u00a0</td><td width=\"70%\">For all supported editions of Windows Server 2012 R2: Windows8.1-KB4012216-x64.msu Monthly rollup</td></tr><tr><td width=\"29%\">Installation switches</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"29%\">Restart requirement</td><td width=\"70%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"29%\">Removal information</td><td width=\"70%\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, click Installed updates \r\runder \"See also,\"\u00a0and then select from the list of updates.</td></tr><tr><td width=\"29%\">File information</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/4012214\">Microsoft Knowledge Base article 4012214</a> See <a href=\"https://support.microsoft.com/kb/4012217\">Microsoft Knowledge Base article 4012217</a> See <a href=\"https://support.microsoft.com/kb/4012213\">Microsoft Knowledge Base article 4012213</a> See <a href=\"https://support.microsoft.com/kb/4012216\">Microsoft Knowledge Base article 4012216</a></td></tr><tr><td width=\"29%\">Registry key verification</td><td width=\"70%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table> <h3>Windows 10 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"30%\">Security update file name</td><td width=\"70%\">For all supported x64-based editions of Windows 10: Windows10.0-KB4012606-x64.msu</td></tr><tr><td width=\"30%\">\u00a0</td><td width=\"70%\">For all supported x64-based editions of Windows 10 Version 1511: Windows10.0-KB4013198-x64.msu</td></tr><tr><td width=\"30%\">\u00a0</td><td width=\"70%\">For all supported x64-based editions of Windows 10 Version 1607: Windows10.0-KB4013429-x64.msu</td></tr><tr><td width=\"30%\">Installation switches</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"30%\">Restart requirement</td><td width=\"70%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"30%\">Removal information</td><td width=\"70%\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, click Installed updates \r\runder \"See also,\"\u00a0and then select from the list of updates.</td></tr><tr><td width=\"30%\">File information</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\">Windows 10 and Windows Server 2016 update history</a>.</td></tr><tr><td width=\"30%\">Registry key verification</td><td width=\"70%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table> <h3>Windows Server 2016 (all editions)</h3>Reference tableThe following table contains the security update information for this software.<table class=\"table\"><tbody><tr><td width=\"30%\">Security update file name</td><td width=\"70%\">For all supported editions of Windows Server 2016: Windows10.0-KB4013429-x64.msu</td></tr><tr><td width=\"30%\">Installation switches</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/kb/934307\">Microsoft Knowledge Base article 934307</a></td></tr><tr><td width=\"30%\">Restart requirement</td><td width=\"70%\">A system restart is required after you apply this security update.</td></tr><tr><td width=\"30%\">Removal information</td><td width=\"70%\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, click Installed updates \r\runder \"See also,\"\u00a0and then select from the list of updates.</td></tr><tr><td width=\"30%\">File information</td><td width=\"70%\">See <a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\">Windows 10 and Windows Server 2016 update history</a>.</td></tr><tr><td width=\"30%\">Registry key verification</td><td width=\"70%\">Note A registry key does not exist to validate the presence of this update.</td></tr></tbody></table><h2>More Information</h2><div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\">How to get help and support for this security update</div><div class=\"faq-panel-body\" faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-13\" target=\"_self\">Windows Update: FAQ</a> Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-14\" target=\"_self\">TechNet Security Support and Troubleshooting</a> Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-15\" target=\"_self\">Microsoft Secure</a> Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-16\" target=\"_self\">International Support</a></div></div></div></div></div></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:00:00", "type": "mskb", "title": "MS17-011: Security update for Microsoft Uniscribe: March 14, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0084", "CVE-2017-0117", "CVE-2017-0090", "CVE-2017-0089", "CVE-2017-0091", "CVE-2017-0115", "CVE-2017-0116", "CVE-2017-0086", "CVE-2017-0113", "CVE-2017-0112", "CVE-2017-0083", "CVE-2017-0087", "CVE-2017-0092", "CVE-2017-0085", "CVE-2017-0088", "CVE-2017-0072", "CVE-2017-0114", "CVE-2017-0111"], "modified": "2017-03-14T17:40:17", "id": "KB4013076", "href": "https://support.microsoft.com/en-us/help/4013076/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:22:07", "description": "The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Windows Uniscribe due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit these to execute arbitrary code by convincing a user to view a specially crafted website or open a specially crafted document file.\n (CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, CVE-2017-0090)\n\n - Multiple information disclosure vulnerabilities exist in Windows Uniscribe that allow an unauthenticated, remote attacker to gain access to sensitive information by convincing a user to view a specially crafted website or open a specially crafted document file. (CVE-2017-0085, CVE-2017-0091, CVE-2017-0092, CVE-2017-0111, CVE-2017-0112, CVE-2017-0113, CVE-2017-0114, CVE-2017-0115, CVE-2017-0116, CVE-2017-0117, CVE-2017-0118, CVE-2017-0119, CVE-2017-0120, CVE-2017-0121, CVE-2017-0122, CVE-2017-0123, CVE-2017-0124, CVE-2017-0125, CVE-2017-0126, CVE-2017-0127, CVE-2017-0128)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-03-14T00:00:00", "type": "nessus", "title": "MS17-011: Security Update for Microsoft Uniscribe (4013076)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0085", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090", "CVE-2017-0091", "CVE-2017-0092", "CVE-2017-0111", "CVE-2017-0112", "CVE-2017-0113", "CVE-2017-0114", "CVE-2017-0115", "CVE-2017-0116", "CVE-2017-0117", "CVE-2017-0118", "CVE-2017-0119", "CVE-2017-0120", "CVE-2017-0121", "CVE-2017-0122", "CVE-2017-0123", "CVE-2017-0124", "CVE-2017-0125", "CVE-2017-0126", "CVE-2017-0127", "CVE-2017-0128"], "modified": "2019-11-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17-011.NASL", "href": "https://www.tenable.com/plugins/nessus/97732", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97732);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2017-0072\",\n \"CVE-2017-0083\",\n \"CVE-2017-0084\",\n \"CVE-2017-0085\",\n \"CVE-2017-0086\",\n \"CVE-2017-0087\",\n \"CVE-2017-0088\",\n \"CVE-2017-0089\",\n \"CVE-2017-0090\",\n \"CVE-2017-0091\",\n \"CVE-2017-0092\",\n \"CVE-2017-0111\",\n \"CVE-2017-0112\",\n \"CVE-2017-0113\",\n \"CVE-2017-0114\",\n \"CVE-2017-0115\",\n \"CVE-2017-0116\",\n \"CVE-2017-0117\",\n \"CVE-2017-0118\",\n \"CVE-2017-0119\",\n \"CVE-2017-0120\",\n \"CVE-2017-0121\",\n \"CVE-2017-0122\",\n \"CVE-2017-0123\",\n \"CVE-2017-0124\",\n \"CVE-2017-0125\",\n \"CVE-2017-0126\",\n \"CVE-2017-0127\",\n \"CVE-2017-0128\"\n );\n script_bugtraq_id(\n 96599,\n 96603,\n 96604,\n 96605,\n 96606,\n 96607,\n 96608,\n 96610,\n 96652,\n 96657,\n 96658,\n 96659,\n 96660,\n 96661,\n 96663,\n 96665,\n 96666,\n 96667,\n 96668,\n 96669,\n 96670,\n 96672,\n 96673,\n 96674,\n 96675,\n 96676,\n 96678,\n 96679,\n 96680\n );\n script_xref(name:\"MSFT\", value:\"MS17-011\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012583\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"IAVA\", value:\"2017-A-0066\");\n\n script_name(english:\"MS17-011: Security Update for Microsoft Uniscribe (4013076)\");\n script_summary(english:\"Checks the version of Gdi32.dll and for rollup patches applied.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist\n in Windows Uniscribe due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these to execute arbitrary code by\n convincing a user to view a specially crafted website\n or open a specially crafted document file.\n (CVE-2017-0072, CVE-2017-0083, CVE-2017-0084,\n CVE-2017-0086, CVE-2017-0087, CVE-2017-0088,\n CVE-2017-0089, CVE-2017-0090)\n\n - Multiple information disclosure vulnerabilities exist\n in Windows Uniscribe that allow an unauthenticated,\n remote attacker to gain access to sensitive\n information by convincing a user to view a specially\n crafted website or open a specially crafted document\n file. (CVE-2017-0085, CVE-2017-0091, CVE-2017-0092,\n CVE-2017-0111, CVE-2017-0112, CVE-2017-0113,\n CVE-2017-0114, CVE-2017-0115, CVE-2017-0116,\n CVE-2017-0117, CVE-2017-0118, CVE-2017-0119,\n CVE-2017-0120, CVE-2017-0121, CVE-2017-0122,\n CVE-2017-0123, CVE-2017-0124, CVE-2017-0125,\n CVE-2017-0126, CVE-2017-0127, CVE-2017-0128)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-011\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-011';\nkbs = make_list(\n \"4012212\", # Security Only for Windows 7 SP1 and Server 2008 R2 SP1\n \"4012213\", # Security Only for Windows 8.1 and Windows 2012 R2\n \"4012214\", # Security Only for Windows Server 2012\n \"4012215\", # Security only for Windows 7 SP1 and Server 2008 R2 SP1\n \"4012216\", # Security only for Windows 8.1 and Windows Server 2012 R2\n \"4012217\", # Monthly Rollup for Windows Server 2012\n \"4012583\", # Vista / 2008\n \"4012606\", # Win 10\n \"4013198\", # Win 10 1511 (AKA 10586)\n \"4013429\" # Win 10 1607 (AKA 14393)\n);\n\nif (get_kb_item(\"Host/patch_management_checks\"))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Gdi32.dll\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4012583\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Gdi32.dll\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4012583\") ||\n # Windows 7 / Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n # Windows Server 2012\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217)) ||\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n # Windows 10 1607 / Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-08T23:19:49", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-011.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Microsoft Uniscribe Multiple Vulnerabilities (4013076)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0118", "CVE-2017-0084", "CVE-2017-0117", "CVE-2017-0125", "CVE-2017-0090", "CVE-2017-0089", "CVE-2017-0091", "CVE-2017-0115", "CVE-2017-0121", "CVE-2017-0116", "CVE-2017-0120", "CVE-2017-0086", "CVE-2017-0124", "CVE-2017-0119", "CVE-2017-0126", "CVE-2017-0113", "CVE-2017-0112", "CVE-2017-0083", "CVE-2017-0087", "CVE-2017-0123", "CVE-2017-0092", "CVE-2017-0085", "CVE-2017-0122", "CVE-2017-0088", "CVE-2017-0128", "CVE-2017-0072", "CVE-2017-0114", "CVE-2017-0111", "CVE-2017-0127"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310810812", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810812", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Uniscribe Multiple Vulnerabilities (4013076)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810812\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0072\", \"CVE-2017-0083\", \"CVE-2017-0084\", \"CVE-2017-0085\",\n \"CVE-2017-0086\", \"CVE-2017-0087\", \"CVE-2017-0088\", \"CVE-2017-0089\",\n \"CVE-2017-0090\", \"CVE-2017-0091\", \"CVE-2017-0092\", \"CVE-2017-0111\",\n \"CVE-2017-0112\", \"CVE-2017-0113\", \"CVE-2017-0114\", \"CVE-2017-0115\",\n \"CVE-2017-0116\", \"CVE-2017-0117\", \"CVE-2017-0118\", \"CVE-2017-0119\",\n \"CVE-2017-0120\", \"CVE-2017-0121\", \"CVE-2017-0122\", \"CVE-2017-0123\",\n \"CVE-2017-0124\", \"CVE-2017-0125\", \"CVE-2017-0126\", \"CVE-2017-0127\",\n \"CVE-2017-0128\");\n script_bugtraq_id(96599, 96608, 96610, 96652, 96603, 96604, 96605, 96606, 96607,\n 96657, 96676, 96658, 96659, 96660, 96661, 96663, 96665, 96679,\n 96680, 96666, 96667, 96678, 96668, 96669, 96670, 96672, 96673,\n 96674, 96675);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 10:00:42 +0530 (Wed, 15 Mar 2017)\");\n script_name(\"Microsoft Uniscribe Multiple Vulnerabilities (4013076)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-011.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - The way Windows Uniscribe handles objects in memory.\n\n - When Windows Uniscribe improperly discloses the contents of its memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to take control of the affected system, also to obtain information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1\n\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-011\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2, winVistax64:3,\n win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1,\n win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nusrVer = fetch_file_version(sysPath:sysPath, file_name:\"System32\\Usp10.dll\");\nmshVer = fetch_file_version(sysPath:sysPath, file_name:\"System32\\Mshtml.dll\");\nicmVer = fetch_file_version(sysPath:sysPath, file_name:\"System32\\Icm32.dll\");\n\nif(!usrVer && !mshVer && !icmVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && usrVer)\n{\n if(version_is_less(version:usrVer, test_version:\"1.626.7601.23688\"))\n {\n Vulnerable_range1 = \"Less than 1.626.7601.23688\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0 && usrVer)\n{\n if(version_is_less(version:usrVer, test_version:\"1.626.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 1.626.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:usrVer, test_version:\"1.626.6002.24000\", test_version2:\"1.626.6002.24066\"))\n {\n Vulnerable_range1 = \"1.626.6002.24000 - 1.626.6002.24066\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0 && mshVer)\n{\n if(version_is_less(version:mshVer, test_version:\"10.0.9200.22104\"))\n {\n Vulnerable_range = \"Less than 10.0.9200.22104\";\n VULN = TRUE ;\n }\n\n else if(version_is_less(version:icmVer, test_version:\"6.2.9200.22086\"))\n {\n Vulnerable_range2 = \"Less than 6.2.9200.22086\";\n VULN2 = TRUE ;\n }\n}\n\n## Win 8.1 and win2012R2\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:icmVer, test_version:\"6.3.9600.18589\"))\n {\n report = 'File checked: ' + sysPath + \"\\system32\\Icm32.dll\" + '\\n' +\n 'File version: ' + icmVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18589\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0 && mshVer)\n{\n if(version_is_less(version:mshVer, test_version:\"11.0.10240.17319\") )\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE;\n }\n\n else if(version_in_range(version:mshVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:mshVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n}\n\nif(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\System32\\Usp10.dll\" + '\\n' +\n 'File version: ' + usrVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\System32\\Mshtml.dll\" + '\\n' +\n 'File version: ' + mshVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\System32\\icm32.dll\" + '\\n' +\n 'File version: ' + icmVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:18:33", "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Windows Uniscribe. Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS17-011](<https://technet.microsoft.com/en-us/library/security/ms17-011.aspx>) \n[CVE-2017-0072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0072>) \n[CVE-2017-0083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0083>) \n[CVE-2017-0084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0084>) \n[CVE-2017-0085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0085>) \n[CVE-2017-0086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0086>) \n[CVE-2017-0087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0087>) \n[CVE-2017-0088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0088>) \n[CVE-2017-0089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0089>) \n[CVE-2017-0090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0090>) \n[CVE-2017-0091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0091>) \n[CVE-2017-0092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0092>) \n[CVE-2017-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0111>) \n[CVE-2017-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0112>) \n[CVE-2017-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0113>) \n[CVE-2017-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0114>) \n[CVE-2017-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0115>) \n[CVE-2017-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0116>) \n[CVE-2017-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0117>) \n[CVE-2017-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0118>) \n[CVE-2017-0119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0119>) \n[CVE-2017-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0120>) \n[CVE-2017-0121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0121>) \n[CVE-2017-0122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0122>) \n[CVE-2017-0123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0123>) \n[CVE-2017-0124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0124>) \n[CVE-2017-0125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0125>) \n[CVE-2017-0126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0126>) \n[CVE-2017-0127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0127>) \n[CVE-2017-0128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0128>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0072>)9.3Critical \n[CVE-2017-0083](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0083>)9.3Critical \n[CVE-2017-0084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0084>)9.3Critical \n[CVE-2017-0085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0085>)4.3Warning \n[CVE-2017-0086](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0086>)9.3Critical \n[CVE-2017-0087](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0087>)9.3Critical \n[CVE-2017-0088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0088>)9.3Critical \n[CVE-2017-0089](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0089>)9.3Critical \n[CVE-2017-0090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0090>)9.3Critical \n[CVE-2017-0091](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0091>)4.3Warning \n[CVE-2017-0092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0092>)4.3Warning \n[CVE-2017-0111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0111>)4.3Warning \n[CVE-2017-0112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0112>)4.3Warning \n[CVE-2017-0113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0113>)4.3Warning \n[CVE-2017-0114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0114>)4.3Warning \n[CVE-2017-0115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0115>)4.3Warning \n[CVE-2017-0116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0116>)4.3Warning \n[CVE-2017-0117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0117>)4.3Warning \n[CVE-2017-0118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0118>)4.3Warning \n[CVE-2017-0119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0119>)4.3Warning \n[CVE-2017-0120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0120>)4.3Warning \n[CVE-2017-0121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0121>)4.3Warning \n[CVE-2017-0122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0122>)4.3Warning \n[CVE-2017-0123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0123>)4.3Warning \n[CVE-2017-0124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0124>)4.3Warning \n[CVE-2017-0125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0125>)4.3Warning \n[CVE-2017-0126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0126>)4.3Warning \n[CVE-2017-0127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0127>)4.3Warning \n[CVE-2017-0128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0128>)4.3Warning\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4013076](<http://support.microsoft.com/kb/4013076>) \n[4012583](<http://support.microsoft.com/kb/4012583>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:00:00", "type": "kaspersky", "title": "KLA10978 Multiple vulnerabilities in Windows Uniscribe", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0072", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0085", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090", "CVE-2017-0091", "CVE-2017-0092", "CVE-2017-0111", "CVE-2017-0112", "CVE-2017-0113", "CVE-2017-0114", "CVE-2017-0115", "CVE-2017-0116", "CVE-2017-0117", "CVE-2017-0118", "CVE-2017-0119", "CVE-2017-0120", "CVE-2017-0121", "CVE-2017-0122", "CVE-2017-0123", "CVE-2017-0124", "CVE-2017-0125", "CVE-2017-0126", "CVE-2017-0127", "CVE-2017-0128"], "modified": "2020-06-18T00:00:00", "id": "KLA10978", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10978/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T20:05:03", "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information, cause denial of service.\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:\n\n### *Affected products*:\nMicrosoft Silverlight 5 when installed on Microsoft Windows (x64-based) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Vista x64 Edition Service Pack 2 \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nSkype for Business 2016 (64-bit) \nWindows 8.1 for x64-based systems \nWindows 8.1 for 32-bit systems \nWindows Vista Service Pack 2 \nMicrosoft XML Core Services 3.0 \nMicrosoft Lync 2013 Service Pack 1 (64-bit) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nMicrosoft Lync Basic 2013 Service Pack 1 (64-bit) \nWindows Server 2016 \nMicrosoft Lync 2010 Attendee (admin level install) \nSkype for Business 2016 Basic (32-bit) \nMicrosoft Live Meeting 2007 Add-in \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows RT 8.1 \nSkype for Business 2016 (32-bit) \nMicrosoft Lync 2010 Attendee (user level install) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nMicrosoft Lync 2010 (64-bit) \nMicrosoft Office Word Viewer \nMicrosoft Live Meeting 2007 Console \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (32-bit) \nMicrosoft Edge (EdgeHTML-based) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (x64-based) \nMicrosoft Office 2007 Service Pack 3 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nSkype for Business 2016 Basic (64-bit) \nMicrosoft Lync Basic 2013 Service Pack 1 (32-bit) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nMicrosoft Lync 2010 (32-bit) \nMicrosoft Silverlight 5 when installed on Microsoft Windows (32-bit) \nWindows Server 2012 R2 \nMicrosoft Lync 2013 Service Pack 1 (32-bit)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0108](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0108>) \n[CVE-2017-0109](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0109>) \n[CVE-2017-0072](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0072>) \n[CVE-2017-0100](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0100>) \n[CVE-2017-0101](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0101>) \n[CVE-2017-0102](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0102>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0143>) \n[CVE-2017-0104](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0104>) \n[CVE-2017-0022](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0022>) \n[CVE-2017-0001](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0001>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0145>) \n[CVE-2017-0120](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0120>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0147>) \n[CVE-2017-0005](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0005>) \n[CVE-2017-0127](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0127>) \n[CVE-2017-0124](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0124>) \n[CVE-2017-0125](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0125>) \n[CVE-2017-0009](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0009>) \n[CVE-2017-0008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0008>) \n[CVE-2017-0047](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0047>) \n[CVE-2017-0060](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0060>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0148>) \n[CVE-2017-0061](<https://nvd.nist.gov/vuln/detail/CVE-2017-0061>) \n[CVE-2017-0043](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0043>) \n[CVE-2017-0042](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0042>) \n[CVE-2017-0045](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0045>) \n[CVE-2017-0119](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0119>) \n[CVE-2017-0062](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0062>) \n[CVE-2017-0149](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0149>) \n[CVE-2017-0099](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0099>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0144>) \n[CVE-2017-0040](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0040>) \n[CVE-2017-0090](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0090>) \n[CVE-2017-0091](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0091>) \n[CVE-2017-0096](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0096>) \n[CVE-2017-0097](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0097>) \n[CVE-2017-0038](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0038>) \n[CVE-2017-0039](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0039>) \n[CVE-2017-0103](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0103>) \n[CVE-2017-0063](<https://nvd.nist.gov/vuln/detail/CVE-2017-0063>) \n[CVE-2017-0118](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0118>) \n[CVE-2017-0117](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0117>) \n[CVE-2017-0116](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0116>) \n[CVE-2017-0115](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0115>) \n[CVE-2017-0114](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0114>) \n[CVE-2017-0113](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0113>) \n[CVE-2017-0112](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0112>) \n[CVE-2017-0111](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0111>) \n[CVE-2017-0092](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0092>) \n[CVE-2017-0076](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0076>) \n[CVE-2017-0014](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0014>) \n[CVE-2017-0059](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0059>) \n[CVE-2017-0056](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0056>) \n[CVE-2017-0055](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0055>) \n[CVE-2017-0050](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0050>) \n[CVE-2017-0123](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0123>) \n[CVE-2017-0122](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0122>) \n[CVE-2017-0073](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0073>) \n[CVE-2017-0075](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0075>) \n[CVE-2017-0025](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0025>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0146>) \n[CVE-2017-0128](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0128>) \n[CVE-2017-0089](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0089>) \n[CVE-2017-0088](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0088>) \n[CVE-2017-0121](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0121>) \n[CVE-2017-0130](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0130>) \n[CVE-2017-0126](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0126>) \n[CVE-2017-0083](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0083>) \n[CVE-2017-0085](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0085>) \n[CVE-2017-0084](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0084>) \n[CVE-2017-0087](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0087>) \n[CVE-2017-0086](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0086>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-0042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0042>)2.6Warning \n[CVE-2017-0096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0096>)2.3Warning \n[CVE-2017-0097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0097>)2.3Warning \n[CVE-2017-0099](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0099>)2.3Warning \n[CVE-2017-0109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0109>)7.4High \n[CVE-2017-0075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0075>)7.4High \n[CVE-2017-0076](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0076>)2.9Warning \n[CVE-2017-0055](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0055>)4.3Warning \n[CVE-2017-0102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0102>)4.6Warning \n[CVE-2017-0103](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0103>)4.4Warning \n[CVE-2017-0101](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0101>)6.8High \n[CVE-2017-0050](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0050>)7.2High \n[CVE-2017-0056](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0056>)7.2High \n[CVE-2017-0043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0043>)2.9Warning \n[CVE-2017-0045](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0045>)4.3Warning \n[CVE-2017-0022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0022>)4.3Warning \n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>)9.3Critical \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)9.3Critical \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>)9.3Critical \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>)9.3Critical \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>)4.3Warning \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>)9.3Critical \n[CVE-2017-0014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0014>)7.6Critical \n[CVE-2017-0060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0060>)1.9Warning \n[CVE-2017-0061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0061>)2.6Warning \n[CVE-2017-0062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0062>)1.9Warning \n[CVE-2017-0063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0063>)4.3Warning \n[CVE-2017-0025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0025>)7.2High \n[CVE-2017-0073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0073>)4.3Warning \n[CVE-2017-0108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0108>)9.3Critical \n[CVE-2017-0038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0038>)4.3Warning \n[CVE-2017-0001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0001>)7.2High \n[CVE-2017-0005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0005>)6.9High \n[CVE-2017-0047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0047>)7.2High \n[CVE-2017-0072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0072>)9.3Critical \n[CVE-2017-0083](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0083>)9.3Critical \n[CVE-2017-0084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0084>)9.3Critical \n[CVE-2017-0085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0085>)4.3Warning \n[CVE-2017-0086](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0086>)9.3Critical \n[CVE-2017-0087](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0087>)9.3Critical \n[CVE-2017-0088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0088>)9.3Critical \n[CVE-2017-0089](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0089>)9.3Critical \n[CVE-2017-0090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0090>)9.3Critical \n[CVE-2017-0091](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0091>)4.3Warning \n[CVE-2017-0092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0092>)4.3Warning \n[CVE-2017-0111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0111>)4.3Warning \n[CVE-2017-0112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0112>)4.3Warning \n[CVE-2017-0113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0113>)4.3Warning \n[CVE-2017-0114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0114>)4.3Warning \n[CVE-2017-0115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0115>)4.3Warning \n[CVE-2017-0116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0116>)4.3Warning \n[CVE-2017-0117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0117>)4.3Warning \n[CVE-2017-0118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0118>)4.3Warning \n[CVE-2017-0119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0119>)4.3Warning \n[CVE-2017-0120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0120>)4.3Warning \n[CVE-2017-0121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0121>)4.3Warning \n[CVE-2017-0122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0122>)4.3Warning \n[CVE-2017-0123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0123>)4.3Warning \n[CVE-2017-0124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0124>)4.3Warning \n[CVE-2017-0125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0125>)4.3Warning \n[CVE-2017-0126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0126>)4.3Warning \n[CVE-2017-0127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0127>)4.3Warning \n[CVE-2017-0128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0128>)4.3Warning \n[CVE-2017-0009](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0009>)4.3Warning \n[CVE-2017-0059](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0059>)4.3Warning \n[CVE-2017-0130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0130>)7.6Critical \n[CVE-2017-0149](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0149>)7.6Critical \n[CVE-2017-0008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0008>)4.3Warning \n[CVE-2017-0040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0040>)7.6Critical \n[CVE-2017-0100](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0100>)4.4Warning \n[CVE-2017-0104](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0104>)9.3Critical \n[CVE-2017-0039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0039>)9.3Critical\n\n### *KB list*:\n[4012204](<http://support.microsoft.com/kb/4012204>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[3211306](<http://support.microsoft.com/kb/3211306>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012598](<http://support.microsoft.com/kb/4012598>) \n[4012583](<http://support.microsoft.com/kb/4012583>) \n[3217587](<http://support.microsoft.com/kb/3217587>) \n[4012021](<http://support.microsoft.com/kb/4012021>) \n[4012373](<http://support.microsoft.com/kb/4012373>) \n[4012497](<http://support.microsoft.com/kb/4012497>) \n[4017018](<http://support.microsoft.com/kb/4017018>) \n[4012584](<http://support.microsoft.com/kb/4012584>) \n[3218362](<http://support.microsoft.com/kb/3218362>) \n[4011981](<http://support.microsoft.com/kb/4011981>) \n[3217882](<http://support.microsoft.com/kb/3217882>) \n[3214051](<http://support.microsoft.com/kb/3214051>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:00:00", "type": "kaspersky", "title": "KLA11902 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0001", "CVE-2017-0005", "CVE-2017-0008", "CVE-2017-0009", "CVE-2017-0014", "CVE-2017-0022", "CVE-2017-0025", "CVE-2017-0038", "CVE-2017-0039", "CVE-2017-0040", "CVE-2017-0042", "CVE-2017-0043", "CVE-2017-0045", "CVE-2017-0047", "CVE-2017-0050", "CVE-2017-0055", "CVE-2017-0056", "CVE-2017-0059", "CVE-2017-0060", "CVE-2017-0061", "CVE-2017-0062", "CVE-2017-0063", "CVE-2017-0072", "CVE-2017-0073", "CVE-2017-0075", "CVE-2017-0076", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0085", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090", "CVE-2017-0091", "CVE-2017-0092", "CVE-2017-0096", "CVE-2017-0097", "CVE-2017-0099", "CVE-2017-0100", "CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0103", "CVE-2017-0104", "CVE-2017-0108", "CVE-2017-0109", "CVE-2017-0111", "CVE-2017-0112", "CVE-2017-0113", "CVE-2017-0114", "CVE-2017-0115", "CVE-2017-0116", "CVE-2017-0117", "CVE-2017-0118", "CVE-2017-0119", "CVE-2017-0120", "CVE-2017-0121", "CVE-2017-0122", "CVE-2017-0123", "CVE-2017-0124", "CVE-2017-0125", "CVE-2017-0126", "CVE-2017-0127", "CVE-2017-0128", "CVE-2017-0130", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0149"], "modified": "2022-01-25T00:00:00", "id": "KLA11902", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11902/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-01T00:00:00", "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, gain privileges, obtain sensitive information and cause a denial of service.\n\n### *Affected products*:\nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS17-012](<https://technet.microsoft.com/library/security/MS17-012>) \n[CVE-2017-0051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0051>) \n[CVE-2017-0021](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0021>) \n[CVE-2017-0095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0095>) \n[CVE-2017-0096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0096>) \n[CVE-2017-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0097>) \n[CVE-2017-0098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0098>) \n[CVE-2017-0099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0099>) \n[CVE-2017-0109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0109>) \n[CVE-2017-0074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0074>) \n[CVE-2017-0075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0075>) \n[CVE-2017-0076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0076>) \n[CVE-2017-0055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0055>) \n[CVE-2017-0102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0102>) \n[CVE-2017-0103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0103>) \n[CVE-2017-0101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0101>) \n[CVE-2017-0050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0050>) \n[CVE-2017-0056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0056>) \n[CVE-2017-0024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0024>) \n[CVE-2017-0026](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0026>) \n[CVE-2017-0078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0078>) \n[CVE-2017-0079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0079>) \n[CVE-2017-0080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0080>) \n[CVE-2017-0081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0081>) \n[CVE-2017-0082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0082>) \n[CVE-2017-0043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0043>) \n[CVE-2017-0045](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0045>) \n[CVE-2017-0022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0022>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n[CVE-2017-0014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0014>) \n[CVE-2017-0060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0060>) \n[CVE-2017-0061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0061>) \n[CVE-2017-0062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0062>) \n[CVE-2017-0063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0063>) \n[CVE-2017-0025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0025>) \n[CVE-2017-0073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0073>) \n[CVE-2017-0108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0108>) \n[CVE-2017-0038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0038>) \n[CVE-2017-0001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) \n[CVE-2017-0005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0005>) \n[CVE-2017-0047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0047>) \n[CVE-2017-0072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0072>) \n[CVE-2017-0083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0083>) \n[CVE-2017-0084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0084>) \n[CVE-2017-0085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0085>) \n[CVE-2017-0086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0086>) \n[CVE-2017-0087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0087>) \n[CVE-2017-0088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0088>) \n[CVE-2017-0089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0089>) \n[CVE-2017-0090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0090>) \n[CVE-2017-0091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0091>) \n[CVE-2017-0092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0092>) \n[CVE-2017-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0111>) \n[CVE-2017-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0112>) \n[CVE-2017-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0113>) \n[CVE-2017-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0114>) \n[CVE-2017-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0115>) \n[CVE-2017-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0116>) \n[CVE-2017-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0117>) \n[CVE-2017-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0118>) \n[CVE-2017-0119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0119>) \n[CVE-2017-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0120>) \n[CVE-2017-0121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0121>) \n[CVE-2017-0122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0122>) \n[CVE-2017-0123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0123>) \n[CVE-2017-0124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0124>) \n[CVE-2017-0125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0125>) \n[CVE-2017-0126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0126>) \n[CVE-2017-0127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0127>) \n[CVE-2017-0128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0128>) \n[CVE-2017-0130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0130>) \n[CVE-2017-0008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0008>) \n[CVE-2017-0057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0057>) \n[CVE-2017-0100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0100>) \n[CVE-2017-0104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0104>) \n[CVE-2017-0007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0007>) \n[CVE-2017-0016](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0016>) \n[CVE-2017-0039](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0039>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0051](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0051>)2.9Warning \n[CVE-2017-0021](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0021>)7.7Critical \n[CVE-2017-0095](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0095>)7.9Critical \n[CVE-2017-0096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0096>)2.3Warning \n[CVE-2017-0097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0097>)2.3Warning \n[CVE-2017-0098](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0098>)2.9Warning \n[CVE-2017-0099](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0099>)2.3Warning \n[CVE-2017-0109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0109>)7.4High \n[CVE-2017-0074](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0074>)2.3Warning \n[CVE-2017-0075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0075>)7.4High \n[CVE-2017-0076](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0076>)2.9Warning \n[CVE-2017-0055](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0055>)4.3Warning \n[CVE-2017-0102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0102>)4.6Warning \n[CVE-2017-0103](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0103>)4.4Warning \n[CVE-2017-0101](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0101>)6.8High \n[CVE-2017-0050](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0050>)7.2High \n[CVE-2017-0056](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0056>)7.2High \n[CVE-2017-0024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0024>)7.2High \n[CVE-2017-0026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0026>)7.2High \n[CVE-2017-0078](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0078>)7.2High \n[CVE-2017-0079](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0079>)7.2High \n[CVE-2017-0080](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0080>)7.2High \n[CVE-2017-0081](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0081>)7.2High \n[CVE-2017-0082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0082>)7.2High \n[CVE-2017-0043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0043>)2.9Warning \n[CVE-2017-0045](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0045>)4.3Warning \n[CVE-2017-0022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0022>)4.3Warning \n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>)9.3Critical \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)9.3Critical \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>)9.3Critical \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>)9.3Critical \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>)4.3Warning \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>)9.3Critical \n[CVE-2017-0014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0014>)7.6Critical \n[CVE-2017-0060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0060>)1.9Warning \n[CVE-2017-0061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0061>)2.6Warning \n[CVE-2017-0062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0062>)1.9Warning \n[CVE-2017-0063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0063>)4.3Warning \n[CVE-2017-0025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0025>)7.2High \n[CVE-2017-0073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0073>)4.3Warning \n[CVE-2017-0108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0108>)9.3Critical \n[CVE-2017-0038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0038>)4.3Warning \n[CVE-2017-0001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0001>)7.2High \n[CVE-2017-0005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0005>)6.9High \n[CVE-2017-0047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0047>)7.2High \n[CVE-2017-0072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0072>)9.3Critical \n[CVE-2017-0083](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0083>)9.3Critical \n[CVE-2017-0084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0084>)9.3Critical \n[CVE-2017-0085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0085>)4.3Warning \n[CVE-2017-0086](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0086>)9.3Critical \n[CVE-2017-0087](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0087>)9.3Critical \n[CVE-2017-0088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0088>)9.3Critical \n[CVE-2017-0089](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0089>)9.3Critical \n[CVE-2017-0090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0090>)9.3Critical \n[CVE-2017-0091](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0091>)4.3Warning \n[CVE-2017-0092](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0092>)4.3Warning \n[CVE-2017-0111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0111>)4.3Warning \n[CVE-2017-0112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0112>)4.3Warning \n[CVE-2017-0113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0113>)4.3Warning \n[CVE-2017-0114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0114>)4.3Warning \n[CVE-2017-0115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0115>)4.3Warning \n[CVE-2017-0116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0116>)4.3Warning \n[CVE-2017-0117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0117>)4.3Warning \n[CVE-2017-0118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0118>)4.3Warning \n[CVE-2017-0119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0119>)4.3Warning \n[CVE-2017-0120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0120>)4.3Warning \n[CVE-2017-0121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0121>)4.3Warning \n[CVE-2017-0122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0122>)4.3Warning \n[CVE-2017-0123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0123>)4.3Warning \n[CVE-2017-0124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0124>)4.3Warning \n[CVE-2017-0125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0125>)4.3Warning \n[CVE-2017-0126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0126>)4.3Warning \n[CVE-2017-0127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0127>)4.3Warning \n[CVE-2017-0128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0128>)4.3Warning \n[CVE-2017-0130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0130>)7.6Critical \n[CVE-2017-0008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0008>)4.3Warning \n[CVE-2017-0057](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0057>)4.3Warning \n[CVE-2017-0100](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0100>)4.4Warning \n[CVE-2017-0104](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0104>)9.3Critical \n[CVE-2017-0007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0007>)2.1Warning \n[CVE-2017-0016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0016>)7.1High \n[CVE-2017-0039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0039>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[3211306](<http://support.microsoft.com/kb/3211306>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>) \n[4012583](<http://support.microsoft.com/kb/4012583>) \n[3217587](<http://support.microsoft.com/kb/3217587>) \n[4012021](<http://support.microsoft.com/kb/4012021>) \n[4012373](<http://support.microsoft.com/kb/4012373>) \n[4012497](<http://support.microsoft.com/kb/4012497>) \n[4017018](<http://support.microsoft.com/kb/4017018>) \n[4012584](<http://support.microsoft.com/kb/4012584>) \n[3218362](<http://support.microsoft.com/kb/3218362>) \n[3205715](<http://support.microsoft.com/kb/3205715>) \n[4011981](<http://support.microsoft.com/kb/4011981>) \n[3217882](<http://support.microsoft.com/kb/3217882>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-14T00:00:00", "type": "kaspersky", "title": "KLA10979 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0001", "CVE-2017-0005", "CVE-2017-0007", "CVE-2017-0008", "CVE-2017-0014", "CVE-2017-0016", "CVE-2017-0021", "CVE-2017-0022", "CVE-2017-0024", "CVE-2017-0025", "CVE-2017-0026", "CVE-2017-0038", "CVE-2017-0039", "CVE-2017-0043", "CVE-2017-0045", "CVE-2017-0047", "CVE-2017-0050", "CVE-2017-0051", "CVE-2017-0055", "CVE-2017-0056", "CVE-2017-0057", "CVE-2017-0060", "CVE-2017-0061", "CVE-2017-0062", "CVE-2017-0063", "CVE-2017-0072", "CVE-2017-0073", "CVE-2017-0074", "CVE-2017-0075", "CVE-2017-0076", "CVE-2017-0078", "CVE-2017-0079", "CVE-2017-0080", "CVE-2017-0081", "CVE-2017-0082", "CVE-2017-0083", "CVE-2017-0084", "CVE-2017-0085", "CVE-2017-0086", "CVE-2017-0087", "CVE-2017-0088", "CVE-2017-0089", "CVE-2017-0090", "CVE-2017-0091", "CVE-2017-0092", "CVE-2017-0095", "CVE-2017-0096", "CVE-2017-0097", "CVE-2017-0098", "CVE-2017-0099", "CVE-2017-0100", "CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0103", "CVE-2017-0104", "CVE-2017-0108", "CVE-2017-0109", "CVE-2017-0111", "CVE-2017-0112", "CVE-2017-0113", "CVE-2017-0114", "CVE-2017-0115", "CVE-2017-0116", "CVE-2017-0117", "CVE-2017-0118", "CVE-2017-0119", "CVE-2017-0120", "CVE-2017-0121", "CVE-2017-0122", "CVE-2017-0123", "CVE-2017-0124", "CVE-2017-0125", "CVE-2017-0126", "CVE-2017-0127", "CVE-2017-0128", "CVE-2017-0130", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "modified": "2022-01-25T00:00:00", "id": "KLA10979", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10979/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}