Microsoft SharePoint Server CVE-2017-11777 Cross Site Scripting Vulnerability
2017-10-10T00:00:00
ID: SMNTC-101155
Type: symantec
Reporter: Symantec Security Response
Modified: 2017-10-10T00:00:00
Description
Microsoft SharePoint Server is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions such as reading, modifying, or deleting content on behalf of the victim on the SharePoint site.
Technologies Affected
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Recommendations
Block external access at the network boundary, unless external parties require service.
Filter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Set web browser security to disable the execution of JavaScript.
Since exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code.
Updates are available. Please see the references or vendor advisory for more information.
infos = get_app_version_and_location( cpe:\"cpe:/a:microsoft:sharepoint_server\", exit_no_version:TRUE ) ) exit( 0 );\nshareVer = infos['version'];\nif(!shareVer || shareVer !~ \"^15\\.\"){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Office15.OSERVER\",\n item:\"InstallLocation\");\nif(path)\n{\n path = path + \"\\15.0\\WebServices\\ConversionServices\";\n\n dllVer = fetch_file_version(sysPath:path, file_name:\"msoserver.dll\");\n if(dllVer && dllVer =~ \"^15\\.\")\n {\n if(version_is_less(version:dllVer, test_version:\"15.0.4971.1000\"))\n {\n report = 'File checked: ' + path + \"\\msoserver.dll\"+ '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: ' + \"15.0 - 15.0.4971.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2019-11-17T19:32:50", "bulletinFamily": "scanner", "description": "The Microsoft Sharepoint Server installation on the remote\nhost is missing security updates. It is, therefore, affected\nby multiple vulnerabilities :\n\n - A cross-site scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. 
The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS17_OCT_OFFICE_SHAREPOINT.NASL", "href": "https://www.tenable.com/plugins/nessus/103786", "published": "2017-10-11T00:00:00", "title": "Security Updates for Microsoft Sharepoint Server (October 2017)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103786);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-11775\",\n \"CVE-2017-11777\",\n \"CVE-2017-11820\",\n \"CVE-2017-11826\"\n );\n script_bugtraq_id(\n 101097,\n 101105,\n 101155,\n 101219\n );\n script_xref(name:\"MSKB\", value:\"3213623\");\n script_xref(name:\"MSKB\", value:\"4011068\");\n script_xref(name:\"MSKB\", value:\"4011170\");\n script_xref(name:\"MSKB\", value:\"4011180\");\n script_xref(name:\"MSKB\", value:\"4011217\");\n script_xref(name:\"MSFT\", value:\"MS17-3213623\");\n script_xref(name:\"MSFT\", value:\"MS17-4011068\");\n script_xref(name:\"MSFT\", value:\"MS17-4011170\");\n script_xref(name:\"MSFT\", value:\"MS17-4011180\");\n script_xref(name:\"MSFT\", value:\"MS17-4011217\");\n script_xref(name:\"IAVA\", value:\"2017-A-0291\");\n\n script_name(english:\"Security Updates for Microsoft Sharepoint Server (October 2017)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Sharepoint Server installation on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Sharepoint Server installation on the remote\nhost is missing security updates. 
It is, therefore, affected\nby multiple vulnerabilities :\n\n - A cross-site scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. (CVE-2017-11775,\n CVE-2017-11777, CVE-2017-11820)\n\n - A remote code execution vulnerability exists in\n Microsoft Office software when the software fails to\n properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the current user. If\n the current user is logged on with administrative user\n rights, an attacker could take control of the affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2017-11826)\");\n # https://support.microsoft.com/en-us/help/4011117/descriptionofthesecurityupdateforsharepointfoundation2013september12-2\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a44abe21\");\n # https://support.microsoft.com/en-us/help/4011068/security-update-for-word-automation-services-for-sharepoint\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9244fe07\");\n # https://support.microsoft.com/en-us/help/4011170/description-of-the-security-update-for-sharepoint-server-2013-october\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd221883\");\n # https://support.microsoft.com/en-us/help/4011180/descriptionofthesecurityupdateforsharepointfoundation2013october10-201\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f914ba0b\");\n # https://support.microsoft.com/en-us/help/4011217/security-update-for-sharepoint-enterprise-server-2016\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aaee58c0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB3213623\n -KB4011068\n -KB4011170\n -KB4011180\n -KB4011217\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11826\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_foundation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"microsoft_office_compatibility_pack_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list(\n '3213623', # Word Automation Services for SharePoint Server 2010 SP2\n '4011068', # Word Automation Services for SharePoint Server 2013 SP1\n '4011170', # SharePoint Server 2013 SP1\n '4011180', # SharePoint Foundation 2013 SP1\n '4011217' # SharePoint Enterprise Server 2016\n);\n\nif (get_kb_item(\"Host/patch_management_checks\"))\nhotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, 
severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nregistry_init();\n\nvar sps_2010_path, sps_2010_sp, sps_2010_edition;\nvar sps_2013_path, sps_2013_sp, sps_2013_edition;\nvar sps_2016_path, sps_2016_sp, sps_2016_edition;\n\nvuln = FALSE;\nxss = FALSE;\n\nport = kb_smb_transport();\n\ninstalls = get_installs(app_name:\"Microsoft SharePoint Server\", exit_if_not_found:TRUE);\n\nforeach install (installs[1])\n{\n if (install[\"Product\"] == \"2016\")\n {\n sps_2016_path = install['path'];\n sps_2016_sp = install['SP'];\n sps_2016_edition = install['Edition'];\n }\n else if (install[\"Product\"] == \"2013\")\n {\n sps_2013_path = install['path'];\n sps_2013_sp = install['SP'];\n sps_2013_edition = install['Edition'];\n }\n else if (install[\"Product\"] == \"2010\")\n {\n sps_2010_path = install['path'];\n sps_2010_sp = install['SP'];\n sps_2010_edition = install['Edition'];\n }\n}\n\n######################################################################\n# SharePoint Server 2010 SP2\n######################################################################\nif (sps_2010_path && sps_2010_sp == \"2\" && sps_2010_edition == \"Server\")\n{\n path = hotfix_append_path(path:sps_2010_path, value:\"WebServices\\WordServer\\Core\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"14.0.7189.5001\", min_version:\"14.0.0.0\", path:path, kb:\"3213623\", product:\"Office SharePoint Server 2010 Word Automation Services\") == HCF_OLDER)\n vuln = TRUE;\n}\n\n######################################################################\n# SharePoint Server 2013 SP1\n######################################################################\nif (sps_2013_path && sps_2013_sp == \"1\")\n{\n if (sps_2013_edition == \"Server\")\n {\n if (hotfix_check_fversion(file:\"tquery.dll\", version:\"15.0.4921.1000\", 
min_version:\"15.0.0.0\", path:path, kb:\"4011170\", product:\"Microsoft SharePoint Server 2013 Service Pack 1 \") == HCF_OLDER)\n {\n vuln = TRUE;\n xss = TRUE;\n }\n\n # Files under <sps_2013_path>\\WebServices\\ConversionServices\n path = hotfix_append_path(path:sps_2013_path, value:\"WebServices\\ConversionServices\");\n if (hotfix_check_fversion(file:\"oartserver.dll\", version:\"15.0.4963.1000\", min_version:\"15.0.0.0\", path:path, kb:\"4011068\", product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n }\n else if (sps_2013_edition == \"Foundation\")\n {\n commonfiles = hotfix_get_commonfilesdir();\n if (!commonfiles) commonfiles = hotfix_get_commonfilesdirx86();\n if (commonfiles) path = hotfix_append_path(path:commonfiles, value:\"Microsoft Shared\\Web Server Extensions\\15\\BIN\");\n else path = hotfix_append_path(path:sps_2013_path, value:\"BIN\");\n if (hotfix_check_fversion(file:\"onetutil.dll\", version:\"15.0.4971.1000\", min_version:\"15.0.0.0\", path:path, kb:\"4011180\", product:\"Microsoft Sharepoint Foundation 2013 Service Pack 1\") == HCF_OLDER)\n {\n vuln = TRUE;\n xss = TRUE;\n }\n }\n}\n\n######################################################################\n# SharePoint Server 2016\n######################################################################\nif (sps_2016_path && sps_2016_sp == \"0\" && sps_2016_edition == \"Server\")\n{\n path = hotfix_append_path(path:sps_2016_path, value:\"WebServices\\ConversionServices\");\n if (hotfix_check_fversion(file:\"ppserver.dll\", version:\"16.0.4588.1000\", min_version:\"16.0.0.0\", path:path, kb:\"4011217\", product:\"Office SharePoint Server 2016\") == HCF_OLDER)\n {\n vuln = TRUE;\n xss = TRUE;\n }\n}\n\nif (vuln)\n{\n if (xss) replace_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:27", "bulletinFamily": "info", "description": "Security experts are urging network administrators to patch a Microsoft Office vulnerability that has been exploited in the wild.\n\nThe vulnerability ([CVE-2017-11826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826>)) could allow remote code execution if a user opens a specially crafted Office file. It was one of 62 vulnerabilities patched by Microsoft as part of its monthly Patch Tuesday updates released today. Of those, 23 of the vulnerabilities are rated critical, 34 rated as important and 33 can result in remote code execution.\n\nAs for the Microsoft Office vulnerability Microsoft said: \u201cIf the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nThe vulnerability is rated important, but tops the list of vulnerabilities to address this month because the bug has been exploited in the wild. Researchers at Qihoo 360 Core Security are credited for [first detecting an in-the-wild attack](<http://360coresec.blogspot.com/2017/10/new-office-0day-cve-2017-11826.html>) that leveraged CVE-2017-11826 on Sept. 28.\n\n\u201cThe attack only targeted limited customers,\u201d wrote Qihoo. \u201cThe attacker embedded malicious .docx in the RTF files. Through reversing analysis of the sample C&C, we found that the attack was initiated in August and the launch date of the attack can be dated back to September.\u201d\n\n\u201cPriority should also be given to [CVE-2017-11771](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771>), which is a vulnerability in the Windows Search service. 
This is the fourth Patch Tuesday this year to feature a vulnerability in this service,\u201d wrote Jimmy Graham, director of product management at Qualys in [a blog post analysis](<https://blog.qualys.com/laws-of-vulnerabilities/2017/10/10/october-patch-tuesday-28-critical-microsoft-vulnerabilities>) of Tuesday\u2019s patches. \u201cAs with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations.\u201d\n\nHe noted, while an exploit against [CVE-2017-11771](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771>) can leverage SMB as an attack vector, it isn\u2019t related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry and NotPetya.\n\nAmong other patches issued by Microsoft, the company addressed critical Windows DNS client vulnerabilities ([CVE-2017-11779](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11779>)) with a patch that closed off an avenue where an attacker could relatively simply respond to DNS queries with malicious code and gain arbitrary code execution on Windows clients or Windows Server installations.\n\nThe flaws were discovered and privately disclosed to Microsoft by [Nick Freeman, a security researcher with Bishop Fox](<https://threatpost.com/microsoft-patches-critical-windows-dns-client-vulnerabilities/128344/>). \u201cAn attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account,\u201d Microsoft said. Impacted is Windows 8.1 through 10 including Windows Server 2012 through 2016.\n\nAnother noteworthy bug is a Windows Subsystem for Linux, denial of service vulnerability ([CVE-2017-8703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8703>)). 
This previously publicly disclosed bug could allow an attacker to execute a specially crafted application to affect an object in memory allowing an attacker to cause the system to become unresponsive, Microsoft said. The only affected product is Windows 10 (Version 1703).\n\nChris Goettl, manager of product management, security at Ivanti, also noted a critical Microsoft Office SharePoint XSS vulnerability ([CVE-2017-11777](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11777>)) that can be abused by an attacker who sends a specially crafted request to an affected SharePoint server. If successful, \u201cthe attacker would have the same security context as the current user allowing them to read data they should not have access to, use the victim\u2019s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content in the browser of the user,\u201d Goettl said.\n\nLastly, it\u2019s worth noting Microsoft\u2019s support for Windows 10 November Update Version 1511 (released in 2015) ends with today\u2019s updates. On the flip side, Microsoft has said the fourth major update to Windows 10, the Fall Creators Update, will be released [next week, on Oct. 
17](<https://www.microsoft.com/en-us/windows/upcoming-features>).\n\nToday also marks the sunsetting of support for [Microsoft Office 2007](<https://support.microsoft.com/en-us/help/3198497/office-2007-approaching-end-of-extended-support>).\n", "modified": "2017-10-10T16:44:08", "published": "2017-10-10T16:44:08", "id": "THREATPOST:16AAA0E325C3DC54A87F3EC426974E24", "href": "https://threatpost.com/microsoft-patches-office-bug-actively-being-exploited/128367/", "type": "threatpost", "title": "Microsoft Patches Office Bug Actively Being Exploited", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:52", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-E4takzJjKk8/Wd3UFwfKMwI/AAAAAAAAuVU/uPeiwXfdpcQIBJUClruJP7W1tKclI0aJgCLcBGAs/s1600/Microsof-Security-Patches.png>)\n\nAs part of its \"October Patch Tuesday,\" Microsoft has today [released](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>) a large batch of security updates to patch a total of 62 vulnerabilities in its products, including a severe MS office zero-day flaw that has been exploited in the wild. \n \nSecurity updates also include patches for Microsoft Windows operating systems, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync and Microsoft SharePoint Server. \n \nBesides the MS Office vulnerability, the company has also addressed two other publicly disclosed (but not yet targeted in the wild) vulnerabilities that affect the SharePoint Server and the Windows Subsystem for Linux. \n \nOctober patch Tuesday also fixes a critical Windows DNS vulnerability that could be exploited by a malicious DNS server to execute arbitrary code on the targeted system. Below you can find a brief technical explanation of all above mentioned critical and important vulnerabilities. 
\n\n\n### Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)\n\n \nThis vulnerability, classified by Microsoft as \"important,\" is caused by a memory corruption issue. It affects all supported versions of MS Office and has been actively exploited by attackers in targeted attacks. \n \nAn attacker could exploit this vulnerability either by sending a specially crafted Microsoft Office file to the victims and convincing them to open it, or hosting a site containing specially crafted files and tricking victims into visiting it. \n \nOnce opened, the malicious code within the booby-trapped Office file will execute with the same rights as the logged-in user. So, users with least privilege on their systems are less impacted than those having higher admin rights. \n \nThe vulnerability was [reported](<https://360coresec.blogspot.in/2017/10/new-office-0day-cve-2017-11826.html>) to Microsoft by security researchers at China-based security firm Qihoo 360 Core Security, who initially detected an in-the-wild cyber attack which involved malicious RTF files and leveraged this vulnerability on September 28. \n \n\n\n### Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)\n\n \nOther critical vulnerabilities patched by Microsoft include a critical remote code execution flaw in the Windows DNS client that affects computers running Windows 8.1 and Windows 10, and Windows Server 2012 through 2016. \n \nThe vulnerability can be triggered by a malicious DNS response, allowing an attacker to gain arbitrary code execution on Windows clients or Windows Server installations in the context of the software application that made the DNS request. \n \nNick Freeman, a security researcher from security firm Bishop Fox, discovered the vulnerability and demonstrated how an attacker connected to a public Wi-Fi network could run malicious code on a victim's machine, escalate privileges and take full control over the target computer or server. 
\n\n\n> \"This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) \u2013 they can gain access to your system,\" the researcher explains.\n\n> \"This doesn\u2019t only affect web browsers \u2013 your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.\"\n\nFor full technical details, you can watch the video demonstration by Bishop Fox\u2019s Dan Petro and head on to Bishop Fox\u2019s [blog post](<https://www.bishopfox.com/blog/2017/10/a-bug-has-no-name-multiple-heap-buffer-overflows-in-the-windows-dns-client/>). \n\n\n### Windows Subsystem for Linux Denial of Service Vulnerability (CVE-2017-8703)\n\n \nThis denial of service (DoS) issue is yet another noteworthy vulnerability which resides in Windows Subsystem for Linux. \n \nThe vulnerability, classified by Microsoft as \"important,\" was previously publicly disclosed, but wasn't found actively exploited in the wild. \n \nThe vulnerability could allow an attacker to execute a malicious application to affect an object in the memory, which eventually allows the application to crash the target system and make it unresponsive. \n\n\n> The only affected Microsoft product by this vulnerability is Windows 10 (Version 1703). \"The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory,\" Microsoft said in its advisory.\n\n \n\n\n### Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)\n\n \nAnother previously disclosed but not yet under attack vulnerability is a cross-site scripting (XSS) flaw in Microsoft SharePoint Server that affects SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016. \n \nThe vulnerability, also classified by Microsoft as \"important,\" can be exploited by sending a maliciously crafted request to an affected SharePoint server. 
\n \nSuccessful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute malicious script in the security context of the current user. \n\n\n> \"The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user,\" Microsoft explains.\n\nBesides these, the company has patched a total of 19 vulnerabilities in the scripting engine in Edge and Internet Explorer that could allow web pages to achieve remote-code execution, with the logged-in user's permissions, via memory corruption flaws. \n \nJust opening a web page could potentially land you in trouble by executing malware, spyware, ransomware, and other nasty software on the vulnerable computer. \n \n\n\n### More RCE And Other Vulnerabilities\n\n \nRedmond also patched two vulnerabilities in the Windows font library that can allow a web page or document to execute malicious code on a vulnerable machine and hijack it on opening a file with a specially crafted embedded font or visiting a website hosting the malicious file. \n \nThe update also includes fixes for a bug in Windows TRIE (CVE-2017-11769) that allows DLL files to achieve remote code execution and a programming error (CVE-2017-11776) in Outlook that leaves its emails open to snooping over supposedly secure connections. \n \nOther issues patched this month include two remote code execution flaws in the Windows Shell and a remote code execution bug in Windows Search. \n \nMicrosoft also published an [advisory warning](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012>) users of a security feature bypass issue affecting the firmware of Infineon Trusted Platform Modules (TPMs). 
\n \nSurprisingly, Adobe Flash does not include any security patches. Meanwhile, Adobe has skipped October's Patch Tuesday altogether. \n \nUsers are strongly advised to apply October security patches as soon as possible in order to keep hackers and cybercriminals away from taking control over their computers. \n \nFor installing security updates, simply head on to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or you can install the updates manually.\n", "modified": "2017-10-11T09:13:54", "published": "2017-10-10T22:06:00", "id": "THN:362907387C0F8EBF7559F06EA602D348", "href": "https://thehackernews.com/2017/10/microsoft-security-patches.html", "type": "thn", "title": "Microsoft Issues Patches For Severe Flaws, Including Office Zero-Day & DNS Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-02-11T20:22:47", "bulletinFamily": "info", "description": "### *Detect date*:\n10/10/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Office. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, and perform cross-site scripting and privilege escalation.\n\n### *Affected products*:\nWord Automation Services \nMicrosoft Lync 2013 Service Pack 1 (32-bit) \nMicrosoft Lync 2013 Service Pack 1 (64-bit) \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Office 2016 Click-to-Run (C2R) for 32-bit editions \nMicrosoft Office 2016 Click-to-Run (C2R) for 64-bit editions \nMicrosoft Office 2016 for Mac \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Office Online Server 2016 \nMicrosoft Office Web Apps Server 2010 Service Pack 2 \nMicrosoft Office Web Apps Server 2013 Service Pack 1 \nMicrosoft Office Word Viewer \nMicrosoft Outlook 2010 Service Pack 2 (32-bit editions) \nMicrosoft Outlook 2010 Service Pack 2 (64-bit editions) \nMicrosoft Outlook 2013 RT Service Pack 1 \nMicrosoft Outlook 2013 Service Pack 1 (32-bit editions) \nMicrosoft Outlook 2013 Service Pack 1 (64-bit editions) \nMicrosoft Outlook 2016 (32-bit edition) \nMicrosoft Outlook 2016 (64-bit edition) \nMicrosoft SharePoint Enterprise Server 2013 Service Pack 1 \nMicrosoft SharePoint Enterprise Server 2016 \nMicrosoft Word 2007 Service Pack 3 \nMicrosoft Word 2010 Service Pack 2 (32-bit editions) \nMicrosoft Word 2010 Service Pack 2 (64-bit editions) \nMicrosoft Word 2013 RT Service Pack 1 \nMicrosoft Word 2013 Service Pack 1 (32-bit editions) \nMicrosoft Word 2013 Service Pack 1 (64-bit editions) \nMicrosoft Word 2016 (32-bit edition) \nMicrosoft Word 2016 (64-bit edition) \nSkype for Business 2016 (32-bit) \nSkype for Business 2016 (64-bit)\n\n### *Solution*:\nInstall necessary 
updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[ADV170017](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170017>) \n[CVE-2017-11776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11776>) \n[CVE-2017-11777](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11777>) \n[CVE-2017-11774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774>) \n[CVE-2017-11775](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11775>) \n[CVE-2017-11786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786>) \n[CVE-2017-11820](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11820>) \n[CVE-2017-11826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826>) \n[CVE-2017-11825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11825>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Access](<https://threats.kaspersky.com/en/product/Microsoft-Access/>)\n\n### 
*CVE-IDS*:\n[CVE-2017-11774](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11774>) \n[CVE-2017-11775](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11775>) \n[CVE-2017-11776](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11776>) \n[CVE-2017-11777](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11777>) \n[CVE-2017-11786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11786>) \n[CVE-2017-11820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11820>) \n[CVE-2017-11825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11825>) \n[CVE-2017-11826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11826>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[2553338](<http://support.microsoft.com/kb/2553338>) \n[3172524](<http://support.microsoft.com/kb/3172524>) \n[3213623](<http://support.microsoft.com/kb/3213623>) \n[3213630](<http://support.microsoft.com/kb/3213630>) \n[3213647](<http://support.microsoft.com/kb/3213647>) \n[3213648](<http://support.microsoft.com/kb/3213648>) \n[3213659](<http://support.microsoft.com/kb/3213659>) \n[4011068](<http://support.microsoft.com/kb/4011068>) \n[4011159](<http://support.microsoft.com/kb/4011159>) \n[4011162](<http://support.microsoft.com/kb/4011162>) \n[4011170](<http://support.microsoft.com/kb/4011170>) \n[4011178](<http://support.microsoft.com/kb/4011178>) \n[4011179](<http://support.microsoft.com/kb/4011179>) \n[4011180](<http://support.microsoft.com/kb/4011180>) \n[4011185](<http://support.microsoft.com/kb/4011185>) \n[4011194](<http://support.microsoft.com/kb/4011194>) \n[4011196](<http://support.microsoft.com/kb/4011196>) \n[4011217](<http://support.microsoft.com/kb/4011217>) \n[4011222](<http://support.microsoft.com/kb/4011222>) \n[4011231](<http://support.microsoft.com/kb/4011231>) \n[4011232](<http://support.microsoft.com/kb/4011232>) \n[4011236](<http://support.microsoft.com/kb/4011236>) 
\n[2837599](<http://support.microsoft.com/kb/2837599>) \n[2920723](<http://support.microsoft.com/kb/2920723>) \n[3213627](<http://support.microsoft.com/kb/3213627>) \n[3172531](<http://support.microsoft.com/kb/3172531>) \n[4022208](<http://support.microsoft.com/kb/4022208>) \n[4022206](<http://support.microsoft.com/kb/4022206>) \n[4022172](<http://support.microsoft.com/kb/4022172>) \n[4022176](<http://support.microsoft.com/kb/4022176>) \n[4022188](<http://support.microsoft.com/kb/4022188>) \n[4022189](<http://support.microsoft.com/kb/4022189>)", "modified": "2018-11-06T00:00:00", "published": "2017-10-10T00:00:00", "id": "KLA11113", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11113", "title": "KLA11113 Multiple vulnerabilities in Microsoft Office", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-10-12T12:21:49", "bulletinFamily": "info", "description": "On this Tuesday's Patch Tuesday, Microsoft released patches for 62 vulnerabilities in one go. The patches include a fix for a serious Office 0-day that has already been exploited: a remote code execution vulnerability caused by memory corruption (CVE-2017-11826). An attacker can exploit this vulnerability remotely by luring a user into opening a specially crafted document, which then executes malicious code. All versions of Office are affected by this vulnerability. \nThe remote code execution vulnerability exists because the software fails to properly handle objects in memory. An attacker can exploit the vulnerability to execute arbitrary code in the context of the current user. 
If the current user is logged on with administrator rights, the attacker can take control of the affected system: install programs; view, change or delete data; and even create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system may be less affected than users who operate with administrator rights. \nIn an email attack, the attacker can send a specially crafted file to the user and convince the user to open it in order to exploit the vulnerability. In a web-based attack, the attacker can host a website, or use a compromised website that accepts or hosts user-supplied content, containing a specially crafted file that exploits the vulnerability. The attacker cannot force users to visit the site and can only lure them into clicking a link, usually through a lure in an email or instant message. \nIt is worth mentioning that this vulnerability was discovered by researchers at China's Qihoo 360 and reported to Microsoft. On September 28 they found attackers exploiting the vulnerability, together with malicious RTF files, to attack the company's customers. Details are still unclear, but analysis of the C&C server used by the attackers suggests that the attacks were being prepared as early as August and began in September. 
\nThe researchers said that the attackers used phishing techniques to get targeted users to open the malicious file, ultimately triggering a Trojan payload that can steal sensitive information from the infected device. In addition, the attack also involved a DLL hijacking vulnerability in some \u201cwell-known\u201d network security products. The affected security vendor has still not been named, but DLL hijacking vulnerabilities have also been found in products from Symantec, Kaspersky Labs, Rapid7, F-Secure, Comodo and other companies. \nMicrosoft also fixed two vulnerabilities that had previously been disclosed but have not been exploited: \nAn [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>) vulnerability in SharePoint (CVE-2017-11777) \nA DoS vulnerability in the Windows Subsystem for Linux (CVE-2017-8703) \nOf the fixed vulnerabilities, 27 are rated critical, including a remote code execution vulnerability in Windows (CVE-2017-11779). Microsoft also published an advisory alerting users to a security feature bypass affecting the firmware of the Infineon Trusted Platform Module (TPM). Last month Microsoft fixed about 80 vulnerabilities in total, including a .NET 0-day that attackers used to spread the FinFisher malware to Russian-speaking users. \nAdobe, which usually releases its fixes in sync with Microsoft, did not release any security fixes this week. \nThe following is the list of the 62 fixed vulnerabilities. Interested readers can also click here for an overview, or click here for Microsoft's update notifications, bulletins and patches. 
\nTag | CVE ID | CVE Title \n--- | --- | --- \nDevice Guard | CVE-2017-8715 | Windows Security Feature Bypass Vulnerability \nDevice Guard | CVE-2017-11823 | Microsoft Windows Security Feature Bypass Vulnerability \nInternet Explorer | CVE-2017-11790 | Internet Explorer Information Disclosure Vulnerability \nInternet Explorer | CVE-2017-11810 | Scripting Engine Memory Corruption Vulnerability \nInternet Explorer | CVE-2017-11822 | Internet Explorer Memory Corruption Vulnerability \nInternet Explorer | CVE-2017-11813 | Internet Explorer Memory Corruption Vulnerability \nMicrosoft Edge | CVE-2017-8726 | Microsoft Edge Memory Corruption Vulnerability \nMicrosoft Edge | CVE-2017-11794 | Microsoft Edge Information Disclosure Vulnerability \nMicrosoft Graphics Component | CVE-2017-11816 | Windows GDI Information Disclosure Vulnerability \nMicrosoft Graphics Component | CVE-2017-11763 | Microsoft Graphics Remote Code Execution Vulnerability \nMicrosoft Graphics Component | CVE-2017-11762 | Microsoft Graphics Remote Code Execution Vulnerability \nMicrosoft Graphics Component | CVE-2017-11824 | Windows Graphics Component Elevation of Privilege Vulnerability \nMicrosoft Graphics Component | CVE-2017-8693 | Microsoft Graphics Information Disclosure Vulnerability \nMicrosoft JET Database Engine | CVE-2017-8718 | Microsoft JET Database Engine Remote Code Execution Vulnerability \nMicrosoft JET Database Engine | CVE-2017-8717 | Microsoft JET Database Engine Remote Code Execution Vulnerability \nMicrosoft Office | CVE-2017-11776 | Microsoft Outlook Information Disclosure Vulnerability \nMicrosoft Office | CVE-2017-11775 | Microsoft Office SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>) Vulnerability \nMicrosoft Office | CVE-2017-11774 | Microsoft Outlook Security Feature Bypass Vulnerability \nMicrosoft Office | CVE-2017-11777 | Microsoft Office SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>) Vulnerability \nMicrosoft Office | CVE-2017-11826 | Microsoft Office Memory Corruption Vulnerability \nMicrosoft Office | CVE-2017-11825 | Microsoft Office Remote Code Execution Vulnerability \nMicrosoft Office | ADV170017 | Office Defense in Depth Update \nMicrosoft Office | CVE-2017-11786 | Skype for Business Elevation of Privilege Vulnerability \nMicrosoft Office | CVE-2017-11820 | Microsoft Office SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>)", "modified": "2017-10-12T00:00:00", "published": "2017-10-12T00:00:00", "id": "MYHACK58:62201789593", "href": "http://www.myhack58.com/Article/html/3/62/2017/89593.htm", "title": "Microsoft windows October release of the 62 flaws vulnerability bug patch, and repair of the National researchers submitted the 0-day flaw vulnerability bug-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2017-10-22T19:31:53", "bulletinFamily": "blog", "description": "Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, SharePoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. 
<br /><br /><a name='more'></a><br /><h2 id=\"h.vyxocry7flp\">Vulnerabilities Rated Critical</h2><br />The following vulnerabilities are rated \"Critical\" by Microsoft: <br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813\">CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822\">CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11762\">CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11763\">CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11797\">CVE-2017-11797 - Scripting Engine Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11767\">CVE-2017-11767 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792\">CVE-2017-11792 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793\">CVE-2017-11793 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796\">CVE-2017-11796 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798\">CVE-2017-11798 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11799\">CVE-2017-11799 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11800\">CVE-2017-11800 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11801\">CVE-2017-11801 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802\">CVE-2017-11802 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11804\">CVE-2017-11804 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11805\">CVE-2017-11805 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11806\">CVE-2017-11806 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11807\">CVE-2017-11807 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11808\">CVE-2017-11808 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809\">CVE-2017-11809 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810\">CVE-2017-11810 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811\">CVE-2017-11811 - 
Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812\">CVE-2017-11812 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11821\">CVE-2017-11821 - Scripting Engine Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11779\">CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11771\">CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8727\">CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11819\">CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability</a></li></ul><h3 id=\"h.9n0bk25dm78x\">CVE-2017-11813, CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability</h3><br />Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.<br /><br /><h3 id=\"h.p7pfodbbvqp3\">CVE-2017-11762, CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability</h3><br />Two vulnerabilities have been identified in the font library of the Microsoft Graphics Component that could allow an attacker to execute arbitrary code. 
These vulnerabilities manifest due to the library incorrectly handling specialty embedded fonts within a web page or document. Exploitation of these two vulnerabilities could be achieved if a user navigates to a malicious web page or if the user opens a specially crafted document that exploits these vulnerabilities.<br /><br /><h3 id=\"h.2zd3ocgo4tir\">Multiple CVEs - Scripting Engine Memory Corruption Vulnerability</h3><br />Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit one of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization.\"<br /><br />The following is a list of CVEs related to these vulnerabilities:<br /><br /><ul><li>CVE-2017-11767</li><li>CVE-2017-11792</li><li>CVE-2017-11793</li><li>CVE-2017-11796</li><li>CVE-2017-11797</li><li>CVE-2017-11798</li><li>CVE-2017-11799</li><li>CVE-2017-11800</li><li>CVE-2017-11801</li><li>CVE-2017-11802</li><li>CVE-2017-11804</li><li>CVE-2017-11805</li><li>CVE-2017-11806</li><li>CVE-2017-11807</li><li>CVE-2017-11808</li><li>CVE-2017-11809</li><li>CVE-2017-11810</li><li>CVE-2017-11811</li><li>CVE-2017-11812</li><li>CVE-2017-11821</li></ul><h3 id=\"h.6zgalyi0vdh0\">CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Windows DNS that could allow an attacker to execute arbitrary code in the context of the Local System account. 
This vulnerability manifests in DNSAPI.dll as a result of improperly handling DNS responses. A scenario where this vulnerability could be exploited would be one where an attacker stands up a malicious DNS server to transmit specially crafted DNS responses to the target.<br /><br /><h3 id=\"h.30w8s827zxf7\">CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows Search that could allow an attacker to elevate their privileges and subsequently execute code in the elevated context. This vulnerability manifests due to improper handling of objects in memory. For this vulnerability to be exploited, an attacker would need either to have access to the targeted host or to trigger the vulnerability remotely through an SMB connection.<br /><br /><h3 id=\"h.vl6grtvoq51l\">CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified in Internet Explorer which could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests as a result of Internet Explorer improperly accessing objects in memory via the Microsoft Windows Text Services Framework. An attacker could create a specially crafted web page that exploits this vulnerability and subsequently socially engineer a user to visit the page to compromise users. Additionally, attackers could leverage vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit and compromise users.<br /><br /><h3 id=\"h.idto8iab26ye\">CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Microsoft web browsers which manifests due to improper handling of objects in memory. 
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. An attacker could leverage this vulnerability to exploit users by crafting a specially formed web page and socially engineering users to visit such a page. Other scenarios include an attacker leveraging vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit this vulnerability and compromise users.<br /><br /><h2 id=\"h.ykle8if9gdqr\">Vulnerabilities Rated Important</h2><br />The following vulnerabilities are rated \"important\" by Microsoft:<br /><br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790\">CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794\">CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8726\">CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8693\">CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8717\">CVE-2017-8717 - Microsoft JET Database Engine Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8718\">CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826\">CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11825\">CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11775\">CVE-2017-11775 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11777\">CVE-2017-11777 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11820\">CVE-2017-11820 - Microsoft Office SharePoint XSS Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11776\">CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774\">CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11772\">CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11823\">CVE-2017-11823 - Microsoft Windows Security Feature Bypass</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786\">CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11769\">CVE-2017-11769 - TRIE Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8689\">CVE-2017-8689 - Win32k Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8694\">CVE-2017-8694 - 
Win32k Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11783\">CVE-2017-11783 - Windows Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11816\">CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11824\">CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11817\">CVE-2017-11817 - Windows Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11765\">CVE-2017-11765 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11784\">CVE-2017-11784 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11785\">CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11814\">CVE-2017-11814 - Windows Kernel Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8715\">CVE-2017-8715 - Windows Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11781\">CVE-2017-11781 - Windows SMB Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11782\">CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability</a></li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11815\">CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11780\">CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11818\">CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8703\">CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11829\">CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability</a></li></ul><h3 id=\"h.g7oy1wnmoh\">CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Internet Explorer that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Internet Explorer improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to a site that hosts user-generated content could also be exploited.<br /><br /><h3 id=\"h.nb288lrlg1t0\">CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Edge that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Edge improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. 
Additionally, users who navigate to a site that hosts user-generated content could also be exploited.<br /><br /><h3 id=\"h.xeyotn6ksca2\">CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability</h3><br />A remote code execution vulnerability has been identified in Edge that could allow an attacker to execute arbitrary code in the context of the user. This vulnerability manifests due to Edge improperly handling objects in memory. Possible scenarios where an attacker could compromise a user include web-based attacks where a user navigates to a specially crafted web page under the attacker's control. Other possibilities include a user opening a Microsoft Office document containing an embedded ActiveX control marked \"safe for initialization\".<br /><br /><h3 id=\"h.ljhh4ib6ascw\">CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. <br /><br /><h3 id=\"h.b3tc5u640xdc\">CVE-2017-8717, CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability</h3><br />Two arbitrary code execution vulnerabilities have been identified in the Microsoft JET Database Engine that could allow an attacker to execute arbitrary code in the context of the current user. These vulnerabilities manifest as buffer overflow conditions when triggered. For an attacker to successfully exploit these vulnerabilities, a user would need to open or preview a specially crafted Microsoft Excel document on an affected version of Windows. 
An email-based attack where an attacker sends a victim a specially crafted Excel document is the most likely scenario where a user could be compromised.<br /><br /><h3 id=\"h.8jrdy5afh6a8\">CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability</h3><br />A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that in certain conditions, the Preview Pane is an attack vector as well.<br /><br /><h3 id=\"h.ylhjbo1cr5qh\">CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability</h3><br />A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.<br /><br /><h3 id=\"h.oxc5wddvo6jo\">Multiple CVEs - Microsoft Office SharePoint XSS Vulnerability</h3><br />Multiple vulnerabilities in Microsoft Office SharePoint have been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. 
These vulnerabilities manifest due to SharePoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute scripts in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.<br /><br />The following CVEs reflect these vulnerabilities:<br /><br /><ul><li>CVE-2017-11775</li><li>CVE-2017-11777</li><li>CVE-2017-11820</li></ul><h3 id=\"h.c41fpdu70sl\">CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability in Microsoft Outlook has been identified that could leak sensitive information to third parties. This vulnerability manifests when Outlook fails to establish a secure connection. An attacker who exploits this vulnerability could obtain the email content of a user.<br /><br /><h3 id=\"h.qzz1eubjito7\">CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability</h3><br />A security feature bypass vulnerability has been identified in Microsoft Outlook that could be used to execute arbitrary commands. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a specially crafted document file could be exploited. A scenario where this could occur would be in a file-sharing attack where an attacker gives the user a file and socially engineers them to open it.<br /><br /><h3 id=\"h.h7qopze2yjkx\">CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows Search that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Windows Search improperly handling objects in memory. 
Exploitation of this vulnerability could be achieved if an authenticated user sends specially crafted messages to the Windows Search service. Alternatively, this vulnerability could be exploited remotely in an enterprise setting over an SMB connection from an unauthenticated attacker. <br /><br /><h3 id=\"h.vz622ye9nv6q\">CVE-2017-11823 - Microsoft Windows Security Feature Bypass</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.oakx7dmaktpr\">CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Skype for Business that could allow an authenticated attacker to potentially impersonate a user. This vulnerability manifests due to Skype for Business improperly handling specific authentication requests. An attacker who initiates an instant message session while a specially crafted profile image is set could exploit this vulnerability and steal an authentication hash that could be reused in different contexts. Successful exploitation would allow an attacker to perform actions that a user is permitted to do, resulting in various outcomes such as privilege escalation.<br /><br /><h3 id=\"h.m4vwz0vfvmia\">CVE-2017-11769 - TRIE Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows that could allow an attacker to execute code in the context of the current user. 
This vulnerability manifests due to the way certain Windows components improperly handle loading DLL files. Successful exploitation could allow an attacker to perform actions or execute commands within the context of the current user.<br /><br /><h3 id=\"h.s3nuhh6mevtm\">CVE-2017-8689, CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability</h3><br />Two vulnerabilities in Windows Kernel-Mode Drivers have been identified that could allow a privilege escalation attack to occur. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.<br /><br /><h3 id=\"h.efo91ikgy106\">CVE-2017-11783 - Windows Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Windows that could allow an authenticated attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to Windows improperly handling calls to Advanced Local Procedure Call (ALPC). A user who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.ctwd13favj7d\">CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Device Interface (GDI) that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the GDI improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. 
<br /><br /><h3 id=\"h.3ttkcyczmr38\">CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.<br /><br /><h3 id=\"h.xs6yd6lux2zt\">CVE-2017-11817 - Windows Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the kernel improperly initializing objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability. <br /><br /><h3 id=\"h.64j13moi1fp9\">CVE-2017-11784, CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain memory addresses and bypass Kernel Address Space Layout Randomization (KASLR). Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them. <br /><br /><h3 id=\"h.7pxt6sdcvtyu\">CVE-2017-11765, CVE-2017-11814 - Windows Information Disclosure Vulnerability</h3><br />Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. 
These vulnerabilities manifest due to the kernel improperly initializing objects in memory. Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them. <br /><br /><h3 id=\"h.cingn0ygtdh4\">CVE-2017-8715 - Windows Security Feature Bypass Vulnerability</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.jfc0amtsn2gv\">CVE-2017-11781 - Windows SMB Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in Microsoft SMB that could allow an attacker to crash an affected host. This vulnerability manifests due to SMB improperly handling certain requests. An attacker who sends a vulnerable server specially crafted requests could exploit this vulnerability and create a denial of service condition for users.<br /><br /><h3 id=\"h.s6konclvij9e\">CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in the default Windows SMB Server configuration that could allow anonymous users to access certain named pipes. These named pipes could be used to send specially crafted requests to services that accept requests via named pipes. 
An attacker who is able to send SMB messages to an affected SMB server could exploit this vulnerability.<br /><br /><h3 id=\"h.eu27t49sp7sb\">CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows SMB that could allow an attacker to access files they otherwise should not have access to. This vulnerability manifests due to SMB server improperly handling certain requests. An attacker who is able to authenticate to the SMB server and send it SMB messages could exploit this vulnerability.<br /><br /><h3 id=\"h.4pj6p2ufcvo6\">CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability</h3><br />A remote code execution vulnerability has been identified in Microsoft Server Message Block 1.0 (SMBv1) which could allow an attacker to compromise SMBv1 servers. This vulnerability manifests due to the way SMBv1 servers handle certain requests. Exploitation of this vulnerability could be achieved by an unauthenticated attacker by sending specially crafted requests to the affected server.<br /><br /><h3 id=\"h.faj8k2jjkgei\">CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability</h3><br />A security feature bypass has been identified in Microsoft Windows storage which could allow an application with a certain integrity level to execute code at a different level. This vulnerability manifests due to Windows improperly validating an integrity-level check.<br /><br /><h3 id=\"h.xb5ohr1yadjd\">CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in the Windows Subsystem for Linux (WSL). This vulnerability manifests due to the WSL improperly handling objects in memory. 
An attacker who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.4x4sjotidrnz\">CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability</h3><br />A privilege escalation vulnerability has been identified in Windows Update Delivery Optimization that could allow an attacker to overwrite files of a higher privilege than what the attacker possesses. This vulnerability manifests due to Windows Update Delivery Optimization improperly enforcing file share permissions. An attacker who is able to log into the system and create a Delivery Optimization job could exploit this vulnerability.<br /><br /><h2 id=\"h.f970sl5g45g5\">Coverage</h2><br />In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.<br /><br />Snort Rules:<br /><br /><ul><li>44333-44334</li><li>44508-44519</li><li>44526-44529</li><li>44532-44533</li></ul>", "modified": "2017-10-10T20:25:22", "published": "2017-10-10T13:25:00", "id": "TALOSBLOG:D985A5A21B218B47A518D6D4AB858393", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/As9MZaE7IyE/ms-tuesday.html", "title": "Microsoft Patch Tuesday - October 2017", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2017-10-25T19:33:12", "bulletinFamily": "blog", "description": "\n\nEven though \u201cPatch Tuesday\u201d isn\u2019t supposed to exist anymore, here I am blogging about it. As I looked at the October updates from Microsoft, the usual suspects were there. But this month was a little different. We usually see critical vulnerabilities on the browser side, but Microsoft Office is in the spotlight with [CVE-2017-11826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826>) under active attack.\n\nThe scenario involves a specially crafted file with an affected version of Microsoft Office software. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. So, just imagine if a user is logged on with administrative user rights \u2013 an attacker could take over the system and install programs; view, change, or delete data; or create new accounts with full user rights. 
The table below highlights the Digital Vaccine\u00ae filters available for the Microsoft October updates.\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before October 10, 2017. Microsoft had another big month with 62 security patches for September covering Windows, Internet Explorer (IE), Edge, Office, and Skype for Business. 27 of the patches are listed as Critical and 35 are rated Important. Eight of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [October 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/10/10/the-october-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-11762 | *29152 | \nCVE-2017-11763 | 29698 | \nCVE-2017-11765 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11769 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11771 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11772 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11774 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11775 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11776 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11777 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11779 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11780 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11781 | *29694 | \nCVE-2017-11782 | | Vendor Deemed Reproducibility or 
Exploitation Unlikely \nCVE-2017-11783 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11784 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11785 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11786 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11790 | *29151 | \nCVE-2017-11792 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11793 | 29705 | \nCVE-2017-11794 | *29687 | \nCVE-2017-11796 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11797 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11798 | 29706 | \nCVE-2017-11799 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11800 | 28925 | \nCVE-2017-11801 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11802 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11804 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11805 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11806 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11807 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11808 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11809 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11810 | 29707 | \nCVE-2017-11811 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11812 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11813 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11814 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11815 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11816 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11817 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11818 | | Vendor Deemed Reproducibility or 
Exploitation Unlikely \nCVE-2017-11819 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11820 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11821 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11822 | 29704 | \nCVE-2017-11823 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11824 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11825 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-11826 | | Insufficient information currently available \nCVE-2017-11829 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8689 | 29692 | \nCVE-2017-8693 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8694 | 29693 | \nCVE-2017-8703 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8715 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8717 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8718 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8726 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2017-8727 | 29699 | \n \n \n\n**Zero-Day Filters**\n\nThere are four new zero-day filters covering two vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. 
You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Microsoft (2)_**\n\n| \n\n * 29695: ZDI-CAN-5067: Zero Day Initiative Vulnerability (Microsoft Chakra)\n * 29741: HTTP: Microsoft Windows WAV File Denial-of-Service Vulnerability (ZDI-17-838) \n---|--- \n| \n \n**_Trend Micro (2)_**\n\n| \n\n * 29701: HTTPS: Trend Micro Mobile Security Enterprise slink_id SQL Injection (ZDI-17-803)\n * 29710: HTTPS:Trend Micro InterScan Messaging Security Proxy Command Injection Vulnerability (ZDI-17-502,504) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-october-2-2017/>).", "modified": "2017-10-13T14:03:59", "published": "2017-10-13T14:03:59", "id": "TRENDMICROBLOG:141C894C9A7CCB3BB2E580A6C8292E37", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-october-9-2017/", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of October 9, 2017", "type": "trendmicroblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}