Lucene search

K
talosblog[email protected] (Edmund Brumaghin)TALOSBLOG:C29A5D06DFA4855828033CE3321D48DE
HistoryDec 12, 2017 - 3:32 p.m.

Microsoft Patch Tuesday - December 2017

2017-12-1215:32:00
[email protected] (Edmund Brumaghin)
feedproxy.google.com
137

0.952 High

EPSS

Percentile

99.1%

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 34 new vulnerabilities with 21 of them rated critical and 13 of them rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

In addition to the 33 vulnerabilities addressed, Microsoft has also released an update for Microsoft Office which improves security by disabling the Dynamic Data Exchange (DDE) protocol. This update is detailed in ADV170021 and impacts all supported versions of Office. Organizations who are unable to install this update should consult the advisory for workaround that help mitigate DDE exploitation attempts.

Vulnerabilities Rated Critical

Microsoft has assigned the following vulnerabilities a Critical severity rating:

The following is a brief description of each vulnerability.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked “safe for initialization.”

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11886
  • CVE-2017-11889
  • CVE-2017-11890
  • CVE-2017-11893
  • CVE-2017-11894
  • CVE-2017-11895
  • CVE-2017-11901
  • CVE-2017-11903
  • CVE-2017-11905
  • CVE-2017-11907
  • CVE-2017-11908
  • CVE-2017-11909
  • CVE-2017-11910
  • CVE-2017-11911
  • CVE-2017-11912
  • CVE-2017-11914
  • CVE-2017-11918
  • CVE-2017-11930

CVE-2017-11888 - Microsoft Edge Memory Corruption Vulnerability

A vulnerability have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. This vulnerability manifests due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Users could be exploited if they navigate to a malicious web page designed to exploit of these vulnerabilities.

Multiple CVEs - Microsoft Malware Protection Engine Remote Code Execution Vulnerability

Two arbitrary code execution vulnerabilities have been identified within the Microsoft Malware Protection Engine that could allow an attacker to execute code in the context of the LocalSystem account. These vulnerabilities manifest as a result of the engine improperly scanning files. Exploitation of these vulnerabilities is achievable if the system scans a specially crafted file with an affected version of the Microsoft Malware Protection Engine. Note that these update typically will not require action by users or administrators as the the built-in mechanism for automatic deployment of these updates will account within 48 hours of release.

  • CVE-2017-11937
  • CVE-2017-11940

Vulnerabilities Rated Important

Microsoft has assigned the following vulnerabilities an Important severity rating:

The following is a brief description of each vulnerability.

CVE-2017-11885 - Windows RRAS Service Remote Code Execution Vulnerability

A vulnerability has been identified that exists in RPC on systems where Routing and Remote Access is enabled. Successful exploitation of this vulnerability could result in code execution. In order to exploit this vulnerability, an attacker would need to run an application specifically designed to exploit this vulnerability. Routing and Remote access is not enabled in default configurations of Windows. On systems where Routing and Remote Access is disabled, the system is not vulnerable.

Multiple CVEs - Scripting Engine Information Disclosure Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to obtain information to further compromise a user’s system. These vulnerabilities all manifest due to the scripting engine improperly handling objects in memory. Successful exploitation would give an attacker sensitive information that could then be used in other exploits. A scenario where users could be exploited include web-based attacks, where a user navigates to a malicious web page designed to exploit of one of these vulnerabilities.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11887
  • CVE-2017-11906
  • CVE-2017-11919

CVE-2017-11899 - Microsoft Windows Security Feature Bypass Vulnerability

A vulnerability has been identified that affects Device Guard. Successful exploitation of this vulnerability could result in Device Guard incorrectly validating untrusted files. As Device Guard uses signatures to determine whether a file is benign or malicious, this could cause Device Guard to allow a malicious file to execute on vulnerable systems. An attacker could leverage this vulnerability to cause an untrusted file to appear as if it is trusted.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked “safe for initialization.”

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11913
  • CVE-2017-11916

CVE-2017-11927 - Microsoft Windows Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects the Windows its:// protocol handler. This vulnerability manifests due to the protocol handler sending network traffic to a remote site when determining the zone associated with a URL that is provided to the protocol handler. An attacker could attempt to leverage this vulnerability to obtain sensitive information. This vulnerability could be leveraged to obtain NTLM hash values associated with a victim’s account.

CVE-2017-11932 - Microsoft Exchange Spoofing Vulnerability

A spoofing vulnerability has been identified that affects Microsoft Exchange. This vulnerability manifests due to Outlook Web Access (OWA) failing to properly handle certain web requests. This vulnerability could be leveraged by attackers to inject scripts and content. This vulnerability could also be leveraged to redirect clients to a malicious web site. Successful exploitation of this vulnerability would require an attacker to send victims a specially crafted email containing a malicious link.

CVE-2017-11934 - Microsoft PowerPoint Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Microsoft Office. This vulnerability manifests due to Microsoft Office improperly disclosing contents in memory. This vulnerability could be leveraged by an attacker to obtain sensitive information that could be used to launch additional attacks against a target system. Successful exploitation of this vulnerability would require an attacker to send a specially crafted file to a victim and convince them to open the file.

CVE-2017-11935 - Microsoft Excel Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Microsoft Excel which manifests as a result of improperly handling objects in memory. An attacker could exploit this vulnerability by creating a specially crafted Excel document which triggers the vulnerability. Successful exploitation would allow an attacker to execute arbitrary code in the context of the current user. Scenarios where this could occur include email-based attacks or attacks where users download malicious files off of a site hosting user-created content (DropBox, OneDrive, Google Drive).

CVE-2017-11936 - Microsoft SharePoint Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Microsoft SharePoint Server that could potentially allow an attacker to impersonate a user and perform restricted actions. This vulnerability manifests due to SharePoint improperly sanitizing specially crafted web requests. An authenticated user who exploits this vulnerability could proceed to perform a cross-site scripting attack to cause other users to execute arbitrary JavaScript in the context of that user. This could then allow an attacker to read content, change permissions, or inject other malicious content on behalf of that user if permitted.

CVE-2017-11939 - Microsoft Office Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Microsoft Office that could leak a user’s private key. This vulnerability manifests as a result of Visual Basic macros in Office incorrectly exporting a user’s private key from the certificate store while saving a document. Note that an attacker would need to exploit another vulnerability or socially engineer the user to obtain the document containing the leaked private key in order to leverage it.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

  • 37283-37284, 45121-45124, 45128-40133, 45138-45153, 45155-45156, 45160-45163,45167-45170.