The September 2017 Security Update Review

September 12, 2017 | Dustin Childs

Take a break from this soggy season, put down your latest pumpkin-spiced beverage and turn your attention instead to the latest security patches from Adobe, Google, Apache, and Microsoft.

Adobe Patches for September 2017

We begin this month’s review by looking at another small patch for Adobe Flash. Similar to last month, only two Critical-rated bugs are being addressed, and neither is reported as being under active attack. The patch resolves two memory corruption issues that can lead to an out-of-bounds memory access, which could trigger an access violation and result in code execution. This makes four months in a row with a single-digit number of issues fixed in Flash. It’s unknown if this drop-off is the result of Adobe announcing the end of Flash or of some other factor.

In addition to the Flash update, Adobe also released updates for ColdFusion and RoboHelp for Windows. The ColdFusion patch addresses a Critical-rated XML parsing vulnerability as well as an Important-rated cross-site scripting (XSS) bug. Also included in that patch are mitigations for unsafe Java deserialization, which are always welcome. The update for Adobe RoboHelp for Windows covers an Important-rated XSS bug and a Moderate-rated URL-redirect bug. None of these issues are listed as publicly known or under active attack at the time of release.

Google Android Patches for September 2017

In case you missed the announcement, the Google Pixel phone will again be included in Mobile Pwn2Own in a few months. Accordingly, it makes sense to take a look at this month’s security updates for the Android OS. A total of 81 issues were fixed by the September patches, with 13 of those being Critical-rated remote code execution bugs. None are reported to be under active attack. The most severe of these issues reside in the media framework and could allow a remote attacker to execute code within the context of a privileged process using a specially crafted file.

Also included in these patches are Critical-rated fixes for Qualcomm components, various kernel components, and the Broadcom Wi-Fi driver. Any time you say “Broadcom” and “Android” in the same sentence, people immediately think of the BroadPwn bug from earlier this year. Fortunately, this month’s bug is not as severe: instead of the kernel-level code execution BroadPwn allowed, this one is rated for code execution within the context of a privileged process. Still, the bug is definitely severe, and Android users should update as soon as possible to resolve all of the listed vulnerabilities.

It’s also interesting to see that many of these bugs were reported by previous (and hopefully future) Mobile Pwn2Own contestants. We’ve seen some teams in the past race to close bugs they know of but aren’t targeting in an attempt to hinder the competition. How many more bugs will be patched before the contest begins at PacSec in November? Time will tell.

Apache Struts Patches for September 2017

Any attempt to discuss patches for September 2017 fails without at least mentioning CVE-2017-9805. This vulnerability in Apache Struts could allow remote code execution when the Struts REST plugin is used with the XStream handler to deserialize XML requests. This is notable for a couple of different reasons. The open-source framework is widely deployed, with some estimates showing as many as 65 percent of Fortune 500 companies using it in some fashion. The researchers who discovered the vulnerability stated the bug was easy to exploit as well. Not surprisingly, several exploits for the bug were made public following the announcement of the patch. Finally, unsubstantiated reports place the blame for the recent Equifax breach on Apache Struts. As others have noted, no evidence exists showing that this bug, or any Apache vuln, was used in the Equifax breach, so take such news with more than just a few grains of salt.

Also, please remember that with Apache Struts, it’s not just a matter of applying a patch. Struts is a library bundled into each application, so you must also rebuild and redeploy your Java web applications against the fixed version. While we can’t attribute any past events to this vulnerability, it most certainly will be targeted in the future. Praemonitus, praemunitus.
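Because the REST plugin hands XML request bodies to XStream, which resolves XML element names to Java class names, an XML body whose elements are package-qualified Java class names is the tell-tale shape of a deserialization payload. The following request-inspection heuristic is an added example written for this review; it is neither Apache’s code nor any of the published exploits. The `inspect_request` helper, the gadget-class fragment list, and the two sample bodies are constructed for the illustration.

```python
"""Heuristic inspection of HTTP requests for XStream-style XML payloads
aimed at the Struts 2 REST plugin (the CVE-2017-9805 vector).

Added example for this review; not Apache's code and not a reproduction
of any public exploit. XStream maps element names to Java classes, so
package-qualified element names in a REST payload are the signal. The
fragment list and sample bodies are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# XStream resolves elements such as <java.lang.ProcessBuilder> to classes.
# Benign data-binding payloads never carry package-qualified names.
JAVA_CLASS_ELEMENT = re.compile(
    r"<\s*(?:[a-z][a-z0-9_]*\.){2,}[A-Za-z_$][\w$]*[\s/>]")

# Class-name fragments that have no business in a REST data payload.
SUSPICIOUS_FRAGMENTS = (
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "jdk.nashorn",
    "javax.script",
    "sun.reflect",
    "com.sun.xml.internal.bind",
    "java.rmi",
    "javax.naming",
)

XML_TYPES = ("application/xml", "text/xml")

# Constructed sample bodies (not captured traffic).
BENIGN_XML = b"<user><name>alice</name><email>a@example.test</email></user>"
SUSPECT_XML = (b"<map><entry><jdk.nashorn.internal.objects.NativeString>"
               b"<flags>0</flags></jdk.nashorn.internal.objects.NativeString>"
               b"</entry></map>")


@dataclass
class Finding:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def inspect_request(method: str, headers: Dict[str, str], body: bytes) -> Finding:
    """Return a Finding describing why (if at all) the request looks like an
    XStream deserialization attempt against a Struts REST action."""
    finding = Finding(False)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() not in ("POST", "PUT", "PATCH") or ctype not in XML_TYPES:
        return finding  # the XStream handler only runs on XML request bodies
    text = body.decode("utf-8", errors="replace")
    hits = [frag for frag in SUSPICIOUS_FRAGMENTS if frag in text]
    if hits:
        finding.reasons.append("gadget-class names: " + ", ".join(hits))
    m = JAVA_CLASS_ELEMENT.search(text)
    if m:
        finding.reasons.append("element named like a Java class: "
                               + m.group(0).strip("<>/ \n"))
    if text.count("<") > 200:
        finding.reasons.append("unusually large element count for a REST payload")
    finding.suspicious = bool(finding.reasons)
    return finding


if __name__ == "__main__":
    hdrs = {"content-type": "application/xml; charset=utf-8"}
    for label, body in (("benign", BENIGN_XML), ("suspect", SUSPECT_XML)):
        print(label, inspect_request("POST", hdrs, body))
```

The generic element-name regex is the part worth keeping even after patching: it does not depend on a list of known gadget classes, so a new chain built from classes that are not in `SUSPICIOUS_FRAGMENTS` is still flagged.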

Microsoft Patches for September 2017

Microsoft released patches for 81 CVEs in September, covering Windows, Internet Explorer (IE), Edge, Exchange, .NET Framework, Office, and Hyper-V. Of these 81 CVEs, 26 are listed as Critical, 53 are rated Important, and two are Moderate in severity. A total of ten of these CVEs came through the ZDI program. Three of these bugs are listed as publicly known prior to release, with one bug listed as being under active attack.

A few of the CVEs addressed by Microsoft this month deserve some extra attention, and we’ll start by looking at the one under active attack.

-       CVE-2017-8759 - .NET Framework Remote Code Execution Vulnerability
This bug represents the only CVE listed as being under attack for this month, although Microsoft doesn’t give any indication of how widespread the attacks may be. According to the write-up, the vulnerability allows attackers to “take control of an affected system,” which implies a successful exploit will execute with elevated privileges. However, since the severity is set to Important, user interaction is likely involved, most plausibly opening an Office document or PDF file. Another vector would involve executing a malicious application as a low-privileged user. Either way, this patch should be your top priority this month: .NET is deployed just about everywhere, and it’s already being exploited, even if only in a limited fashion.

-       CVE-2017-8628 - Microsoft Bluetooth Driver Spoofing Vulnerability
You don’t often see patches to fix issues that depend on physical proximity, but Bluetooth attacks are definitely an exception. This bug could allow an attacker to perform a man-in-the-middle (MITM) attack on vulnerable Bluetooth stacks. This means that your Bluetooth traffic would go through the attacker’s system before being routed to where you intend, likely without you even noticing. This bug is already making waves due to the snazzy “BlueBorne” name and logo. On Windows, this bug does not directly lead to code execution over Bluetooth. Still, the MITM attack is severe enough to warrant extra attention.

-       CVE-2017-0161 - NetBIOS Remote Code Execution Vulnerability
Ah, the venerable Network Basic Input/Output System, connecting systems on a LAN since 1983. Although not publicly known prior to release, this bug certainly deserves some extra attention. It allows an attacker to execute code on a target system simply by sending specially crafted NetBT Session Service packets. The good news is that NetBT session traffic (TCP port 139) is routinely blocked at network borders, so exposure is largely limited to the local segment. The bad news is that within that segment this is practically wormable. This could also impact multiple virtual machines if the guest OSes all connect to the same (virtual) LAN: in that scenario, one guest OS could execute code on the others if NetBIOS over TCP/IP is enabled. Another factor in this bug is that it’s a race condition, which significantly lowers the reliability of any exploit that may be created.
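The practical question this bug raises is which hosts on a segment still answer on the NetBT session service at all. The helpers below are an added example for this review, not Microsoft’s code and not a reproduction of CVE-2017-0161 (whose trigger Microsoft has not published): they build an RFC 1002 SESSION REQUEST, parse the 4-byte session header with sanity checks, and optionally probe a host on TCP/139. The wire layout follows RFC 1002 section 4.3; the `probe_session_service` function and the 10.0.0.5 address in the usage stub are assumptions for the illustration.

```python
"""RFC 1002 NetBIOS Session Service (NetBT, TCP/139) helpers.

Added example for this review: builds a SESSION REQUEST, parses the
4-byte session header, and optionally probes a host to see whether it
exposes the session service on a segment. Wire layout per RFC 1002
section 4.3; nothing here reproduces or triggers CVE-2017-0161. Host
addresses in the usage stub are placeholders.
"""
import socket
import struct

SESSION_TYPES = {
    0x00: "SESSION MESSAGE",
    0x81: "SESSION REQUEST",
    0x82: "POSITIVE SESSION RESPONSE",
    0x83: "NEGATIVE SESSION RESPONSE",
    0x84: "SESSION RETARGET RESPONSE",
    0x85: "SESSION KEEP ALIVE",
}


def encode_netbios_name(name: str, suffix: int) -> str:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes,
    append the suffix byte, then map each nibble to a letter 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def wire_name(name: str, suffix: int) -> bytes:
    """Second-level encoding: one 32-byte label with length prefix and root."""
    return b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"


def build_header(msg_type: int, length: int) -> bytes:
    """Header: TYPE (1) | FLAGS (1, bit 0 = length bit 16) | LENGTH (2)."""
    if not 0 <= length < (1 << 17):
        raise ValueError("length does not fit in 17 bits")
    return struct.pack(">BBH", msg_type, (length >> 16) & 1, length & 0xFFFF)


def build_session_request(called: str, calling: str) -> bytes:
    # suffix 0x20 = server service, 0x00 = workstation service
    body = wire_name(called, 0x20) + wire_name(calling, 0x00)
    return build_header(0x81, len(body)) + body


def parse_header(buf: bytes) -> dict:
    """Parse a session header and check it against the bytes actually
    present. A declared length larger than the buffer, reserved flag
    bits, or an unknown type are what a monitoring probe should flag."""
    if len(buf) < 4:
        raise ValueError("short session header")
    msg_type, flags, length = struct.unpack(">BBH", buf[:4])
    length |= (flags & 0x01) << 16
    return {
        "type": msg_type,
        "type_name": SESSION_TYPES.get(msg_type, "UNKNOWN"),
        "reserved_flags_set": bool(flags & 0xFE),
        "length": length,
        "truncated": length > len(buf) - 4,
        "payload": buf[4:4 + length],
    }


def probe_session_service(host: str, timeout: float = 2.0) -> dict:
    """Connect to TCP/139 and send a SESSION REQUEST for *SMBSERVER.
    Returns the parsed response header, or {'error': ...} when the port
    is closed. Run only against hosts you are authorized to test."""
    try:
        with socket.create_connection((host, 139), timeout=timeout) as s:
            s.sendall(build_session_request("*SMBSERVER", "PROBE"))
            return parse_header(s.recv(1024))
    except OSError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    # 10.0.0.5 is a placeholder; point this at a host on your own lab LAN.
    print(probe_session_service("10.0.0.5"))
```

A POSITIVE SESSION RESPONSE (0x82) or a NEGATIVE SESSION RESPONSE (0x83) both mean the host is speaking NetBT on that segment and is therefore in scope for this patch; a refused connection means the service is not listening.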

-       CVE-2017-9417 - Broadcom BCM43xx allows Remote Code Execution
The HoloLens headset received its first security update in July, and now it has its second. This patch covers the previously mentioned BroadPwn vulnerability in the HoloLens headset, which apparently also has a Broadcom WiFi chip. It’s unknown if this will be the last BroadPwn-related patch seen in the industry, but I’d wager it’s the most unexpected one. 

Here’s the full list of CVEs released by Microsoft for September 2017. The two XI columns give Microsoft’s Exploitability Index for the latest and older software releases (0 = exploitation detected, 1 = exploitation more likely, 2 = exploitation less likely, 3 = exploitation unlikely, N/A = not affected).

CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older
CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability | Important | No | Yes | 0 | 0
CVE-2017-9417 | Broadcom BCM43xx allows Remote Code Execution | Important | Yes | No | 2 | 2
CVE-2017-8746 | Device Guard Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2
CVE-2017-8723 | Microsoft Edge Security Feature Bypass | Moderate | Yes | No | 3 | N/A
CVE-2017-8747 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-8749 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-8750 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-8731 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8734 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8751 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8755 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8756 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-11766 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8757 | Microsoft Edge Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8696 | Microsoft Graphics Component Remote Code Execution | Critical | No | No | 2 | 2
CVE-2017-8737 | Microsoft PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | 2
CVE-2017-8728 | Microsoft PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A
CVE-2017-0161 | NetBIOS Remote Code Execution Vulnerability | Critical | No | No | 2 | 2
CVE-2017-8649 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8660 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8729 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8738 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8740 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-8741 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-8752 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8753 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-11764 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A
CVE-2017-8748 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-8682 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 1
CVE-2017-8686 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2
CVE-2017-8695 | Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8704 | Hyper-V Denial of Service Vulnerability | Important | No | No | 3 | 3
CVE-2017-8706 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8707 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8711 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8712 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8713 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8733 | Internet Explorer Spoofing Vulnerability | Important | No | No | 3 | 3
CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important | No | No | 2 | 2
CVE-2017-8736 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 3 | 3
CVE-2017-8597 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A
CVE-2017-8643 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A
CVE-2017-8648 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A
CVE-2017-8754 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A
CVE-2017-8724 | Microsoft Edge Spoofing Vulnerability | Important | No | No | 3 | N/A
CVE-2017-8758 | Microsoft Exchange Cross-Site Scripting Vulnerability | Important | No | No | 3 | 3
CVE-2017-11761 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | 3 | 3
CVE-2017-8630 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2
CVE-2017-8631 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2
CVE-2017-8632 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2
CVE-2017-8744 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 1 | 1
CVE-2017-8725 | Microsoft Office Publisher Remote Code Execution | Important | No | No | 2 | 2
CVE-2017-8567 | Microsoft Office Remote Code Execution | Important | No | No | N/A | 3
CVE-2017-8745 | Microsoft SharePoint Cross Site Scripting Vulnerability | Important | No | No | 3 | 3
CVE-2017-8629 | Microsoft SharePoint XSS Vulnerability | Important | No | No | 3 | 3
CVE-2017-8684 | Microsoft Win32k GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8685 | Microsoft Win32k GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8688 | Microsoft Windows GDI+ Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8679 | Microsoft Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8742 | PowerPoint Remote Code Execution Vulnerability | Important | No | No | 1 | 1
CVE-2017-8743 | PowerPoint Remote Code Execution Vulnerability | Important | No | No | 1 | 1
CVE-2017-8714 | Remote Desktop Virtual Host Remote Code Execution Vulnerability | Important | No | No | 2 | 2
CVE-2017-8739 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 2 | N/A
CVE-2017-8692 | Uniscribe Remote Code Execution Vulnerability | Important | No | No | 2 | 2
CVE-2017-8675 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1
CVE-2017-8720 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2
CVE-2017-8683 | Win32k Graphics Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8677 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8678 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8680 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8681 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8687 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8702 | Windows Elevation of Privilege Vulnerability | Important | No | No | N/A | 3
CVE-2017-8676 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8710 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8708 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8709 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8719 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2
CVE-2017-8716 | Windows Security Feature Bypass Vulnerability | Important | No | No | 3 | N/A
CVE-2017-8699 | Windows Shell Remote Code Execution Vulnerability | Important | No | No | 2 | 2
CVE-2017-8735 | Microsoft Edge Spoofing Vulnerability | Moderate | No | No | 3 | N/A

Beyond what we’ve already discussed, the updates for Edge, IE, and Exchange should top the deployment lists. Take care with the Exchange update, as even Microsoft recommends testing Exchange updates in a non-production environment prior to deployment. Similar to the previous month, there are many Edge and IE cases quite simply titled “Scripting Engine Memory Corruption Vulnerability,” which show the not-always-positive impact JavaScript has on security. There are also a number of kernel and kernel-mode driver (KMD) patches fixing information disclosure bugs. On the surface, these aren’t too interesting. However, kernel info leaks are a key component of sandbox escapes, since they defeat KASLR and hand an attacker the addresses a later memory corruption bug needs, so shutting down as many as possible has an asymmetric impact on the security of a system.
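Turning the prioritization argued above into something repeatable, here is an added example (written for this review, not ZDI tooling) that parses rows written one per line with “ | ” between the columns of the table above and orders them the way the text does: in-the-wild exploitation first, then public disclosure, then Microsoft’s Exploitability Index and severity. The embedded rows are a subset copied from the September 2017 table; the `priority` weighting is an assumption of the example, not a Microsoft or ZDI scoring scheme.

```python
"""Ordering a Patch Tuesday release for deployment.

Added example for this review, not ZDI tooling. Rows are parsed from a
'CVE | Title | Severity | Public | Exploited | XI latest | XI older'
layout and sorted so the CVEs needing same-day attention float to the
top. SAMPLE_TABLE is a subset of the September 2017 Microsoft table.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

SAMPLE_TABLE = """
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older
CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability | Important | No | Yes | 0 | 0
CVE-2017-9417 | Broadcom BCM43xx allows Remote Code Execution | Important | Yes | No | 2 | 2
CVE-2017-8723 | Microsoft Edge Security Feature Bypass | Moderate | Yes | No | 3 | N/A
CVE-2017-8747 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1
CVE-2017-0161 | NetBIOS Remote Code Execution Vulnerability | Critical | No | No | 2 | 2
CVE-2017-8682 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 1
CVE-2017-8704 | Hyper-V Denial of Service Vulnerability | Important | No | No | 3 | 3
CVE-2017-8567 | Microsoft Office Remote Code Execution | Important | No | No | N/A | 3
"""


@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]   # Exploitability Index 0..3; None means N/A
    xi_older: Optional[int]


def parse_xi(value: str) -> Optional[int]:
    value = value.strip()
    return None if value.upper() == "N/A" else int(value)


def parse_rows(text: str) -> List[Entry]:
    """Parse pipe-separated rows, skipping the header and anything malformed."""
    entries = []
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 7 or not cols[0].startswith("CVE-"):
            continue
        entries.append(Entry(cols[0], cols[1], cols[2], cols[3] == "Yes",
                             cols[4] == "Yes", parse_xi(cols[5]), parse_xi(cols[6])))
    return entries


def priority(e: Entry) -> Tuple[int, int, int, int, str]:
    """Sort key; lower sorts first. Exploited beats public, which beats the
    index. The lower (worse) of the two XI columns is used because older
    OS builds are often the ones still in production. Assumed weighting."""
    xis = [v for v in (e.xi_latest, e.xi_older) if v is not None]
    xi = min(xis) if xis else 9
    return (0 if e.exploited else 1, 0 if e.public else 1, xi,
            SEVERITY_RANK.get(e.severity, 9), e.cve)


def rank(text: str) -> List[str]:
    return [e.cve for e in sorted(parse_rows(text), key=priority)]


if __name__ == "__main__":
    for e in sorted(parse_rows(SAMPLE_TABLE), key=priority):
        print(e.cve, e.severity, "public" if e.public else "", "EXPLOITED" if e.exploited else "")
```

Feeding the full table through `rank` puts CVE-2017-8759 first, the three publicly known bugs next, then the XI-1 browser and scripting-engine bugs, which matches the deployment order argued in this review.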

Rounding out the Microsoft patches for September are updates for Office, GDI+, SharePoint, and Hyper-V. The Hyper-V bugs are fascinating, as they could allow someone on a guest OS to disclose sensitive information from the underlying host OS. Again, these bugs wouldn’t directly lead to code execution, but they would likely be used in the early part of a virtual machine escape. Microsoft also released its version of the Adobe patch for Flash in Internet Explorer to address the two Flash bugs previously mentioned. Finally, Microsoft published an advisory for defense-in-depth changes to Office, but no other details on what changes were made are available.

Looking Ahead

The next patch Tuesday falls on October 10, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!