The October 2017 Security Update Review

October 10, 2017 | Dustin Childs

This month has brought a harvest of security patches from Adobe, Apple and Microsoft. Take a few minutes with us as we review the details of the main security patches for October.

Adobe Patches for October 2017

UPDATE: On October 16, Adobe released a patch for Flash to address CVE-2017-11292, which is under active attack. This is a type confusion bug that could allow an attacker to execute arbitrary code on a target system. The attacker would need to entice an affected system to view maliciously crafted Flash content, typically hosted on a website. While this vulnerability is reportedly only being used in targeted attacks, it is quite likely to see broader usage now that it is publicly known. This security update should be a high priority for administrators. 

Interestingly, Adobe did not release any security updates for October. While the last few months have seen the number of Flash CVEs decline, fixes for other Adobe products were expected. There have been no public communications from the Adobe PSIRT, so we can only assume we’ll see patches return to their normal cadence next month.

Apple Patches for October 2017

On October 5, Apple released a supplemental update to their recent group of macOS High Sierra patches. This supplement includes a fix for the keychain flaw (CVE-2017-7150) that also showed your password as the password hint. That brings the recent High Sierra patches to a total of 43 CVEs. Apple doesn’t provide severity ratings or CVSS scores for their patches, but definitely consider the kernel, SQLite, IOFireWireFamily, and certificate validation issues to be the top priorities. Also recently released was iOS 11.0.2, which enigmatically “includes the security content of iOS 11,” which also happens to be the description of iOS 11.0.1. There were more than 60 CVEs addressed in iOS 11, with the most pressing issues being those affecting WebKit.

Microsoft Patches for October 2017

Microsoft released 62 security patches for October covering Windows, Internet Explorer (IE), Edge, Office, and Skype for Business. Of these 62 CVEs, 27 are listed as Critical and 35 are rated Important in severity. A total of eight of these CVEs came through the ZDI program. One CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release.

Microsoft also released four advisories this month, and one of these definitely tops the issues that deserve extra attention this month.

- ADV170012 - Vulnerability in TPM could allow Security Feature Bypass
This advisory is somewhat unusual as it carries a Critical rating, and deservedly so. The bug affects some Trusted Platform Module (TPM) chipsets by weakening the public key resistance against attacks attempting to deduce the corresponding private key. The patch provided by Microsoft is only a temporary measure though, and here’s where it gets truly complicated. The TPM manufacturers need to produce a firmware update to completely resolve this, as the bug itself is present in the TPM firmware – not in Windows itself. This patch is one of several designed to offer a workaround by generating software-based keys whenever possible. Even after a vendor’s firmware update is applied, you’ll need to re-generate new keys to replace the previously generated weak ones. While this doesn’t have the same broad attack surface as a vuln in a web browser, anyone who can pull off this exploit is likely a sophisticated and determined attacker. While that remains unlikely, system administrators must take this Critical-rated threat seriously. The problem is the servicing scenario. This is just a stop-gap measure and still requires manual intervention. When the actual firmware updates roll out from TPM vendors, the process will need to happen all over again – except this time, new TPM firmware needs to be installed on every affected device. Do you know where all of your affected devices are? Are you sure? I don’t know what a worst-case scenario for servicing security patches is, but I’d wager this one is on the top 10 list.

- CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability
This is the lone CVE listed as being under active attack for October. The attack scenario here is the usual specially-crafted Office document. An attacker needs to convince a target to open the malicious document, which allows the attacker to execute code at the level of the logged-on user. Let this be your monthly reminder to not do everyday tasks logged in as an Administrator.

- CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability
This patch corrects a Critical-severity bug in Windows DNSAPI.dll, which is used by DNS servers. An attacker that successfully exploits this bug could execute code at the level of the LocalSystem Account. The attack requires a malicious DNS server to send crafted responses to a vulnerable Windows DNS server. Since this bug impacts a privileged account and since it targets a listening service, it’s absolutely conceivable that this bug could be used in a worm targeting Windows DNS servers. This bug also came through our program, so TippingPoint users had filters prior to this patch being made available. If there is a bright spot here, the exploit index (XI) rating indicates exploiting this bug may prove difficult. Still, if you have Windows DNS, make sure this patch gets applied.

- CVE-2017-11777 - Microsoft Office SharePoint XSS Vulnerability
This bug is one of two listed as publicly known but not under attack for October. It is an Important-severity cross-site scripting (XSS) vulnerability in the Microsoft SharePoint Server. An attacker could exploit this by sending a maliciously crafted request to an affected server.

- CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability
This is the final publicly known bug for this month and represents an Important-severity DoS in the Windows Subsystem for Linux. This is an odd case, as it requires the attacker to run a maliciously crafted application to create a DoS against a local system. At first glance, this sounds suspiciously like typing ‘init 6’ from a command line; however, this bug could actually impact servers rather harshly. A single user could crash or hang a server and deny service to everyone else on that server. That’s the primary difference between this case and the local DoS we disclosed last Friday that Microsoft chose not to fix.

Here’s the full list of CVEs released by Microsoft for October 2017.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2017-11826 | Microsoft Office Memory Corruption Vulnerability | Important | Yes | Yes | 1 | 0 |
| CVE-2017-11777 | Microsoft Office SharePoint XSS Vulnerability | Important | Yes | No | 2 | 2 |
| CVE-2017-8703 | Windows Subsystem for Linux Denial of Service Vulnerability | Important | Yes | No | 2 | N/A |
| CVE-2017-11762 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11763 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11771 | Windows Search Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11779 | Windows DNSAPI Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2017-11792 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11793 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11796 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11797 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11798 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11799 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11800 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11801 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11802 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11804 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11805 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11806 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2017-11807 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11808 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11809 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11810 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11811 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11812 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11813 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | N/A | 1 |
| CVE-2017-11819 | Windows Shell Remote Code Execution Vulnerability | Critical | No | No | N/A | 2 |
| CVE-2017-11821 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11822 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-8727 | Windows Shell Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11765 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11769 | TRIE Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11772 | Microsoft Search Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11774 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11775 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11776 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-11780 | Windows SMB Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11781 | Windows SMB Denial of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-11782 | Windows SMB Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11783 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11784 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11785 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11786 | Skype for Business Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-11790 | Internet Explorer Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11794 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-11814 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11815 | Windows SMB Information Disclosure Vulnerability | Important | No | No | N/A | N/A |
| CVE-2017-11816 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11817 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11818 | Windows Storage Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11820 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11823 | Microsoft Windows Security Feature Bypass | Important | No | No | 1 | 1 |
| CVE-2017-11824 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 |
| CVE-2017-11825 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-11829 | Windows Update Delivery Optimization Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8689 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8693 | Microsoft Graphics Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8694 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8715 | Windows Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8717 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8718 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8726 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 1 | N/A |

Beyond what we’ve already discussed, the updates for Edge, IE, and Office should top the deployment lists. Speaking of Edge, 18 of the 27 Critical-rated cases this month bear the same generic-sounding “Scripting Engine Memory Corruption Vulnerability” title. Each of these cases could allow remote code execution at the logged-on user level if someone browses to a malicious website using an affected version of Microsoft Edge. The Microsoft ChakraCore Team is credited with finding nine of these CVEs. It’s unclear if they used the recently announced VulnScan tool, but it is nice to see Microsoft patching internally found bugs rather than just shipping fixes in the next version of the product. If you’re interested in some of the complexities of the Chakra JIT compiler, specifically regarding enforcement of bounds checks in native JIT code, check out the recent blog from ZDI researcher Simon Zuckerbraun on the topic.
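As an added example (not part of the original post and not ZDI or Microsoft tooling), the following Python script parses rows in the format of the CVE table above and sorts them into a deployment order. The sort key (exploited, then publicly known, then Critical severity, then lowest XI value) is an assumption made for illustration, and the six rows are a sample copied from the table.

```python
import re
from collections import Counter

# Sample rows copied from the table above (columns: CVE, Title, Severity,
# Public, Exploited, XI - Latest, XI - Older).
ROWS = """\
CVE-2017-11826 Microsoft Office Memory Corruption Vulnerability Important Yes Yes 1 0
CVE-2017-11777 Microsoft Office SharePoint XSS Vulnerability Important Yes No 2 2
CVE-2017-8703 Windows Subsystem for Linux Denial of Service Vulnerability Important Yes No 2 N/A
CVE-2017-11779 Windows DNSAPI Remote Code Execution Vulnerability Critical No No 2 2
CVE-2017-11792 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11781 Windows SMB Denial of Service Vulnerability Important No No 3 3
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+"
    r"(?P<xi_latest>\d|N/A)\s+(?P<xi_older>\d|N/A)$"
)

def parse_rows(text):
    """Parse table rows; pipe-delimited and space-delimited rows both work."""
    rows = []
    for line in text.splitlines():
        line = " ".join(line.replace("|", " ").split())
        m = ROW_RE.match(line)
        if m:  # header, separator and blank lines simply do not match
            rows.append(m.groupdict())
    return rows

def xi_best(row):
    """Lowest XI value across both columns (lower = more exploitable); N/A sorts last."""
    vals = [int(row[k]) for k in ("xi_latest", "xi_older") if row[k] != "N/A"]
    return min(vals) if vals else 9

def triage(rows):
    """Assumed ordering: exploited, then public, then Critical, then XI."""
    return sorted(rows, key=lambda r: (
        r["exploited"] != "Yes", r["public"] != "Yes",
        r["severity"] != "Critical", xi_best(r), r["cve"]))

def severity_counts(rows):
    return Counter(r["severity"] for r in rows)

if __name__ == "__main__":
    for r in triage(parse_rows(ROWS)):
        print(r["cve"], r["severity"], r["exploited"], xi_best(r), r["title"])
```

Running `severity_counts` over the full table is a quick way to confirm a transcription still matches the totals quoted in the post.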

Rounding out the Microsoft patches for October are updates for Microsoft Windows, Office and Office Services and Web Apps, Skype for Business and Lync, and Chakra Core. Finally, since Adobe didn’t release a Flash update for October, there’s no corresponding update for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on November 14, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!