The December 2017 Security Update Review

December 12, 2017 | Dustin Childs

This month has brought a holiday harvest of new security patches from Apple, Adobe, and Microsoft. Take a break from your celebrations and review the details from the last (scheduled) patches for 2017.

Adobe Patches for December 2017

Adobe ends this year in patches with a whisper, releasing only one patch for a Moderate-rated CVE in Flash. This patch fixes a bug that resets the global settings preference file. While mainly an inconvenience, it could have some implications for the settings impacting security. This brings Adobe’s total security bulletins to 42 for the year, which is slightly down from last year’s total.

Apple Patches for December 2017

Apple released patches for macOS, watchOS, tvOS, Safari, and iTunes. The updates for macOS fix 22 CVEs across various components. The most critical of the bugs would allow an attacker to execute code with kernel-level privileges. It also appears that all of the issues surrounding the “IAmRoot” bug have been fully resolved. The updates for watchOS and tvOS are quite similar. Both address 10 CVEs and include fixes for the Key Reinstallation Attacks (KRACK). The Safari browser gets updated to 11.0.2 and iTunes is updated to 12.7.2, but that’s all we know about them. Apple has the habit of releasing updates with “details available soon,” and that’s the case with these updates.

Microsoft Patches for December 2017

Microsoft released 32 security patches for December covering Internet Explorer (IE), Microsoft Edge, Microsoft Windows, Microsoft Office, SharePoint, and Exchange. Of these 32 CVEs, 20 are listed as Critical and 12 are rated Important in severity. Three of these CVEs came through the ZDI program. None of the CVEs addressed are listed as being under active attack or publicly known at the time of release.

Let’s take a closer look at some of the more interesting patches to close out the year.

- CVE-2017-11927 - Microsoft Windows Information Disclosure Vulnerability
This bug takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files. This patch resolves an information disclosure vulnerability in the Windows its:// protocol handler. Not familiar with that one? I had to look it up as well. InfoTech Storage Format (ITS) is the storage format used in CHM files. IE uses several different ITS protocol handlers, including ms-its, ms-itss, its, and mk:@MSITStore to access components inside CHM files. In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update. It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info. If an attacker can get the target to disclose the user's NTLM hash, they could then attempt a brute-force attack to obtain the corresponding password. This is also a good time to remind folks not to run as Admin for daily tasks and to never discount old protocols. If you aren’t using it, you can unregister the HTML Help InfoTech Protocol altogether, but be aware that Microsoft doesn’t list this as a complete mitigation for this vulnerability.
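As an added example (not part of the original post), a read-only PowerShell check that reports which of the ITS protocol handlers named above are still registered on a host, so you can see whether the unregistering mitigation has been applied. It assumes the handlers are registered under HKCR\PROTOCOLS\Handler, the standard location for IE's pluggable protocol handlers, and that mk:@MSITStore is served by the "mk" handler entry; both are assumptions, not stated on the page.

```powershell
# Added example: audit which ITS protocol handlers are registered (read-only).
# Assumption: pluggable protocol handlers live under HKCR\PROTOCOLS\Handler,
# and the mk:@MSITStore moniker is served by the "mk" handler key.
$ItsHandlerNames = 'its', 'ms-its', 'ms-itss', 'mk'

function Get-ItsProtocolHandlerStatus {
    param([string[]]$Names = $ItsHandlerNames)

    $base = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler'
    foreach ($name in $Names) {
        $key = Join-Path -Path $base -ChildPath $name
        if (Test-Path -LiteralPath $key) {
            # A registered handler carries the CLSID of the COM object that serves it.
            $clsid = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).CLSID
            [pscustomobject]@{ Handler = $name; Registered = $true;  CLSID = $clsid }
        } else {
            [pscustomobject]@{ Handler = $name; Registered = $false; CLSID = $null }
        }
    }
}

# Print the audit and flag the host if any ITS handler is still live.
$status = Get-ItsProtocolHandlerStatus
$status | Format-Table -AutoSize
if ($status | Where-Object Registered) {
    Write-Warning 'One or more ITS protocol handlers are still registered; apply the December 2017 update (unregistering alone is not a complete mitigation).'
}
```

Run it in an elevated or standard session; reading HKCR needs no special rights, and the script changes nothing.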

- CVE-2017-11899 - Microsoft Windows Security Feature Bypass Vulnerability
Last month, there was an update titled “Device Guard Security Feature Bypass Vulnerability.” This month, it gets this new title but keeps the exact same description and impact. This patch fixes a CVE that allows Device Guard to incorrectly validate an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target. The same researcher is credited for both last month’s and this month’s bug, but it isn’t clear if these are two separate issues or the result of an incomplete patch.

- CVE-2017-11937 - Microsoft Malware Protection Engine Remote Code Execution Vulnerability
This update was actually released last week, but should still be given a high priority. This patch corrects a bug that allows remote code execution if the Malware Protection Engine scans a maliciously crafted file. This is problematic since the Malware Protection Engine’s purpose in life is to scan files. Most people using this component will have real-time protection enabled, which means just about any file touched by the affected system is fair game. The average user will also have no action to take, as the engine’s built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. Some people are publicly referring to this as an emergency out-of-band (OOB) update, but that’s not necessarily the case. Malware Protection Engine updates are not tied to Patch Tuesday. As stated in the notification, “Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.” This means that there’s no concept of an OOB release for the engine; it’s updated whenever it is needed. It does seem odd that Microsoft chose to document the release in a manner that causes such confusion. If the bug isn’t under active attack, why not just wait until Patch Tuesday to coincide with other patches? The update definitely has an odd vibe to it, even if it isn’t actually that odd.

Here’s the full list of CVEs released by Microsoft for December 2017.

CVE Title Severity Public Exploited XI - Latest XI - Older
CVE-2017-11886 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11888 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11889 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11890 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11893 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11894 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11895 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11901 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11903 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11905 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11907 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11908 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11909 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11910 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11911 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11912 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11914 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11918 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-11930 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1
CVE-2017-11937 Microsoft Malware Protection Engine Remote Code Execution Vulnerability Critical No No 2 2
CVE-2017-11885 Windows RRAS Service Remote Code Execution Vulnerability Important No No 2 2
CVE-2017-11887 Scripting Engine Information Disclosure Vulnerability Important No No 1 1
CVE-2017-11899 Microsoft Windows Security Feature Bypass Vulnerability Important No No 2 2
CVE-2017-11906 Scripting Engine Information Disclosure Vulnerability Important No No 1 1
CVE-2017-11913 Scripting Engine Memory Corruption Vulnerability Important No No 1 1
CVE-2017-11916 Scripting Engine Memory Corruption Vulnerability Important No No 1 N/A
CVE-2017-11919 Scripting Engine Information Disclosure Vulnerability Important No No 1 1
CVE-2017-11927 Microsoft Windows Information Disclosure Vulnerability Important No No 2 2
CVE-2017-11932 Microsoft Exchange Spoofing Vulnerability Important No No 2 2
CVE-2017-11934 Microsoft PowerPoint Information Disclosure Vulnerability Important No No 2 2
CVE-2017-11935 Microsoft Excel Remote Code Execution Vulnerability Important No No 1 1
CVE-2017-11936 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2
CVE-2017-11939 Microsoft Office Information Disclosure Vulnerability Important No No 2 N/A

Beyond what we’ve already discussed, the updates for Edge and IE should lead deployment lists. A full three-fourths of this release contains the words “Scripting Engine” in the title, with 19 of these being Critical-rated memory corruption issues. The rest are Information Disclosure bugs. There’s also an update to the Routing and Remote Access Service (RRAS), which some folks may actually still be using. It’s listed as Important since RRAS isn’t enabled by default, but if you are using it, you should consider it Critical.

This month’s release wraps up with a SharePoint bug, three Office patches, and an update for Exchange Server and Outlook Web Access (OWA). That collective shudder you heard was caused by Exchange admins everywhere thinking of applying an update to their mail server before the holidays. Combine that apprehension with the mandatory restart and you have an update that requires careful planning. However, the threat of exploit means this patch shouldn’t be ignored.

Finally, Microsoft released three advisories for December. The first disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word. Malware has been using DDE exploits, so hopefully this change will slow the spread. The second adds defense-in-depth changes to Exchange Server. It would have been convenient to include this with the security update, but that may not have been feasible. Lastly, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next Patch Tuesday falls on January 9 of 2018, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!