The March 2017 Security Update Review

Just a day before Pwn2Own kicks off its 10th anniversary, join us in looking at the security updates released by Google, Adobe, VMWare, Firefox, and Microsoft for the month of March 2017. It’s shaping up to be the largest Patch Tuesday in history, which is fitting to coincide with the largest Pwn2own ever.

tl:dr – Everyone has patched ahead of the largest Pwn2Own ever. Start your updating early.

Google Chrome Update for March 2017

The Chrome team released version 57.0.2987.98 on Thursday, March 9, to correct nine high-severity bugs in the browser plus some medium-severity bugs and other fixes. The most severe of these issues – at least based on price – involves a memory corruption in the V8 JavaScript engine. In the past, Google had also said it would deprecate the use of the SHA-1 algorithm in version 56, but no announcements about the outdated algorithm have been made. Surprisingly, they released version 58.0.3029.12 the following day with additional security fixes. The folks in Mountain View did say more information regarding Chrome will be published via the Chrome and Chromium blog. Hopefully we’ll get more details then.

VMware Security Advisories for March 2017

Ahead of its inclusion in Pwn2Own 2017, the folks from VMware released multiple updates for March. The most recent update corrects a remote code execution problem in Apache Struts 2 in Horizon Desktop as-a-Service Platform (DaaS), VMware vCenter Server (vCenter), vRealize Operations Manager (vROps), and vRealize Hyperic Server (Hyperic). A separate update for VMware Workstation and Fusion fixes an out-of-bounds memory access vulnerability. Both are rated Critical and were released within days of each other. A different Important-rated update for VMware Workstation corrects multiple security issues, including a DLL-loading issue and a null pointer derefernce.

VMware does not patch on a regular schedule like some vendors, so it’s interesting to see a flurry of patches come from them. While the inclusion of VMware in Pwn2Own may not have driven these patches, but I am certain it didn’t discourage these patches either.

Mozilla Firefox Update for March 2017

The Firefox update for March addresses 28 CVEs, seven of which are related Critical. The worst of these bugs could allow remote code execution if a user browses to a malicious website. The code execution would occur at the logged on user level, another reminder to operate as a non-admin user for daily activities.

Microsoft Patches for March 2017

Microsoft failed to deliver any updates in February, and they also failed to provide an exact reason why. Combine that fact with a light January and we’re left with the largest patch Tuesday in Microsoft’s history. There are 17 updates addressing 135 CVEs (plus the bulletin for Flash, which addresses seven more CVEs). Eight of these updates are rated as Critical and nine are rated as Important. The updates for IE and GDI have CVEs listed as under active attack. Seven of these updates include CVEs that are publicly known:

  - IE (CVE-2017-0008, -0012, -0033, -0037, -0154)
  - Edge (CVE-2017-0012, -0033, -0037, -0065, -0069)
  - Hyper-V (CVE-2017-0097)
  - SMB (CVE-2017-0143)
  - Windows (CVE-2017-0016)
  - Office (CVE-2017-0014)
  - Kernel (CVE-2017-0050)

On an interesting side note, Microsoft had previously stated that as of today, security bulletins would no longer be available outside the “Security Update Guide”. However, the standard monthly summary linking to individual bulletins remains. It will be interesting to see how this evolves over time. Hopefully Microsoft continues to make it easy to digest this vital information in various forms. Until then, let’s take a deep dive into the security updates for March.

MS17-006 – Internet Explorer (Critical)
This bulletin addresses 12 vulnerabilities, five of which are publicly known and one which is under active attack. This should likely be the priority for most enterprises and consumers alike. IE is widely deployed and active attacks tend to be widespread. The CVE under attack is listed as “memory corruption”, which usually means a use-after-free (UAF) bug.

MS17-007 – Edge (Critical)
This bulletin addresses 32 vulnerabilities, five of which are publicly known but not reported to be under active attack. This is one of the rare times where the Edge browser has more bugs being fixed than IE. Over 20 of the CVEs receive an Exploit Index (XI) rating of 1, which means Microsoft indicates exploitation is more likely for these issues. Microsoft touts many of the security enhancements in Edge, but clearly issues remain.

MS17-008 – Hyper-V (Critical)
This bulletin addresses 11 vulnerabilities, one of which is publicly known but not reported to be under active attack. The worst case for these bugs would allow someone on the guest OS to execute code on the host OS. We actually have this scenario as a category in this year’s Pwn2Own. You may be offered this update even if you don’t have Hyper-V enabled since, according to the bulletin, “the update is applicable to all supported products and versions that contain the vulnerable code.”

MS17-009 – Widows PDF Viewer (Critical)
This bulletin addresses one Critical bug, which is also discussed in the Edge bulletin. Both updates will be needed for full protection, but they may be applied in any order.

MS17-010 – SMB Server (Critical)
This bulletin addresses 6 vulnerabilities, one of which is publicly known but not reported to be under active attack. All of these issues rely on SMBv1, which really should be disabled on your systems.

MS17-011 – Uniscribe (Critical)
This bulletin addresses 29 vulnerabilities, none of which are reported as publicly known. Only eight of these issues are listed as remote code execution (RCE), and all of these have lower XI ratings. If you have to prioritize your testing, you may want to push this down the list.

MS17-012 – Windows (Critical)
This bulletin addresses one Critical and five Important bugs in a veritable potpourri of Windows components. Included in this update is a fix for CVE-2017-0016, which was publicly disclosed in February. Although Microsoft does not show this as being exploited, there are reports to the contrary.

MS17-013 – Graphics Components (Critical)
This bulletin addresses 12 vulnerabilities, one of which is reported to be under active attack. Flaws in the GDI and GDI+ make for an attractive target, so it’s no surprise attackers use these bugs. While this patch does correct the GDI bug publicly disclosed by Google, the CVE under attack is actually a different issue.

MS17-014 – Office (Important)
This bulletin addresses 12 vulnerabilities, one of which is publicly known but not reported to be under active attack. While you may be tempted to pass on this patch, remember Office applications are widely targeted and often used in ransomware attacks.

MS17-015– Exchange Server (Important)
This bulletin addresses one privately reported vulnerability in Exchange Server 2013. While the bug impacts Outlook Web Access (OWA), this is another case where waiting may be prudent, as Exchange patches have a bad history where quality is concerned.

MS17-016 – Windows IIS (Important)
This bulletin addresses one privately reported vulnerability in all supported releases of Microsoft Windows. This is a simple cross-site scripting (XSS) issue, but don’t ignore this if you’re running IIS.

MS17-017 – Windows Kernel (Important)
This bulletin addresses four vulnerabilities, one of which is publicly known but not reported to be under active attack. Kernel bugs are key factors in many sandbox escapes – a highlight of many Pwn2Own exploits. It will be interesting to see if any of the Pwn2Own contestants will need to scramble due to this patch.

MS17-018 – Windows Kernel-Mode Drivers (Important)
This bulletin addresses eight elevation of privilege (EoP) vulnerabilities, none of which are reported as publicly known. Similar to kernel bugs, KMD bugs are often seen in sandbox escapes.

MS17-019 – Active Directory Federation Services (Important)
This bulletin addresses one privately reported vulnerability in all supported releases of Windows server. Since this is an info disclosure issue, an attacker would need to pair this with something else to really create a problem.

MS17-020 – Windows DVD Maker (Important)
This bulletin addresses one privately reported vulnerability in all Windows Vista and Windows 7. As with ADFS, this is only an info disclosure issue.

MS17-021 – DirectShow (Important)
This bulletin addresses one privately reported vulnerability in all supported releases of Microsoft Windows. Another info disclosure issue that requires user action, such as visiting a website.

MS17-022 – XML Core Services (Important)
This bulletin addresses one privately reported vulnerability in XML Core Service 3.0 on all supported releases of Microsoft Windows. This is the final info disclosure issue for March.

The final bulletin for the month is Microsoft’s repackage of the Adobe Flash update, which is detailed below.

Adobe Patches for March 2017

For this month, Adobe released two Critical Flash Player and Shockwave Player. The Flash update corrects seven CVEs, the worst of which could allow remote code execution if a user viewed specially-crafted content with an affected Flash version. None of these are listed as being under active attack. The Shockwave update addresses just one CVE and is listed as Important in severity. The fixes an issue in the directory search path used to find resources that could allow an escalation of privilege.

Looking Ahead

The next patch Tuesday falls on April 11, and we’ll be back with details and analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!