The April 2017 Security Update Review

Take a break from staying dry during April showers and join us in taking a look at the security updates released by Adobe and Microsoft for the month of April, 2017. It’s a new world for Microsoft security patches, and it’s starting off with a bit of confusing information. Let’s parse through it and determine what matters to you.

Microsoft Patches for April 2017

This month marks the beginning of a new era for Microsoft’s patching process as they move away from security bulletins. Instead, they are providing details of their patches through the “Security Update Guide,” which tells us there are updates for Internet Explorer, Microsoft Edge, Microsoft Windows, Visual Studio for Mac, .NET Framework, Silverlight, and Microsoft Office and Microsoft Office Services and Web Apps. There remains a question about whether this move will change Microsoft’s compliance with ISO 29147, which states a unique update ID apart from CVE must be used. If there is any irony here, it’s that Microsoft was a significant contributor to the standard, and a security bulletin from 2009 serves as an example for compliance.

However, this change only tells a part of the patch story for this month. For April, Microsoft released patches for 45 unique CVEs in Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, Silverlight and .NET Framework. Three of these CVEs are listed as being under active attack and should be prioritized above the others.

- CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API

This bug received some press over the weekend, and there are some reports attacks using this flaw have been used since January. While labelled as an Outlook issue, this is actually bug actually stems from an issue within RTF files. According to published reports, the exploit uses an embedded OLE2link object in a specially-crafted document. It should also be noted that these attacks can be thwarted by enabling Office’s Protective View feature. There are updates for both Office and Windows to be applied, and both should be considered necessary for complete protection.

- CVE-2017-0210: Internet Explorer Elevation of Privilege Vulnerability

This CVE is listed as both publicly known and publicly exploited in active attacks. The exploit allows an attacker to access sensitive information from one domain and inject it into another domain, which could allow the attacker to gain elevated privileges. However, direct code execution is not possible through this bug alone. Instead, it would likely be used with a bug that executes code at a low integrity level to elevate the code execution to medium level integrity.

- 2017-2605*: Defense-in-Depth Update for Microsoft Office

This is truly an interesting case. The bug is listed as Critical yet titled “Defense-in-Depth” – a term normally applied to Moderate or lower severity. There’s also not an actual fix for this issue. Instead, the update turns off the Encapsulated PostScript (EPS) filter in Office as a by default. According to Microsoft, they are aware of “limited targeted attacks” that take advantage of an unpatched vulnerability in the EPS filter. This temporary measure is being pushed out until a true fix is released. Issues like this used to be covered by Security Advisories, so perhaps this indicates Microsoft has chosen to do away with these as well.

*This was initialy listed as CVE-2017-2605, but the number appears to not be associated with that CVE.

The release also includes 13 other Critical CVEs, primarily in the IE and Edge browsers. Also listed as Critical are three CVEs for Hyper-V, which was an untested target in the most recent Pwn2Own. We always hope Pwn2Own serves as a forcing function for vendors to improve their software and thus make it more difficult on the contestants. Whether Pwn2Own played a role here is unclear, but with acknowledgments given to internal Microsoft teams for finding these bugs, it appears Microsoft fixing them proactively. Kudos for both the proactive fixes and the internal recognition.

The other Important and Moderate CVEs cover various Windows components – namely Win32K and the Kernel – other Office bugs, and additional Hyper-V bugs. While none of the other updates released this month are listed as being under active attack, curiously, there is a CVE from 2013 for an information disclosure in the libjpeg library. Why it took several years to address this Important-severity issues previously patched by open-source software is not made clear.

And before we go any further, we would be remiss if we didn’t mention the end of support for the much-maligned Windows Vista operating systems. Today is the last time patches for Vista will be released for the Vista OS. Starting tomorrow, there will be little changed for those using Vista. No features will be disabled. There will be no forced update on to a new platform. The vast resources of online guidance for running and troubleshooting the OS will exist as they always have. In short, nothing obvious will change immediately. However, just because Microsoft stopped supporting Vista, it doesn’t mean attackers stop targeting Vista. Combine that with compliance concerns and the cost of maintaining older systems, it’s time to move on.

Adobe Patches for April 2017

Adobe has a much more conventional release for this month with updates for Campaign, Flash player, Acrobat Reader, Photoshop and the Creative Cloud Desktop Application. The update for Flash addresses seven bugs, none of which are listed as being under active attack. Five of these bugs came through the ZDI program and two of these bugs (CVE-2017-3062 and CVE-2017-3063) were disclosed through Pwn2Own. All of these issues fall into the category of either memory corruption or use-after-free (UAF) bugs. The update for Photoshop also rates as Critical with two bugs being addressed. Neither are listed as under active attack.

The update for Acrobat Reader also rates as the final Critical bulletin from Adobe for this month, though it comes in much larger with 47 CVEs being fixed. None of these are listed as being under attack. In addition to the memory corruption and UAF issues, the patch corrects a DLL hijacking bug, multiple information disclosures, an integer overflow, and a heap overflow. A total of 28 of these bugs came through the ZDI, and three (CVE-2017-3055, CVE-2017-3056, and CVE-2017-3057) were disclosed during this year’s Pwn2Own contest.

The updates for Adobe Campaign and the Creative Cloud Desktop Application are both listed as Important in severity. While neither can directly lead to code execution, both should be applied if you use these applications in your environment.

Looking Ahead

The next patch Tuesday falls on May 9, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!