The May 2017 Security Update Review
May 09, 2017 | Dustin Childs
Take a break from smelling the flowers brought on by last month’s rain and join us in taking a closer look at the security updates released by Adobe, Intel, and Microsoft for the month of May, 2017. Microsoft introduced their new format last month, and we’ve put on our decoder ring to find what’s important to you. Let’s parse through the data and see the release for this month.
Microsoft Patches for May 2017
This month Microsoft released patches for 55 new CVEs in Internet Explorer, Edge, Office, Windows, and .NET Framework. A total of 14 of these CVEs are rated Critical while the rest are rated Important in severity. Three of these CVEs are documented as being under active attack and should be prioritized.
- CVE-2017-0261: Microsoft Office Remote Code Execution Vulnerability
This bug exploits a flaw in the processing of EPS image files to execute code on a target system. The attacker only gets code execution at the level of the logged-on user, so the bug must be combined with an elevation of privilege to take control of a system. That’s exactly what is happening here, as public reports have this bug being used in combination with the kernel bug listed below. If you have Office installed on your workstation, you are definitely at risk and should apply the updates. If you have Office installed on your server, you should uninstall Office from your server.
- CVE-2017-0222: Internet Explorer Memory Corruption Vulnerability
This vulnerability allows an attacker to execute code on a target system if they can convince a user to browse to a malicious web page. While you may think your browsing habits don’t put you at risk, exploits like these are often seen in malicious ads that show up on legitimate websites. Issues like this are the reason browsing as a system administrator is always a bad idea, since the attacker gets the permissions of the logged-on user. It also highlights how an ad blocker can be a defensive tool – not just a convenience.
- CVE-2017-0263: Win32k Elevation of Privilege Vulnerability
This CVE covers an elevation of privilege vulnerability in Windows kernel-mode drivers. Unlike the other two bugs we just covered, this vulnerability, which is currently being exploited, does allow an attacker to execute code with elevated privileges. In this case, the attacker must be logged on to the target system. The local nature of the bug is why the severity drops from Critical to Important. These bugs are typically paired with a remote bug – like the two previously mentioned – to allow an attacker to completely take over a system. For those who believe 0-days don’t matter, they should probably ask those affected by these bugs for their opinion.
- CVE-2017-0241: Microsoft Edge Elevation of Privilege Vulnerability
This bug could allow an attacker to force a target system to take actions in the context of the Intranet Zone and access functionality that is usually restricted when browsing in the context of the Internet Zone. Why does this matter? The default security template for the Local Intranet Zone is lower. This means that many actions here have more open settings than the Internet Zone. In particular, the popup blocker is set to allow popups, and features like ActiveX Filtering, the XSS Filter, and SmartScreen are disabled by default. This bug would need to be used in conjunction with something else to really be effective, but it could take something uninteresting and turn it into something useful to attackers. While Microsoft has a “No” in the column for “Exploited,” they do list this as being publicly known and have “0 - Exploitation Detected” in the Exploit Index. Either way, this is definitely a case to focus on.
To help understand the entirety of this release, we’ve put together this table of all CVEs released by Microsoft for May, 2017.
| CVE | Title | Severity | Impact | Public | Exploited | XI - Latest | XI - Older |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2017-0222 | Internet Explorer Memory Corruption Vulnerability | Critical | RCE | No | Yes | 0 | 0 |
| CVE-2017-0261 | Microsoft Office Remote Code Execution Vulnerability | Important | RCE | No | Yes | 1 | 0 |
| CVE-2017-0263 | Win32k Elevation of Privilege Vulnerability | Important | EoP | No | Yes | 1 | 0 |
| CVE-2017-0229 | Scripting Engine Memory Corruption Vulnerability | Critical | RCE | Yes | No | 3 | 3 |
| CVE-2017-0064 | Internet Explorer Security Feature Bypass Vulnerability | Important | SFB | Yes | No | 2 | 2 |
| CVE-2017-0231 | Microsoft Browser Spoofing Vulnerability | Important | Spoofing | Yes | No | 2 | 2 |
| CVE-2017-0241 | Microsoft Edge Elevation of Privilege Vulnerability | Important | EoP | Yes | No | 0 | N/A |
| CVE-2017-0221 | Microsoft Edge Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0224 | Scripting Engine Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0227 | Microsoft Edge Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0228 | Scripting Engine Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0235 | Scripting Engine Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0236 | Scripting Engine Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0240 | Microsoft Edge Memory Corruption Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0266 | Microsoft Edge Remote Code Execution Vulnerability | Critical | RCE | No | No | 1 | N/A |
| CVE-2017-0272 | Windows SMB Remote Code Execution Vulnerability | Critical | RCE | No | No | 2 | 2 |
| CVE-2017-0277 | Windows SMB Remote Code Execution Vulnerability | Critical | RCE | No | No | 2 | 2 |
| CVE-2017-0278 | Windows SMB Remote Code Execution Vulnerability | Critical | RCE | No | No | 2 | 2 |
| CVE-2017-0279 | Windows SMB Remote Code Execution Vulnerability | Critical | RCE | No | No | 2 | 2 |
| CVE-2017-0290 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability | Critical | RCE | No | No | 2 | 2 |
| CVE-2017-0077 | Win32k Information Disclosure Vulnerability | Important | Info Disc. | No | No | 1 | 1 |
| CVE-2017-0171 | Windows DNS Server Denial of Service Vulnerability | Important | DoS | No | No | 3 | 3 |
| CVE-2017-0175 | Windows Kernel Information Disclosure Vulnerability | Important | Info Disc. | No | No | N/A | 1 |
| CVE-2017-0190 | Windows GDI Denial of Service Vulnerability | Important | DoS | No | No | 3 | 3 |
| CVE-2017-0212 | Windows Hyper-V vSMB Elevation of Privilege Vulnerability | Important | EoP | No | No | 2 | 2 |
| CVE-2017-0213 | Windows COM Elevation of Privilege Vulnerability | Important | EoP | No | No | 1 | 1 |
| CVE-2017-0214 | Windows COM Elevation of Privilege Vulnerability | Important | EoP | No | No | 1 | 1 |
| CVE-2017-0220 | Windows Kernel Information Disclosure Vulnerability | Important | Info Disc. | No | No | N/A | 1 |
| CVE-2017-0226 | Microsoft Internet Explorer Memory Corruption Vulnerability | Important | RCE | No | No | 1 | 1 |
| CVE-2017-0230 | Scripting Engine Memory Corruption Vulnerability | Important | RCE | No | No | 1 | N/A |
| CVE-2017-0233 | Microsoft Edge Elevation of Privilege Vulnerability | Important | EoP | No | No | 1 | N/A |
| CVE-2017-0234 | Scripting Engine Memory Corruption Vulnerability | Important | RCE | No | No | 1 | N/A |
| CVE-2017-0238 | Scripting Engine Memory Corruption Vulnerability | Important | RCE | No | No | 1 | 1 |
| CVE-2017-0242 | Microsoft ActiveX Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0244 | Windows Kernel Elevation of Privilege Vulnerability | Important | EoP | No | No | N/A | 1 |
| CVE-2017-0245 | Win32k Information Disclosure Vulnerability | Important | Info Disc. | No | No | N/A | 2 |
| CVE-2017-0246 | Win32k Elevation of Privilege Vulnerability | Important | EoP | No | No | N/A | 1 |
| CVE-2017-0248 | .Net Security Feature Bypass Vulnerability | Important | SFB | No | No | 3 | 3 |
| CVE-2017-0254 | Microsoft Office Memory Corruption Vulnerability | Important | RCE | No | No | 2 | 2 |
| CVE-2017-0255 | Microsoft SharePoint XSS Vulnerability | Important | EoP | No | No | 3 | 3 |
| CVE-2017-0258 | Windows Kernel Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0259 | Windows Kernel Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0262 | Microsoft Office Remote Code Execution Vulnerability | Important | RCE | No | No | 1 | 0 |
| CVE-2017-0264 | Microsoft Office Memory Corruption Vulnerability | Important | RCE | No | No | N/A | 3 |
| CVE-2017-0265 | Microsoft Office Memory Corruption Vulnerability | Important | RCE | No | No | N/A | 3 |
| CVE-2017-0267 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0268 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0269 | Windows SMB Denial of Service Vulnerability | Important | DoS | No | No | 2 | 2 |
| CVE-2017-0270 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0271 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0273 | Windows SMB Denial of Service Vulnerability | Important | DoS | No | No | 2 | 2 |
| CVE-2017-0274 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0275 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0276 | Windows SMB Information Disclosure Vulnerability | Important | Info Disc. | No | No | 2 | 2 |
| CVE-2017-0280 | Windows SMB Denial of Service Vulnerability | Important | DoS | No | No | 2 | 2 |
| CVE-2017-0281 | Microsoft Office Remote Code Execution Vulnerability | Important | RCE | No | No | 2 | 2 |
Since this is our first month doing this, we’ll likely modify this table over time to best meet your needs. Let us know on Twitter what you think. We’ll try to incorporate improvements as we go.
Of the remaining bugs, the patches for SMB are attention worthy, as well. Any time code execution exists in a default service that runs at elevated levels, people should take notice.
Finally, Microsoft also released Security Advisory 4022344 last evening to address a Critical bug in their malware protection engine. Fortunately, this engine is designed to get frequent updates, so no user interaction should be required. According to Microsoft, this CVE was not publicly known or under active attack prior to the patch being made available. For completeness, this CVE was included in the table above.
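For patch triage, the following Python is an added example (not part of the original post or any Microsoft tooling) that parses rows in the table's pipe-delimited layout, orders them with actively exploited CVEs first, and flags rows where the Exploit Index reads 0 while the Exploited column reads "No", as discussed for CVE-2017-0241. The function names and the tie-break order after "exploited" (XI of 0, publicly known, severity, then XI) are assumptions of this example.

```python
import re

# Added example: function names and the tie-break order are assumptions.
# Rows copied from the table above (a subset, cell values unchanged).
ROWS = """\
|CVE-2017-0229||Scripting Engine Memory Corruption Vulnerability||Critical||RCE||Yes||No||3||3|
|CVE-2017-0241||Microsoft Edge Elevation of Privilege Vulnerability||Important||EoP||Yes||No||0||N/A|
|CVE-2017-0272||Windows SMB Remote Code Execution Vulnerability||Critical||RCE||No||No||2||2|
|CVE-2017-0263||Win32k Elevation of Privilege Vulnerability||Important||EoP||No||Yes||1||0|
|CVE-2017-0222||Internet Explorer Memory Corruption Vulnerability||Critical||RCE||No||Yes||0||0|
|CVE-2017-0175||Windows Kernel Information Disclosure Vulnerability||Important||Info Disc.||No||No||N/A||1|
"""

FIELDS = "cve title severity impact public exploited xi_latest xi_older".split()
SEVERITY_RANK = {"Critical": 0, "Important": 1}
NO_XI = 9  # sorts after every real index value; used when both columns are N/A

def parse_rows(text):
    """Parse pipe-delimited rows; tolerates both '|a||b|' and '| a | b |'."""
    out = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) != len(FIELDS) or not re.fullmatch(r"CVE-\d{4}-\d{4,}", cells[0]):
            continue  # header, separator or malformed row
        out.append(dict(zip(FIELDS, cells)))
    return out

def best_xi(row):
    """Lowest (most urgent) exploitability index across both XI columns."""
    vals = [int(row[k]) for k in ("xi_latest", "xi_older") if row[k].isdigit()]
    return min(vals) if vals else NO_XI

def triage_key(row):
    # Exploited first, then XI 0 even when 'Exploited' reads No, then
    # publicly known, then severity, then lower XI; CVE id breaks ties.
    xi = best_xi(row)
    return (row["exploited"] != "Yes", xi != 0, row["public"] != "Yes",
            SEVERITY_RANK.get(row["severity"], 2), xi, row["cve"])

def prioritize(rows):
    return [r["cve"] for r in sorted(rows, key=triage_key)]

def xi_mismatches(rows):
    """Rows whose XI reports 0 while the Exploited column reads 'No'."""
    return [r["cve"] for r in rows if r["exploited"] == "No" and best_xi(r) == 0]

if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print(prioritize(rows), xi_mismatches(rows))
```

Feeding the full table text to `parse_rows` works the same way; header and separator lines are skipped because their first cell is not a CVE identifier.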
Intel Patches for May 2017
Although we typically don’t cover Intel patches, a recent update from the processor giant has been making some news. Rated Critical in severity, CVE-2017-5689 is an elevation of privilege vulnerability in the Intel Active Management Technology (AMT) portion of some chipsets. Most consumers will never have heard of AMT, but enterprises know AMT provides a means to manage client systems through a web interface. Admins can remotely reboot a machine, provide remote installation media and, if configured, access a remote console.
While details about the exact vulnerability remain a bit light, the actual impact of the vulnerability may not be as bad as initially thought. If you have never enabled or used AMT, your systems are likely not in a vulnerable state. Most Intel systems don’t ship with AMT. Most Intel systems that do ship with AMT don’t have it enabled. This doesn’t mean the vulnerability will never be a problem for you, but it does give you a bit of time to read the uninstallation document.
Adobe Patches for May 2017
For this month, Adobe has released a surprisingly small release consisting of two updates. The Critical update for Flash fixes seven CVEs, and none are listed as being under active attack. All CVEs are rated as Critical, so we do recommend installing the update as soon as possible. The other update is for Adobe Experience Manager (AEM) Forms and corrects an Important severity information disclosure vulnerability. This is also not reported to be under active attack.
The next Patch Tuesday falls on the 13th of June, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!