The July 2017 Security Update Review
July 11, 2017 | Dustin Childs
Summer is in full swing, and with it comes the latest batch of security patches from Adobe, Google Android, and Microsoft. This release also closes the books for all bugs initially disclosed during the 2017 edition of the Pwn2Own competition. Take a few minutes to relieve yourself from the summer heat and review details on this month’s bumper crop of security bugs.
Adobe Patches for July 2017
For this month, Adobe released one Critical-rated update for Flash and one Important-rated update for Adobe Connect. The Flash update is uncharacteristically small with only three CVEs being addressed – one of which came through the ZDI program. While the update does receive the highest severity rating, Adobe reports there are no indications of active attacks using these CVEs. The bugs addressed include a Critical-rated memory corruption issue leading to RCE, an Important-rated memory corruption issue leading to memory address disclosure, and an Important-rated information disclosure vulnerability leading to a security feature bypass. The update for Adobe Connect addresses two Important-rated cross-site scripting (XSS) bugs and one Moderate-rated clickjacking bug, also known as UI redressing.
Google Android Patches for July 2017
The July update for Google Android fixes a plethora of security bugs, including the highly publicized “BroadPwn” bug connected to Broadcom’s BCM43xx family of WiFi chips. According to the researcher, no user interaction is needed to remotely trigger the vulnerability. Since this chipset is widely available – used in various iPhone models, Nexus, Samsung, LG and HTC – the bug could have a wide-reaching impact. The research will be presented at the upcoming Black Hat conference in Las Vegas, so it’s good to see Android get a patch out ahead of the public disclosure. It’s still unknown if Apple or Broadcom will also need to produce patches. Hopefully the talk provides information on that aspect.
Microsoft Patches for July 2017
Microsoft greets July with 54 security patches impacting Windows, Internet Explorer, Edge, Office, SharePoint, .NET Framework, Exchange, and HoloLens. Yes, that HoloLens (more on that below). Of these 54 CVEs, 19 are listed as Critical, 32 are rated Important, and 3 are Moderate in severity. None are listed as being under active attack, although four are listed as being publicly known prior to the update.
You’ll notice several of the bugs patched this month came through the ZDI program. More specifically, some of these vulns were first disclosed to Microsoft during the most recent Pwn2Own competition back in March. These bugs are the last ones to be patched from the competition. In all, the ZDI purchased 51 bugs affecting six different vendors over the three-day competition. Impressively, all affected vendors were able to produce patches within 120 days. It’s nice to see fixes for the bugs disclosed during the contest now available to everyone. All of the vendors should be commended for their effort and hard work in making these patches available in a timely manner.
A few of the CVEs addressed by Microsoft this month deserve some extra attention.
- CVE-2017-8584 – HoloLens Remote Code Execution Vulnerability
This patch covers an RCE that occurs when HoloLens improperly handles objects in memory due to specially crafted WiFi packets. Microsoft lists this as publicly known but not exploited. It’s unlikely that this bug will see much use since the HoloLens device isn’t widely deployed, but this bug is still fascinating for a couple of different reasons. The device can be compromised by merely receiving WiFi packets, apparently without any form of authentication at all. On its own, that’s something to really delve into, but more than that, we now live in a world where Microsoft releases security patches for augmented reality headsets.
- CVE-2017-8463 – Windows Explorer Remote Code Execution Vulnerability
While not previously known publicly, this RCE bug in Windows Explorer certainly caught my attention. An attacker would need to use a bit of social engineering to successfully achieve code execution. They would need to share both a folder and a piece of malware named with an executable extension and then trick the user into thinking that the malware was the folder. These types of bugs are commonly used in phishing campaigns and ransomware attacks. We can expect to see reports of this bug in the wild in the coming months, especially since this was given an XI rating of 1 and impacts all supported OS versions.
Here’s the full list of CVEs released by Microsoft for July 2017.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
CVE-2017-8584 | HoloLens Remote Code Execution Vulnerability | Critical | Yes | No | 2 | 2 |
CVE-2017-8587 | Windows Explorer Denial of Service Vulnerability | Important | Yes | No | 3 | 3 |
CVE-2017-8602 | Microsoft Browser Spoofing Vulnerability | Important | Yes | No | 3 | N/A |
CVE-2017-8611 | Microsoft Edge Spoofing Vulnerability | Moderate | Yes | No | 2 | N/A |
CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8589 | Windows Search Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8594 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8595 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8596 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8598 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8601 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8603 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8604 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8605 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8607 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 2 |
CVE-2017-8608 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8610 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8617 | Microsoft Edge Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8619 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8606 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8609 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8618 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-0243 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | N/A | 2 |
CVE-2017-8467 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8486 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8495 | Kerberos SNAME Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8501 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | N/A | 2 |
CVE-2017-8502 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8556 | Microsoft Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8557 | Windows System Information Console Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8559 | Microsoft Exchange Cross-Site Scripting Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8560 | Microsoft Exchange Cross-Site Scripting Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8561 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8562 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8563 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8564 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8565 | Windows PowerShell Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8566 | Windows IME Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8569 | SharePoint Server XSS Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8573 | Microsoft Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8574 | Microsoft Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8577 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8578 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8580 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8581 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8582 | Https.sys Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8585 | .NET Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8588 | WordPad Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8590 | Windows CLFS Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8599 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8592 | Microsoft Browser Security Feature Bypass | Important | No | No | 3 | 3 |
CVE-2017-0170 | Windows Performance Monitor Information Disclosure Vulnerability | Moderate | No | No | 3 | 3 |
CVE-2017-8621 | Microsoft Exchange Open Redirect Vulnerability | Moderate | No | No | 3 | 3 |
Obviously, the patches impacting Edge, IE and Office should top deployment lists due to the ubiquitous nature of the programs. Amongst the Edge and IE cases are several quite simply titled “Scripting Engine Memory Corruption Vulnerability.” Some of these cases demonstrate a new class of risk emerging in connection with JavaScript: the danger of vulnerabilities in the execution engine itself. We have begun to receive reports of some vulnerabilities of this class from submitters to the ZDI program, and additionally from contestants in the Pwn2Own competition. ZDI researcher Simon Zuckerbraun will be providing some details on these types of JavaScript vulnerabilities in a series of blogs starting next week. Stay tuned to our blog for the latest, and remember kids – Java is to JavaScript as ham is to hamster.
The release is rounded out by several bugs impacting the kernel, an RCE in PowerShell that could prove interesting down the line, an ASP.net info disclosure, a .NET denial of service, and several Office code execution and info disclosure issues. Be especially leery of the updates to Office components, as there has been a rash of issues with recent Outlook updates.
Finally, Microsoft also released its version of the Adobe patch for Flash in Internet Explorer. It’s interesting to note that Microsoft reverted to security advisories for these updates after briefly treating these patches like security bulletins.
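For teams turning the CVE table above into a deployment order, here is an added example (not ZDI or Microsoft code) that parses the table's pipe-delimited rows and ranks them. The sort weighting (exploited, then worst XI across both columns, then public disclosure, then severity) and all function names are assumptions of this example.

```python
# Added example: rank rows of the July 2017 table for patch deployment.
# The weighting below is this example's assumption, not a vendor rule.
# XI is Microsoft's Exploitability Index: a lower number means exploitation is more likely.

# A subset of rows copied from the table above, in the page's pipe-delimited form.
SAMPLE_ROWS = """\
CVE-2017-8584 | HoloLens Remote Code Execution Vulnerability | Critical | Yes | No | 2 | 2 |
CVE-2017-8587 | Windows Explorer Denial of Service Vulnerability | Important | Yes | No | 3 | 3 |
CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-0243 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | N/A | 2 |
CVE-2017-8599 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8621 | Microsoft Exchange Open Redirect Vulnerability | Moderate | No | No | 3 | 3 |
"""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def parse_xi(cell):
    """Return the XI as an int, or None when the cell is N/A (no rating given)."""
    cell = cell.strip()
    return None if cell.upper() == "N/A" else int(cell)

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.rstrip().rstrip("|").split("|")]
        if len(cells) != 7 or not cells[0].startswith("CVE-"):
            continue  # skip the header row and anything malformed
        cve, title, severity, public, exploited, xi_latest, xi_older = cells
        rows.append({
            "cve": cve, "title": title, "severity": severity,
            "public": public == "Yes", "exploited": exploited == "Yes",
            "xi": [x for x in (parse_xi(xi_latest), parse_xi(xi_older)) if x is not None],
        })
    return rows

def triage_key(row):
    # Lower tuple sorts first. The worst (lowest) XI across both columns is used
    # so a bug rated N/A on the latest release but 2 on older ones is not lost.
    worst_xi = min(row["xi"]) if row["xi"] else 4
    return (not row["exploited"], worst_xi, not row["public"],
            SEVERITY_RANK.get(row["severity"], 9), row["cve"])

def deployment_order(text):
    return [r["cve"] for r in sorted(parse_rows(text), key=triage_key)]

if __name__ == "__main__":
    for cve in deployment_order(SAMPLE_ROWS):
        print(cve)
```

Feeding the full table through `deployment_order` works the same way; the header row is skipped because its first cell is not a CVE identifier.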
Looking Ahead
The next Patch Tuesday falls on August 8th, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!