The August 2017 Security Update Review

August 08, 2017 | Dustin Childs

While others go looking for the latest school supplies, let’s beat the heat and turn our attention instead to the latest security patches from Adobe and Microsoft.

Adobe Patches for August 2017

For this month, Adobe released two Critical-rated updates for Adobe Flash, Digital Editions, and Reader, and one Important-rated update for Adobe Experience Manager. The Flash update is again rather small, with only two CVEs being addressed – one of which came through the ZDI program. Since Adobe put a solid expiration date on Flash, it also declared an expiration date for Flash updates. Of course, this doesn’t mean attackers will stop targeting remaining Flash instances past 2020, so administrators need to take appropriate measures before that time. The update for Adobe Reader is much larger. It covers 43 Critical and 24 Important CVEs. A total of 57 of these unique CVEs were due to 65 separate bug submissions to the ZDI program. The patch mostly addresses Use-After-Free and memory corruption issues that could allow a remote attacker to execute code on a target system if they can convince a user to open a maliciously crafted file.

The update for Adobe Digital Editions addresses two Critical CVEs and seven Important CVEs. Again, one of these CVEs came through the ZDI program. Most of these bugs result in information disclosure due to leaking memory addresses. The final Adobe update for August corrects three different issues in the Experience Manager. While Adobe lists the overall bulletin as Moderate, it identifies CVE-2017-3108 as an Important-severity arbitrary code execution. Either way, if you are running the Experience Manager product within your enterprise, this patch definitely should not be ignored. And if you’re keeping score at home, you should note that over 70% of the CVEs patched by Adobe this month came through the ZDI program at some point.

Microsoft Patches for August 2017

Microsoft released 48 security patches for August covering Windows, Internet Explorer (IE), Edge, the Windows Subsystem for Linux, the kernel, SharePoint, SQL Server, and Hyper-V. Of these 48 CVEs, 25 are listed as Critical, 21 are rated Important, and two are Moderate in severity. A total of seven of these CVEs came through the ZDI program. Two of these bugs are listed as publicly known prior to release, with one bug listed as having a publicly available PoC.

A few of the CVEs addressed by Microsoft this month deserve some extra attention, and we’ll start by looking at the one under active attack.

- CVE-2017-8620 – Windows Search Remote Code Execution Vulnerability
This is by far the most critical bug for this month. In addition to being similar to a previous Search vulnerability – which was under active attack when it was released – this bug allows a malicious SMB request to execute code on a target system. As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer. That’s pretty close to wormable and just the sort of thing malware writers look for in a bug. Also, let this be your monthly reminder to disable SMBv1.

- CVE-2017-8664 – Windows Hyper-V Remote Code Execution Vulnerability
Although neither publicly known nor actively exploited, this bug certainly warrants extra attention. According to Microsoft, “Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.” This could allow an attacker on a guest OS to escape and execute code on the underlying hypervisor. Back at the 2017 Pwn2Own competition, a Hyper-V escape like this one would have earned the contestant $100,000 USD. Although we didn’t have anyone attempt this product this year, it’s safe to say we’ll likely get some attempts should the category return.

Here’s the full list of CVEs released by Microsoft for August 2017.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
|---|---|---|---|---|---|---|
| CVE-2017-8620 | Windows Search Remote Code Execution Vulnerability | Critical | Yes | No | 1 | 1 |
| CVE-2017-8627 | Windows Subsystem for Linux Denial of Service Vulnerability | Important | Yes | No | 3 | N/A |
| CVE-2017-8633 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 |
| CVE-2017-0250 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Critical | No | No | 3 | 3 |
| CVE-2017-0293 | Windows PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2017-8591 | Windows IME Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2017-8622 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Critical | No | No | 3 | N/A |
| CVE-2017-8634 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8635 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-8636 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-8638 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2017-8639 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8640 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8641 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-8645 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8646 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2017-8647 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2017-8653 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-8655 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2017-8656 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8657 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8661 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8669 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-8670 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8671 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-8672 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2017-8674 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-0174 | Windows NetBIOS Denial of Service Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8503 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-8516 | Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-8593 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8623 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-8624 | Windows CLFS Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8625 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8637 | Scripting Engine Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-8642 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 3 | N/A |
| CVE-2017-8644 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-8652 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-8654 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-8659 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-8662 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-8664 | Windows Hyper-V Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8666 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-8668 | Volume Manager Extension Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8673 | Windows Remote Desktop Protocol Denial of Service Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-8691 | Express Compressed Fonts Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-8650 | Microsoft Edge Security Feature Bypass Vulnerability | Moderate | No | No | 3 | N/A |
| CVE-2017-8651 | Internet Explorer Memory Corruption Vulnerability | Moderate | No | No | N/A | 1 |

Obviously, the patches impacting Edge, IE, and SharePoint should top deployment lists due to the ubiquitous nature of those programs. As in the previous month, there are many Edge and IE cases quite simply titled “Scripting Engine Memory Corruption Vulnerability.” Recently, ZDI researcher Simon Zuckerbraun blogged about how JavaScript has inadvertently become the assembly language of the web and the implications that brings for risk in an enterprise. There are also a couple of patches for the Windows Subsystem for Linux (WSL) – a new Windows 10 feature aimed primarily at developers. If you understand I’m not misspelling the word “sed,” this patch should matter to you. The release is rounded out with updates for the Windows kernel, Remote Desktop Protocol, and a few other Windows components.
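To make that deployment-ordering discussion concrete, here is an added Python example (not tooling from ZDI or Microsoft) that parses rows laid out like the table above and ranks them by the signals Microsoft publishes with each advisory: active exploitation first, then public disclosure, then the best Exploitability Index (XI) across latest and older releases, and finally severity. The sample rows are a constructed subset copied from this month's table, and the ordering of those four signals is this example's own assumption, not Microsoft's or ZDI's official guidance.

```python
"""Rank a Patch Tuesday release list by exploitation signals.

Added example, not ZDI or Microsoft tooling. SAMPLE_ROWS is a constructed
subset of the August 2017 table above, in its flattened one-row-per-line
layout; a real run would feed in an export of the Security Update Guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample rows: "CVE Title... Severity Public Exploited XI-Latest XI-Older".
SAMPLE_ROWS = """\
CVE-2017-8620 Windows Search Remote Code Execution Vulnerability Critical Yes No 1 1
CVE-2017-8627 Windows Subsystem for Linux Denial of Service Vulnerability Important Yes No 3 N/A
CVE-2017-8633 Windows Error Reporting Elevation of Privilege Vulnerability Important Yes No 1 1
CVE-2017-0250 Microsoft JET Database Engine Remote Code Execution Vulnerability Critical No No 3 3
CVE-2017-8634 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A
CVE-2017-8654 Microsoft Office SharePoint XSS Vulnerability Important No No 3 3
CVE-2017-8664 Windows Hyper-V Remote Code Execution Vulnerability Important No No 2 2
CVE-2017-8651 Internet Explorer Memory Corruption Vulnerability Moderate No No N/A 1
"""

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}
UNRATED_XI = 4  # sorts after every real Exploitability Index value (1-3)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str
    public: bool               # details disclosed before the patch shipped
    exploited: bool            # in-the-wild exploitation reported
    xi_latest: Optional[int]   # Exploitability Index; None where the table says N/A
    xi_older: Optional[int]


def _parse_xi(token: str) -> Optional[int]:
    return None if token == "N/A" else int(token)


def parse_row(line: str) -> Advisory:
    """Split one flattened row: the last five tokens are fixed fields,
    everything between the CVE id and them is the free-text title."""
    parts = line.split()
    if len(parts) < 7:
        raise ValueError(f"malformed row: {line!r}")
    severity, public, exploited, xi_latest, xi_older = parts[-5:]
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r} in {line!r}")
    return Advisory(
        cve=parts[0],
        title=" ".join(parts[1:-5]),
        severity=severity,
        public=(public == "Yes"),
        exploited=(exploited == "Yes"),
        xi_latest=_parse_xi(xi_latest),
        xi_older=_parse_xi(xi_older),
    )


def parse_table(text: str) -> List[Advisory]:
    return [parse_row(row) for row in text.splitlines() if row.strip()]


def best_xi(adv: Advisory) -> int:
    """Likeliest exploitation across supported releases (lower = likelier)."""
    rated = [x for x in (adv.xi_latest, adv.xi_older) if x is not None]
    return min(rated) if rated else UNRATED_XI


def priority_key(adv: Advisory) -> Tuple[int, int, int, int]:
    """Sort key, lower first: exploited, then public, then XI, then severity.
    The ordering of these signals is this example's assumption."""
    return (
        0 if adv.exploited else 1,
        0 if adv.public else 1,
        best_xi(adv),
        -SEVERITY_RANK[adv.severity],
    )


def triage(advisories: List[Advisory]) -> List[Advisory]:
    """Return the list in recommended deployment order."""
    return sorted(advisories, key=priority_key)


def severity_counts(advisories: List[Advisory]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for adv in advisories:
        counts[adv.severity] = counts.get(adv.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for adv in triage(parse_table(SAMPLE_ROWS)):
        flags = " ".join(f for f, on in (("exploited", adv.exploited), ("public", adv.public)) if on)
        print(f"{adv.cve}  XI={best_xi(adv)}  {adv.severity:<9} {flags:<16} {adv.title}")
```

Run as a script, the publicly known bugs come out on top, ordered by XI and then severity; a row whose XI is only rated for older releases (CVE-2017-8651) still gets a rating because the key takes the best of the two columns rather than treating N/A as "unrated".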

While not officially a part of the August release, Microsoft rather quietly released patches for Outlook and Office Click-to-Run to correct three new vulnerabilities on July 27. None of the updates for CVE-2017-8571, CVE-2017-8572, or CVE-2017-8663 are listed as public or under active attack. They do, however, all state “the security updates address known issues 1 through 4 described in the Office Support Article Outlook known issues in the June 2017 security updates.” Apparently, some issues with these updates remain as Microsoft continues to investigate iCloud failing to properly load in Outlook. If you’ve run into issues with Outlook since the June updates, this could alleviate some of those problems. That could also be why they were released “out of band” – meaning a day other than Patch Tuesday. Microsoft also added CVE-2017-8518 to the June release, but confusingly, it was published on August 4. Since it is not listed as being under active attack, this is likely due to a clerical error.

Finally, Microsoft also released its version of the Adobe patch for Flash in Internet Explorer. In case you’re wondering, Microsoft did officially state it too would end Flash support at the end of 2020.

Looking Ahead

The next patch Tuesday falls on September 12, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!