Last month’s Patch Tuesday highlighted updates for older Windows versions to address vulnerabilities responsible for the WannaCry outbreak. This month’s Patch Tuesday shifts its focus to other technologies, with an update that addresses 54 vulnerabilities – including one in the augmented reality sphere.
One notable vulnerability in this month’s Patch Tuesday is CVE-2017-8584, a remote code execution vulnerability that deals with Microsoft’s augmented reality device known as HoloLens. This vulnerability is triggered when HoloLens improperly handles objects in memory when an attacker sends a specially crafted WiFi packet. In terms of prevalence, it is unlikely to cause much real world damage due to the niche nature of augmented reality devices. However, it still poses an interesting talking point and might be an indicator that these kinds of technology can potentially be used for malicious purposes.
Another important vulnerability addressed in this release was CVE-2017-8589, which is a remote code execution vulnerability that exists when Windows Search handles objects in memory. Attackers exploiting this vulnerability do so by sending specially crafted messages to the Windows search service. Successfully exploiting this flaw could allow an attacker to take control of the affected system. This vulnerability can potentially use the Windows Server Message Block (SMB) as an attack vector. However, unlike EternalBlue, the vulnerability is not in the SMB protocol itself.
Microsoft also included a cumulative update for Internet Explorer that addresses the following vulnerabilities:
- CVE-2017-8592: A security feature bypass vulnerability that exists when Microsoft Browsers improperly handle redirect requests. This vulnerability allows Microsoft Browsers to bypass CORS redirect restrictions and follow redirect requests that should otherwise be ignored.
- CVE-2017-8594: A remote code execution vulnerability that exists when Internet Explorer improperly accesses objects in memory. Attackers can execute arbitrary code in the context of the current user by exploiting this vulnerability, which could potentially corrupt memory.
- CVE-2017-8618: A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. Attackers exploiting this vulnerability in a web-based scenario could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Adobe also released their own set of security updates, which includes APSB17-21, which addresses critical vulnerabilities for Flash player that can allow attackers to take control of an affected system. In addition, it also released APSB17-22 for Adobe Connect, addressing the input vulnerabilities CVE-2017-3102, which could be used in reflected attacks, and CVE-2017-3103, which could be used in stored cross-site scripting attacks. It also includes a fix that protects users from CVE-2017-3101, which can be exploited for clickjacking attacks. Users are encouraged to update to version 188.8.131.52, which is the latest version of Adobe Flash Player, or version 184.108.40.206 for Edge and Internet Explorer 11.
Trend Micro’s Zero Day Initiative (ZDI) took part in the discovery of the following vulnerabilities and/or security improvements:
Trend Micro Solutions
- 1008340-Microsoft Office Remote Code Execution Vulnerability (CVE-2017-0243)
- 1008481-Microsoft Windows Security Feature Bypass Vulnerability (CVE-2017-8592)
- 1008482-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-8594)
- 1008483-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8598)
- 1008484-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8601)
- 1008485-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8605)
- 1008486-Microsoft Edge Remote Code Execution Vulnerability (CVE-2017-8617)
- 1008487-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8619)
- 1008488-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-8618)
- 1008489-Microsoft Windows Multiple Elevation Of Privilege Vulnerabilities (CVE-2017-8577, CVE-2017-8578, CVE-2017-8580)
TippingPoint customers are protected via the following MainlineDV filters:
- 29045: HTTP: Internet Explorer VarType Memory Corruption Vulnerability
- 29046: HTTP: Microsoft Internet Explorer SVG foreignObject Type Confusion Vulnerability
- 29047: HTTP: Microsoft Edge Uint8ClampedArray Type Confusion Vulnerability
- 29048: HTTP: Internet Explorer CORS Header Policy Bypass Vulnerability
- 29049: HTTP: Microsoft Edge DataView Use-After-Free Vulnerability
- 29050: HTTP: Microsoft Edge constructor Memory Corruption Vulnerability
- 29051: HTTP: Microsoft Word Memory Corruption Vulnerability
- 29054: HTTP: Microsoft Windows gdi32 Privilege Escalation Vulnerabilit
- 29055: HTTP: Microsoft Windows gdi32 Privilege Escalation Vulnerability
- 29056: HTTP: Microsoft Edge Lang Use-After-Free Vulnerability
- 29057: HTTP: Microsoft Edge ArrayBuffer Memory Corruption Vulnerability