Last month, in reaction to the WannaCry outbreak that affected Windows users all over the world, Microsoft released a patch for Windows XP—an operating system it had stopped supporting in 2014. As part of the June Patch Tuesday cycle, Microsoft has decided to issue patches for XP and other older platforms that have reached End of Support (EOS) status. They cited the “elevated risk of cyber attacks by government organizations, sometimes referred to as nation-states” that could use the now-fixed vulnerabilities. These fixes are on top of the patches for supported versions of Windows that are also part of this month’s cycle.
This batch of updates is particularly large—96 CVEs for Windows, Internet Explorer, Microsoft Office, Skype, and the Edge browser. Out of this group, there are a couple of items that require particular attention:
- CVE-2017-8543: present in most Windows versions, this vulnerability involves the feature that handles file and printer sharing (Server Message Block, or SMB). If left unpatched on a network, it could be exploited to affect all vulnerable connected systems very rapidly.
- CVE-2017-8464: an LNK Remote Code Execution (RCE) vulnerability that allows RCE if a specially crafted shortcut is displayed.
Aside from the above, Microsoft has also identified several vulnerabilities that they presume to be under imminent attack and should be considered priority updates:
- CVE-2017-0176: This vulnerability exists if the Remote Desktop Protocol (RDP) server has Smart Card authentication enabled. It could allow an attacker to execute malicious code on the target system.
- CVE-2017-0222: If Internet Explorer improperly accesses objects in memory, the memory could be corrupted in such a way that an attacker could execute arbitrary code in the context of the current user and gain the same rights as that user.
- CVE-2017-0267 and CVE-2017-0280: The most critical of these vulnerabilities could also allow RCE if an attacker sends specially crafted packets to a Microsoft Server Message Block 1.0 (SMBv1) server.
- CVE-2017-7269: The vulnerability exists if WebDAV improperly handles objects in memory, which could allow an attacker to run arbitrary code on the user’s system.
- CVE-2017-8461: A remote code execution vulnerability exists in RPC if the server has Routing and Remote Access enabled. An attacker who successfully exploits this vulnerability could execute code on the target system.
- CVE-2017-8487: A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code.
- CVE-2017-8552: An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
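Several of the priority items above apply only when a particular service or setting is active (an SMBv1 server, RDP, Routing and Remote Access, WebDAV). The following read-only PowerShell check is an added example, not code from Microsoft or Trend Micro; it reports which of those preconditions are present on the host it runs on. The function names are this example's own, and it assumes an elevated session. It does not determine whether Smart Card authentication or WebDAV is actually enabled, only whether the hosting service is reachable.

```powershell
# Added example: read-only exposure check for preconditions named in the advisory.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $p = $item.PSObject.Properties[$Name]; if ($p) { return $p.Value } }
    return $null
}

function Test-ServiceRunning {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return [bool]($svc -and $svc.Status -eq 'Running')
}

function Test-Smb1ServerEnabled {
    # No Server service means no SMB listener at all.
    if (-not (Test-ServiceRunning 'LanmanServer')) { return $false }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool]((Get-SmbServerConfiguration).EnableSMB1Protocol)
    }
    # Older Windows: value absent means SMBv1 is on (the default); 0 means off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    return ((Get-RegValue $key 'SMB1') -ne 0)
}

function Test-RdpListening {
    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    return ((Get-RegValue $key 'fDenyTSConnections') -eq 0)
}

$checks = @(
    @{ CVE = 'CVE-2017-0267 and CVE-2017-0280'
       Condition = 'SMBv1 server enabled'
       Present = (Test-Smb1ServerEnabled) },
    @{ CVE = 'CVE-2017-0176'
       Condition = 'RDP accepting connections (Smart Card authentication not checked)'
       Present = (Test-RdpListening) },
    @{ CVE = 'CVE-2017-8461'
       Condition = 'Routing and Remote Access service running'
       Present = (Test-ServiceRunning 'RemoteAccess') },
    @{ CVE = 'CVE-2017-7269'
       Condition = 'IIS web service running (WebDAV state not checked)'
       Present = (Test-ServiceRunning 'W3SVC') }
)

# One row per precondition; Present = True marks a host to patch first.
$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Select-Object CVE, Condition, Present | Format-Table -AutoSize
```

A `False` result only means the precondition was not found on this host; the corresponding update should still be installed.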
Adobe has also issued patches for Flash Player, Shockwave Player, Captivate and Adobe Digital Editions. All of the critical vulnerabilities in the Adobe Flash Player could lead to remote code execution (APSB17-17), while the critical vulnerabilities categorized as “Memory Corruption” in the Adobe Digital Editions (APSB17-20) can also lead to remote code execution. Users are encouraged to update to the latest version of Adobe Flash Player, which is 22.214.171.124. For Edge and IE 11 users it is version 126.96.36.199.
The following discovery was disclosed by Trend Micro researchers:
Trend Micro’s Zero Day Initiative (ZDI) took part in the discovery of the following vulnerabilities and/or security improvements:
Trend Micro Solutions
The Trend Micro Deep Security and Vulnerability Protection DPI rules for this month’s Patch Tuesday are listed below. We also note that these products are supported for Windows XP and Server 2003 until 2020.
- 1008434-Microsoft Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0215)
- 1008435-Microsoft Windows LNK Remote Code Execution Vulnerability (CVE-2017-8464)
- 1008439-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8496)
- 1008440-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8497)
- 1008441-Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8509)
- 1008442-Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8510)
- 1008443-Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8524)
- 1008444-Microsoft Internet Explorer And Edge Information Disclosure Vulnerability (CVE-2017-8529)
- 1008446-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-8547)
- 1008448-Microsoft Windows Multiple Elevation Of Privilege Vulnerabilities (June-2017)
TippingPoint customers are protected via the following MainlineDV filters:
- 6291: HTTP: Internet Explorer Server Response Memory Corruption Vulnerability
- 6290: HTTP: Internet Explorer HTML Parsing Memory Corruption Vulnerability
- 10683: HTTP: Internet Explorer Memory Corruption Vulnerability
- 11241: SMB: Adobe Acrobat Reader tesselate.x3d language.engtesselate.ln File Retrieval (ZDI-11-218)
- 11242: SMB: Adobe Acrobat Reader 3difr.x3d language.eng3difr.ln File Retrieval (ZDI-11-219)
- 13164: HTTP: Microsoft Excel PtgMemFunc Read Access Violation Vulnerability
- 16650: HTTP: Adobe Flash Player Malicious File Download
- 16926: HTTP: Microsoft Windows OLE Packer Memory Corruption Vulnerability
- 21680: HTTP: Microsoft Windows win32k Privilege Escalation Vulnerability
- 22080: HTTP: Microsoft Windows win32k Palette Use-After-Free Vulnerability
- 22081: HTTP: Microsoft Windows gpuenergydrv.sys Buffer Overflow Vulnerability
- 24957: HTTP: Microsoft Windows PDF Library AES Encryption Out-Of-Bounds Read Information (ZDI-16-369)
- 27643: HTTP: Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow Vulnerability (ExplodingCan)
- 27931: SMB: Microsoft Windows SMBv1 Information Disclosure Vulnerability (EternalRomance)
- 28193: HTTP: Microsoft Edge Chakra DataView Type Confusion Vulnerability (ZDI-17-371)
- 28543: ZDI-CAN-4719: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 28544: ZDI-CAN-4729: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 28545: HTTP: Microsoft Office EPS Use-After-Free Vulnerability
- 28546: ZDI-CAN-4730: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 28547: ZDI-CAN-4731: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 28548: ZDI-CAN-4732: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
- 28611: HTTP: Microsoft Internet Explorer ArrayBuffer Buffer Overflow Vulnerability
- 28613: HTTP: Microsoft Edge clip-path Use-After-Free Vulnerability
- 28614: HTTP: Microsoft Windows Explorer LNK File Code Execution Vulnerability
- 28615: HTTP: Microsoft Edge caretPositionFromPoint Type Confusion Vulnerability
- 28616: HTTP: Microsoft Windows Cursor Privilege Escalation Vulnerability
- 28618: HTTP: Microsoft Windows Cursor Privilege Escalation Vulnerability
- 28619: HTTP: Microsoft Word Use-After-Free Vulnerability
- 28620: HTTP: Microsoft Windows Cursor Privilege Escalation Vulnerability
- 28621: HTTP: Microsoft Word RTF Type Confusion Vulnerability
- 28622: HTTP: Microsoft Edge defineSetter Type Confusion Vulnerability
- 28628: HTTP: Microsoft Device Guard Workflow Security Bypass Vulnerability
- 28629: SMB: Microsoft Windows Search Service Memory Corruption Vulnerability