If you miss a Patch Tuesday things begin to accumulate. March’s lineup makes this very apparent. Microsoft just released two months’ worth of updates that include 18 total bulletins (Yes, I said bulletins, we will get to that), 9 Critical \ 9 Important, a total of 136 unique CVEs, 3 Zero Days, and 12 Public Disclosures. We do get the SMB disclosure (CVE-2017-0016 in MS17-012) which was disclosed the week before February Patch Tuesday. There are also two bulletins from Adobe, and two from VMware that we will discuss.
Microsoft had been planning a few things to happen in February and I wanted to run down that list first off to see where we are at.
- SMB Public Disclosure closure: CVE-2017-0016 has been resolved as part of MS17-012. This brings a bit of closure to the vulnerability in SMB that was disclosed the week before February Patch Tuesday.
- IE Splitting out of Security Bundles: There were a few references flying around about Microsoft looking to split Internet Explorer updates out of the Security Only Bundles for Windows 7 and 8.1. They have done so! For those who are deploying the Security Only Bundle to Windows 7 and 8.1 For everything pre-Windows 10 for that matter.
- Microsoft to stop releasing Bulletins: By the fact that we have 18 new bulletins this month, I suspect Microsoft backed down from this change at least for now.
On to the Bulletins!
There are lot this month, so we are going to target the high profile ones. Each of these have Public Disclosures or Exploits in the wild (Zero Days) and make Ivanti’s Top Priority list for this month.
MS17-006 is a Cumulative Update for Internet Explorer. It is rated as Critical and resolves a total of 12 vulnerabilities including 5 Publicly Disclosed (CVE-2017-0008, CVE-2017-0037, CVE-2017-0012, CVE-2017-0033, CVE-2017-0154) and one Zero Day (CVE-2017-0149). The Zero Day is a User Targeted vulnerability that could allow the attacker to gain equal rights to the logged on user. The attacker could exploit this vulnerability by hosting specially crafted websites or taking advantage of a compromised website or user hosting user contributed content or ads.
MS17-007 is a Cumulative Update for the Edge browser. It is rated as Critical and resolves a total of 32 vulnerabilities including 5 Publicly Disclosed (CVE-2017-0065, CVE-2017-0012, CVE-2017-0033, CVE-2017-0069, CVE-2017-0037) vulnerabilities. A Zero Day is obviously the biggest risk factor for prioritizing a Bulletin, but Public Disclosures are higher risk because enough information may be available to a Threat Actor for them to build an exploit. Many of the vulnerabilities are User Targeted meaning they are perfect for Phishing attacks. Crafted web content, ads, etc. Privilege Management can also mitigate the impact of many of the vulnerabilities. Meaning the attacker only gains equal rights to the user who was exploited and would then have to escalate privileges to progress further.
MS17-013 is an update for Office, Lync, Skype, and Silverlight. It is rated as Critical and resolves a total of 12 vulnerabilities including one Publicly Disclosed (CVE-2017-0014) and one Zero Day (CVE-2017-0005) vulnerability. There are many user targeted vulnerabilities in this bulletin including a few that could utilize the Preview Pane as an attack vector.
MS17-022 is an update for Microsoft XML Core Services. It is only rated as important and resolves one vulnerability, but that happens to be a Zero Day that could allow for Information Disclosure. In this case an attacker can host a specially crafted website designed to exploit the XML vulnerability and allow the attacker to test for the presence of files on disk. From there an attacker could validate if other exploits may be possible.
There are many more Microsoft bulletins, but those are the higher priority items. Shifting gears to 3rd Parties, we have two Adobe Bulletins and two VMware Bulletins this month.
Adobe Flash Player is an expected addition to the list. In 2016 there was only one Patch Tuesday that did not include an update for Flash Player. As always it is important to note that Adobe Flash and plug-ins for IE, Chrome, and FireFox all need to be updated to completely protect against the vulnerabilities. This month’s bulletin, APSB17-07 includes fixes for 7 vulnerabilities, user targeted, and could allow an attacker to gain control of the affected system. The update is rated as Priority 1 by Adobe and makes our top priority list as well.
VMware VMSA-2017-0005 is a Critical vulnerability in VMware Workstation Fusion and Player. One vulnerability is resolved by this update. It is an out-of-bounds memory access vulnerability which could allow code execution.
There were some other releases from vendors such as FileZilla, CCleaner, and Libre Office, but no security information coming forth as of yet. Libre Office in particular was of interest since they were on the CIA Fine Dining list (part of the Vault 7 Wikileaks) as a product with a known DLL Hijack available. We are watching the list of vendors on the DLL Hijack list to see when updates are made available to protect against such attacks, but so far none to add to the list today. For more details you can check out our Vault 7 Tracker on the Ivanti blog.
As always we will have more details on the Ivanti Patch Tuesday webinar on Wednesday the 15th at 10am Central time. Talk to you then.