Patch Tuesday

Earlier today, Microsoft officially released its monthly updates, something that sysadmins all over the world call Patch Tuesday.

This month's updates train includes security and non-security updates, for the company's main operating systems, but also for products such as Internet Explorer, Microsoft Edge, the .NET Framework, and various Office suite apps.

Highlights:

  • Microsoft patches 3 zero-days detected in live attacks
  • No more support in Edge and IE for SSL/TLS certs signed with SHA1
  • A bunch of .NET Framework fixes
  • As usual, Adobe's Flash Player fixes are included as well

Last month, in April, Microsoft ditched the classic Security Bulletin format for a new interactive table called the Security Update Guide.

Most people hate this new format since information about crucial updates is now scattered across tens of pages. Nonetheless, most administrators will have to learn to navigate this new tool, as it's the only way Microsoft plans to release details update security updates in the future.

Below is a summary of all the major security updates from Microsoft's May 2017 Patch Tuesday.

Security Updates

KB4018271 - Cumulative security update for Internet Explorer

Includes fixes for:

CVE-2017-0064 - A security feature bypass vulnerability exists in Internet Explorer that allows for bypassing Mixed Content warnings. This could allow for the loading of unsecure content (HTTP) from secure locations (HTTPS). The security update addresses the security feature bypass by correcting how Internet Explorer handles mixed content.

CVE-2017-0222 - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2017-0226 - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2017-0228 -  A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2017-0231 - A spoofing vulnerability exists when Microsoft browsers render SmartScreen Filter. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could then either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.

CVE-2017-0238 - A remote code execution vulnerability exists in the way JavaScript scripting engines handle objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

KB4019213 - Security-only update for Windows 8.1 and Windows Server 2012 R2

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See Advisory 4010323 for more information.

  • Security updates to Microsoft Graphics Component, Microsoft Windows DNS, Windows COM, Windows Server and Windows kernel.

KB4019216 - Security-only update for Windows Server 2012

No information published.

KB4019263 - Security-only update for Windows 7 and Windows Server 2008 R2

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11 . See Advisory 4010323 for more information.

  • Security updates to Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.

KB4019108 - Security-only update for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2

Security-only update for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1.

This security update for the Microsoft .NET Framework resolves a security feature bypass vulnerability in which the .NET Framework (and the .NET Core) components don't completely validate certificates. To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0248.

KB4019109 - Security-only update for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6

Security-only update for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Server 2008 Service Pack 2.

This security update for the Microsoft .NET Framework resolves a security feature bypass vulnerability in which the .NET Framework (and the .NET Core) components don't completely validate certificates. To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0248.

KB4019110 - Security-only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2

Security-only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows Server 2012.

This security update for the Microsoft .NET Framework resolves a security feature bypass vulnerability in which the .NET Framework (and the .NET Core) components don't completely validate certificates. To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0248.

KB4019111 - Security-only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2

Security-only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 8.1 and Windows Server 2012 R2.

This security update for the Microsoft .NET Framework resolves a security feature bypass vulnerability in which the .NET Framework (and the .NET Core) components don't completely validate certificates. To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0248.

Important bug fixes

CVE-2017-0261 - Microsoft Office Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Microsoft Office that could be exploited when a user opens a file containing a malformed graphics image or when a user inserts a malformed graphics image into an Office file. Such a file could also be included in an email attachment. An attacker could exploit the vulnerability by constructing a specially crafted EPS file that could allow remote code execution. An attacker who successfully exploited this vulnerability could take control of the affected system.

This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker could host a specially crafted website containing an Office file that is designed to exploit the vulnerability, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

Workstations and terminal servers that have Microsoft Office installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

When this fix is published, Microsoft had received reports of limited targeted attacks using this vulnerability.

Fixed via KB3118310, KB3172458, and KB3114375.

Affects: Microsoft Office 2010, 2013, and 2016.

CVE-2017-0262 - Microsoft Office Remote Code Execution Vulnerability

Description identical to CVE-2017-0261, above.

Fixed via KB3118310, KB3172458, and KB3114375.

Affects: Microsoft Office 2010, 2013, and 2016.

When this fix is published, Microsoft had received reports of limited targeted attacks using this vulnerability.

CVE-2017-0263 - Win32k Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.

Fixed in KB4019263 and KB4019213.

Microsoft says this issue was exploited in the wild.

CVE-2017-0222 - Internet Explorer Memory Corruption Vulnerability

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or instant message, or by getting them to open an attachment sent through email.

The update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.

Fixed via KB4018271.

Microsoft says this issue was exploited in the wild.

CVE-2017-0290 - Microsoft Malware Protection Engine Remote Code Execution Vulnerability

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption.

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.

If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited.  All systems running an affected version of antimalware software are primarily at risk. The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security advisory was originally issued.

The issue was addressed yesterday, in an out-of-band update prior to the Patch Tuesday release train.

The article was updated on March 10 to include details about a fourth zero-day.