Hi Everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for March 14, 2017.

 

Welcome to the March Patch Tuesday update. I knew we would pay the price for missing last month, as this month Microsoft released a total of eighteen (18) new security bulletins, including one for Adobe Flash. For this month, nine (9) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining nine (9) are rated Important.

 

New format update: It looks like this month MS decided to stay with the existing way they have been doing patch updates. We’ll see how long that continues going forward; stay tuned.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

  This month’s patches include the following:

| Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS17-006 | 4013073 | Security Update for Microsoft Internet Explorer | Critical | Memory Corruption; Information Disclosure; Spoofing | MTIS17-007 | Covered Products: BOP, HIPS, NSP, Vulnerability Manager, Application Control. Under Analysis: DAT, Web Gateway. |
| MS17-007 | 4013071, 4010319 | Security Update for Microsoft Edge | Critical | Memory Corruption; Information Disclosure; Spoofing; Security Feature Bypass | MTIS17-007, MTIS17-008 | Covered Products: NSP, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Enterprise Firewall. |
| MS17-008 | 4013082 | Security Update for Windows Hyper-V | Critical | Remote Code Execution; Information Disclosure; Denial of Service | MTIS17-009 | Covered Products: Application Control, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-009 | 4010319 | Security Update for Windows PDF Library | Critical | Memory Corruption | MTIS17-009 | Covered Products: NSP, BOP, HIPS, Application Control, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-010 | 4013389 | Security Update for Windows SMB Server | Critical | Remote Code Execution; Information Disclosure | MTIS17-009 | Covered Products: NSP, Application Control, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-011 | 4013076 | Security Update for Microsoft Uniscribe | Critical | Remote Code Execution; Information Disclosure | MTIS17-009, MTIS17-010 | Covered Products: NSP, BOP, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS17-012 | 4013078 | Security Update for Microsoft Windows | Critical | Memory Corruption; Elevation of Privileges; Information Disclosure; Remote Code Execution; Security Feature Bypass; Denial of Service | MTIS17-011 | Covered Products: NSP, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS17-013 | 4013075 | Security Update for Microsoft Graphics Components | Critical | Remote Code Execution; Elevation of Privileges; Information Disclosure | MTIS17-011 | Covered Products: NSP, HIPS, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS17-014 | 4013241 | Security Update for Microsoft Office | Important | Memory Corruption; Denial of Service; SharePoint XSS; Mac Certificate Validation | MTIS17-012 | Covered Products: NSP, BOP, HIPS, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS17-015 | 4013242 | Security Update for Microsoft Exchange Server | Important | Elevation of Privileges | MTIS17-012 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-016 | 4013074 | Security Update for Internet Information Services | Important | Elevation of Privileges | MTIS17-012 | Covered Products: NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-017 | 4013081 | Security Update for Windows Kernel | Important | Elevation of Privileges | MTIS17-012 | Covered Products: NSP, HIPS, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-018 | 4010320 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privileges | MTIS17-013 | Covered Products: Host IPS, NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-019 | 4010320 | Security Update for Active Directory Federation Services | Important | Information Disclosure | MTIS17-013 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-020 | 3208223 | Security Update for Windows DVD Maker | Important | Cross-Site Request Forgery | MTIS17-013 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-021 | 4010318 | Security Update for DirectShow | Important | Information Disclosure | MTIS17-013 | Covered Products: NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-022 | 4010321 | Security Update for Microsoft XML Core Services | Important | Information Disclosure | MTIS17-013 | Covered Products: DAT, NSP, Host IPS, Web Gateway, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS17-023 | 4014329 | Security Update for Adobe Flash Player | Critical | Security Update | N/A | N/A |

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS17-006 (CVE-2017-0008, 0009, 0012, 0018, 0033, 0037, 0040, 0049, 0059, 0130, and 0149)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS17-007 (CVE-2017-0009, 0010, 0011, 0012, 0015, 0017, 0023, 0032, 0033, 0034, 0035, 0037, 0046, 0065, 0066, 0067, 0068, 0069, 0070, 0071, 0094, 0131, 0132, 0133, 0134, 0135, 0136, 0137, 0138, 0140, 0141, 0150, 0151, and 0152)
These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by modifying how Microsoft Edge handles objects in memory.

MS17-008 (CVE-2017-0021, 0051, 0074, 0075, 0076, 0095, 0096, 0097, 0098, 0099, and 0109)
The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

The security update addresses the vulnerabilities by correcting how Hyper-V validates guest operating system user input.

MS17-009 (CVE-2017-0023)
The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document.

The security update addresses the vulnerability by correcting how affected systems handle objects in memory.

 

MS17-010 (CVE-2017-0143 thru 0148)
The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Windows SMBv1 server.

The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

 

MS17-011 (CVE-2017-0072, 0083 thru 0092, and 0111 thru 0128)
The most severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses these vulnerabilities by correcting how Windows Uniscribe handles objects in memory.

 

MS17-012 (CVE-2017-0007, 0016, 0039, 0057, 0100, and 0104)
The most severe of the vulnerabilities could allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server.

The security update addresses the vulnerabilities by:

  • Correcting how Device Guard validates certain elements of signed PowerShell scripts.
  • Correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
  • Correcting how Windows validates input before loading DLL files.
  • Modifying how Windows dnsclient handles requests.
  • Correcting how Windows enforces RunAs permissions when registering DCOM objects.
  • Modifying how the iSNS Server service parses requests.

 

MS17-013 (CVE-2017-0001, 0005, 0014, 0025, 0038, 0047, 0060, 0061, 0062, 0063, 0073, and 0108)
The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how Windows handles objects in memory.

 

MS17-014 (CVE-2017-0006, 0019, 0020, 0027, 0029, 0030, 0031, 0052, 0053, 0105, 0107, and 0129)
The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by:

  • Correcting how Office handles objects in memory
  • Changing the way certain functions handle objects in memory
  • Properly initializing the affected variable
  • Helping to ensure that SharePoint Server properly sanitizes web requests
  • Correcting how the Lync for Mac 2011 client validates certificates

 

MS17-015 (CVE-2017-0110)
This security update resolves a vulnerability in Microsoft Exchange Outlook Web Access (OWA). The most severe of the vulnerabilities could allow remote code execution in Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

The security update addresses the vulnerabilities by correcting how Microsoft Exchange validates web requests.

 

MS17-016 (CVE-2017-0055)
The vulnerability could allow elevation of privilege if a user clicks a specially crafted URL which is hosted by an affected Microsoft IIS Server. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user’s browser to obtain information from web sessions.

The security update addresses the vulnerability by modifying the way that Microsoft IIS Server sanitizes web requests.

 

MS17-017 (CVE-2017-0050, 0101, 0102, and 0103)
These vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.

The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly enforces permissions.

 

MS17-018 (CVE-2017-0024, 0026, 0056, 0078, 0079, 0080, 0081, and 0082)
The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

 

MS17-019 (CVE-2017-0043)
The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.

The update addresses the vulnerability by adding additional verification checks in ADFS.

 

MS17-020 (CVE-2017-0045)
The vulnerability could allow an attacker to obtain information to further compromise a target system. This security update is rated Important for Windows Vista and Windows 7.

The security update addresses the vulnerability by correcting how Windows DVD Maker parses files.

 

MS17-021 (CVE-2017-0042)
The vulnerability could allow an information disclosure if Windows DirectShow opens specially crafted media content that is hosted on a malicious website. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system.

The security update addresses the vulnerability by correcting how Windows DirectShow handles objects in memory.

 

MS17-022 (CVE-2017-0022)
The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

The update addresses the vulnerability by changing the way MSXML handles objects in memory.

 

MS17-023 (2017-8633)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

 

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for March 2017 at the Microsoft site.

 

Safe Computing!

Thank you,

  Kelly Housman