March 2017 Patch Tuesday
Welcome to the March Patch Tuesday update. Sorry for the delayed response. It took our labs some time to get through all the testing and release of 8 MTIS reports. I knew we would pay the price for missing last month, as this month Microsoft released a total of Eighteen (18) new security bulletins, including one for Adobe Flash. For this month, Nine (9) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Nine (9) are rated Important.
New format update: It looks like this month MS decided to stay with the existing way they have been doing patch updates. We’ll see how long that continues going forward; stay tuned.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS17-006 (CVE-2017-0008, 0009, 0012, 0018, 0033, 0037, 0040, 0049, 0059, 0130, and 0149)
The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS17-007 (CVE-2017-0009, 0010, 0011, 0012, 0015, 0017, 0023, 0032, 0033, 0034, 0035, 0037, 0046, 0065, 0066, 0067, 0068, 0069, 0070, 0071, 0094, 0131, 0132, 0133, 0134, 0135, 0136, 0137, 0138, 0140, 0141, 0150, 0151, and 0152)
The update addresses the vulnerabilities by modifying how Microsoft Edge handles objects in memory.
MS17-008 (CVE-2017-0021, 0051, 0074, 0075, 0076, 0095, 0096, 0097, 0098, 0099, and 0109)
The security update addresses the vulnerabilities by correcting how Hyper-V validates guest operating system user input.
MS17-009 (CVE-2017-0023)
The security update addresses the vulnerability by correcting how affected systems handle objects in memory.
MS17-010 (CVE-2017-0143 thru 0148)
The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.
MS17-011 (CVE-2017-0072, 0083 thru 0092, and 0111 thru 0128)
The security update addresses these vulnerabilities by correcting how Windows Uniscribe handles objects in memory.
MS17-012 (CVE-2017-0007, 0016, 0039, 0057, 0100, and 0104)
The security update addresses the vulnerabilities by:
· Correcting how Device Guard validates certain elements of signed PowerShell scripts.
· Correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
· Correcting how Windows validates input before loading DLL files.
· Modifying how Windows dnsclient handles requests.
· Correcting how Windows enforces RunAs permissions when registering DCOM objects.
· Modifying how the iSNS Server service parses requests.
MS17-013 (CVE-2017-0001, 0005, 0014, 0025, 0038, 0047, 0060, 0061, 0062, 0063, 0073, and 0108)
The security update addresses the vulnerabilities by correcting how Windows handles objects in memory.
MS17-014 (CVE-2017-0006, 0019, 0020, 0027, 0029, 0030, 0031, 0052, 0053, 0105, 0107, and 0129)
The security update addresses the vulnerabilities by:
· Correcting how Office handles objects in memory
· Changing the way certain functions handle objects in memory
· Properly initializing the affected variable
· Helping to ensure that SharePoint Server properly sanitizes web requests
· Correcting how the Lync for Mac 2011 client validates certificates
The security update addresses the vulnerabilities by correcting how Microsoft Exchange validates web requests.
The security update addresses the vulnerability by modifying the way that Microsoft IIS Server sanitizes web requests.
MS17-017 (CVE-2017-0050, 0101, 0102, and 0103)
The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly enforces permissions.
MS17-018 (CVE-2017-0024, 0026, 0056, 0078, 0079, 0080, 0081, and 0082)
The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
The update addresses the vulnerability by adding additional verification checks in ADFS.
The security update addresses the vulnerability by correcting how Windows DVD Maker parses files.
The security update addresses the vulnerability by correcting how Windows DirectShow handles objects in memory.
The update addresses the vulnerability by changing the way MSXML handles objects in memory.
This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.