July's Microsoft Patch Tuesday

Published: 2017-07-11
Last Updated: 2017-07-12 00:18:52 UTC
by Renato Marinho (Version: 1)
2 comment(s)

Today's Microsoft Patch Tuesday fixes critical and important flaws that, if exploited, could give an attacker a range of possibilities - from privilege escalation to remote code execution (RCE) - on different Windows OS and Microsoft Office versions.

One that caught my attention was the RCE affecting the Windows Search service [1]: it may allow an unauthenticated attacker to take control of the target system over an SMB connection, giving them the ability to install programs; view, change, or delete data; or create new accounts with full user rights.

According to the Microsoft advisories, most of the vulnerabilities were privately disclosed and there is no exploit available [yet] for the most critical ones. Either way, make sure to proceed with the updates – the recent WannaCry and NotPetya outbreaks showed us that leaving critical vulnerabilities unpatched in enterprise Microsoft environments is not a healthy policy, especially when they enable lateral movement.

I’ve summarized the flaws I consider most important in the list below, with the associated CVE, CVSS base score and advisory URL. Before I forget: besides the Microsoft vulnerabilities, there is an important Flash Player update [2].


CVE-2017-8590 | Windows CLFS Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory.

In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control of the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

The update addresses the vulnerability by correcting how CLFS handles objects in memory.

Note: The Common Log File System (CLFS) is a high-performance, general-purpose log file subsystem that dedicated client applications can use and multiple clients can share to optimize log access.

CVE: CVE-2017-8590
CVSS base: 8.8
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8590

CVE-2017-8589 | Windows Search Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.

The security update addresses the vulnerability by correcting how Windows Search handles objects in memory.

CVE: CVE-2017-8589
CVSS base: 8.1
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589


CVE-2017-8563 | Windows Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.

In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information.

CVE: CVE-2017-8563
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

CVE-2017-8565 | Windows PowerShell Remote Code Execution Vulnerability

A remote code execution vulnerability exists in PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.

In an attack scenario, an attacker could execute malicious code in a PowerShell remote session.

The update addresses the vulnerability by correcting how PowerShell deserializes user supplied scripts.

CVE: CVE-2017-8565
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8565

CVE-2017-8495 | Kerberos SNAME Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. An attacker who successfully exploited this vulnerability could use it to bypass Extended Protection for Authentication.

To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MITM) attack against the traffic passing between a client and the server.

The update addresses this vulnerability by adding integrity protection to the SNAME field.

CVE: CVE-2017-8495
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8495

CVE-2017-8588 | WordPad Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted files.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

The update addresses the vulnerability by correcting the way that Microsoft WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft WordPad will leverage to resolve the identified issue.

CVE: CVE-2017-8588
CVSS base: 6.7
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8588

CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Windows Explorer improperly handles executable files and shares during rename operations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another user. Users not running as administrators would be less affected.

To exploit this vulnerability, an attacker would first share both a folder and malware named with an executable extension, and then trick the user into thinking that the malware was the folder. The attacker could not force the user to open or browse the share but could use email or instant messages to trick them into doing so.

The update addresses the vulnerability by correcting how Windows Explorer handles executable files and shares during rename operations.

CVE: CVE-2017-8463
CVSS base: 6.3
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8463

ADV170009 | July Flash Security Update

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB17-21: CVE-2017-3099, CVE-2017-3080, CVE-2017-3100.

Severity: Critical

Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170009
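As an added example (not code from this diary, from ISC or from Microsoft), the following PowerShell function turns the entries above into a quick per-host posture check a defender can run before and after patching. It assumes an elevated PowerShell 5.1 session on the host being checked. Because the diary does not list KB numbers, patch state is judged only by whether any update was installed on or after the 11 July 2017 release date; the Windows Search service name (WSearch), the SMB port, the "File and Printer Sharing" firewall group and the NTLM audit registry value are standard Windows identifiers, not values from the page.

```powershell
# Added example, not the diary's or Microsoft's own code.
# Assumes: elevated PowerShell 5.1 on the Windows host being checked.
function Get-JulyPatchTuesdayPosture {
    [CmdletBinding()]
    param(
        # Release date taken from the diary; no KB numbers are available on the page.
        [datetime] $PatchTuesday = (Get-Date -Year 2017 -Month 7 -Day 11)
    )

    # 1. Patch state: newest installed update compared with the release date.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $patched = [bool]($latest -and $latest.InstalledOn.Date -ge $PatchTuesday.Date)

    # 2. CVE-2017-8589 exposure: state of the Windows Search service (WSearch).
    $search = Get-Service -Name WSearch -ErrorAction SilentlyContinue

    # 3. Remote trigger path named in the advisory: SMB listening on TCP/445 and
    #    enabled inbound File and Printer Sharing firewall rules.
    $smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    $fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # 4. CVE-2017-8563 context: is incoming NTLM traffic audited, so that a
    #    Kerberos-to-NTLM fallback is at least visible in the Security log?
    #    0 or missing = off, 1 = audit domain accounts, 2 = audit all accounts.
    $lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlmAudit = (Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic

    $recommendation =
        if (-not $patched -and $search -and $search.Status -eq 'Running' -and $smbListening) {
            'Unpatched, Windows Search running and SMB reachable: prioritise this host'
        } elseif (-not $patched) {
            'Apply the July 2017 updates'
        } else {
            'Updated since release; confirm the specific KB against your baseline'
        }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        LatestUpdate        = if ($latest) { $latest.HotFixID } else { 'none' }
        LatestUpdateDate    = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { $null }
        UpdatedSinceRelease = $patched
        WSearchStatus       = if ($search) { "$($search.Status)/$($search.StartType)" } else { 'not installed' }
        SmbListening        = $smbListening
        InboundFpsRules     = @($fpsRules).Count
        NtlmAuditIncoming   = $ntlmAudit
        Recommendation      = $recommendation
    }
}

# Usage: run locally, or wrap in Invoke-Command -ComputerName ... to sweep a fleet.
Get-JulyPatchTuesdayPosture | Format-List
```

The object output is deliberate: piping the results from many hosts into Export-Csv gives a prioritisation list in which unpatched machines that still run Windows Search with SMB reachable sort to the top. Treat the NTLM audit value as a visibility check only; enabling it does not mitigate CVE-2017-8563, it just makes fallback authentication observable while the update is rolled out.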


References

[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170009

--
Renato Marinho
Morphus Labs
