Today's Microsoft Patch Tuesday fixes critical and important flaws that, if exploited, could give an attacker a range of possibilities - from privilege escalation to remote code execution (RCE) - on different Windows OS and Microsoft Office versions.

One that caught my attention was the RCE which affects the Windows Search service [1] and may allow an unauthenticated attacker to take control over the target system through a SMB connection giving him the possibility to install programs, view, change or delete data or create new accounts with full user rights.

According to Microsoft Advisories, most of the vulnerabilities were privately disclosed and there is no exploit available [yet] for the most critical ones. In either case, make sure to proceed with the updates – the recent Wannacry and NotPetya outbreaks told us that maintaining critical vulnerabilities on enterprise Microsoft environments is not a healthy policy, especially when it may allow lateral movement.

I’ve summarized the flaws that I consider more important on the list below with the associated CVE, CVSS base score and advisory URLs. Before I forget, besides Microsoft vulnerabilities, there is an important Flash Player update [2].

 

CVE-2017-8590 | Windows CLFS Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory.

In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control of the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

The update addresses the vulnerability by correcting how CLFS handles objects in memory.

Note: The Common Log File System (CLFS) is a high-performance, general-purpose log file subsystem that dedicated client applications can use and multiple clients can share to optimize log access.

CVSS base: 8.8
CVE: CVE-2017-8590
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8590

—

CVE-2017-8589 | Windows Search Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.

The security update addresses the vulnerability by correcting how Windows Search handles objects in memory.

CVSS base: 8.1
CVE: CVE-2017-8589
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589

--

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.

In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information.

CVE: CVE-2017-8563
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

—

CVE-2017-8565 | Windows PowerShell Remote Code Execution Vulnerability

A remote code execution vulnerability exists in PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.

In an attack scenario, an attacker could execute malicious code in a PowerShell remote session.

The update addresses the vulnerability by correcting how PowerShell deserializes user supplied scripts.

CVE: CVE-2017-8565
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8565

—

CVE-2017-8495 | Kerberos SNAME Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. An attacker who successfully exploited this vulnerability could use it to bypass Extended Protection for Authentication.

To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between a client and the server.

The update addresses this vulnerability by adding integrity protection to the SNAME field.

CVE: CVE-2017-8495
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8495

—

CVE-2017-8588 | WordPad Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted files.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

The update addresses the vulnerability by correcting the way that Microsoft WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft WordPad will leverage to resolve the identified issue.

CVE: CVE-2017-8588
CVSS base: 6.7
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8588

—

CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Windows Explorer improperly handles executable files and shares during rename operations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another user. Users not running as administrators would be less affected.

To exploit this vulnerability, an attacker would first share both a folder and malware named with an executable extension, and then trick the user into thinking that the malware was the folder. The attacker could not force the user to open or browse the share but could use email or instant messages to trick them into doing so.

The update addresses the vulnerability by correcting how Windows Explorer handles executable files and shares during rename operations.

CVE: CVE-2017-8463
CVSS base: 6.3
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8463

—

ADV170009 | July Flash Security Update

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB17-21: CVE-2017-3099, CVE-2017-3080, CVE-2017-3100

Severity: Critical

Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170009

 

References

[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170009

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter