Hyper-V guest escape, drive-by PDF pwnage, Office holes, SMB flaws – and more now patched

Secure programming is hard, kids

Patch Tuesday After taking a month off, Microsoft's Patch Tuesday is back – and it's a blockbuster edition. There are 18 bundles of patches covering 140 separate security vulnerabilities.

These flaws range from a hypervisor escape in Hyper-V, remote-code execution via PDF and Office files and malicious SMB traffic, to the usual barrage of information leaks and privilege escalations.

This follows Microsoft postponing its February Patch Tuesday due to problems within its build system: Microsoft is consolidating more and more of its Windows code – from Server and client to mobile – into one source base, dubbed OneCore. Issuing security patches from that code base last month proved problematic enough to delay their distribution, El Reg understands.

An SMB link-of-death bug disclosed before February's Patch Tuesday was patched by a third-party security vendor – and now Redmond has its official patch out, and so sysadmins can get their fix from the horse's mouth.

We've got a full rundown of this month's security fixes – make sure you install them ASAP before miscreants start exploiting them in the wild:

  • MS17-006 This fixes 12 CVE-listed flaws in Internet Explorer. The bulk deal with memory corruption issues, but the worst would allow a remote code execution attack when an IE user visited a malicious website. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," said Microsoft, which is super bad if the user is an administrator.
  • MS17-007 Microsoft's other browser, Edge, was supposed to be lighter weight and more secure, but this bundle resolves a whopping 32 vulnerabilities. "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge," said Redmond. "An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
  • MS17-008 Hyper-V gets an 11-fix bundle this month, the worst being a hypervisor escape from guest to host. Gulp. Microsoft warns "an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code." However, if you're not running the Hyper-V hypervisor then you're safe from this kind of attack.
  • MS17-009 This patch contains a single critical fix for the Windows PDF library. The internet is full of dodgy PDFs, and reading one using Windows 8 or above or any version of Windows Server from 2012 on could allow remote code execution. Windows 7 systems aren't affected by this issue. Opening a PDF booby-trapped with malicious code on a vulnerable machine will cause that code to run; if you open a page on Windows 10 with Edge, with a bad PDF embedded, you'll be potentially owned immediately. Here's the skinny from Microsoft:

    A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    To exploit the vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains malicious PDF content and then convince users to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites.

  • MS17-010 Windows SMB Server gets 6 vulnerabilities patched. In the worst case, a specially built Server Message Block (SMB) 1.0 packet can inject malicious code into a server on the network, and run that code. Microsoft admitted: "Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server."
  • MS17-011 Based on this patch update, Uniscribe is a mess. Redmond included 29 fixes in this bundle going all the way back to Windows Vista. The bulk cover information disclosure problems, but there are a handful of remote code execution flaws that allow code execution but not privilege escalation.
  • MS17-012 Windows only gets six bugfixes, but they are critical ones, including for the SMB link-of-death vulnerability as well as code injection and execution. There are patches here for all versions of Windows going back to Vista, and the worst of them could "allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server."
  • MS17-013 The last of the so-called critical patches contains a dozen fixes for the Microsoft Graphics Component used in Office, Skype, Lync, and Silverlight. Visiting the wrong website or opening a malware-ridden document could completely pwn your system without this patch, and everyone back to Windows Vista is vulnerable. This includes a fix for CVE-2017-0005, in the Windows GDI, that is explained in-depth here. This was under active attack by the Zirconium hacker gang against systems running Windows 2000 to Windows 8.
  • MS17-014 The first of the important (arguably still critical) patches covers 12 flaws in Office. Some of these go back to Office 2007 (including Mac versions), and can be exploited by a dodgy Word or Excel file to run code on a system when opened.
  • MS17-015 Microsoft Exchange Server 2013 and 2016 get a single bugfix, but it's a doozy. A link within an email could exploit a vulnerability in Outlook Web Access to run code on a vulnerable system.
  • MS17-016 Microsoft Internet Information Services gets a long-term issue going back to Windows Vista resolved. This would allow an attacker to monitor a user's web sessions.
  • MS17-017 Redmond's kernel gets four fixes and all versions of the operating system are affected. While none of them would allow a crook to break into a system, they would all allow someone already in to elevate their status to admin level by fooling the Transaction Manager or instigating buffer overruns.
  • MS17-018 Kernel-mode drivers also need an upgrade, with eight flaws resolved, going back to Vista. Again, memory problems are to blame and can give a logged-in attacker admin privileges to ransack an infected PC.
  • MS17-019 This fixes a single hole in Active Directory Federation Services that is for server-side-only operating systems. Unpatched versions of Server 2008 and above would allow a hacker to read information on the system.
  • MS17-020 Fans of retro storage media who are using Windows DVD Maker will need to patch this single vulnerability for the Vista and Windows 7 builds. It's not a critical flaw, but would allow an attacker to scan a vulnerable system for information-gathering purposes.
  • MS17-021 Windows DirectShow gets a fix for a flaw affecting all client and server operating systems since Vista. Again, it's an information gathering bug that can be exploited by code hidden in a website's media display engine.
  • MS17-022 Microsoft XML Core Services also gets a single fix for a problem spread by social engineering. Clicking on the wrong link could cause information leakage to a cunning criminal using this vulnerability.
  • MS17-023 It wouldn't be a Patch Tuesday without a critical hole in Adobe's Flash Player, and this month is no exception. Windows 8.1 machines and those with more recent operating systems will need this update to patch the Adobe Flash libraries built into IE 10, IE 11 and Edge; without it, those browsers are unsafe.
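The MS17-010 entry above concerns the SMBv1 server component, which Microsoft recommends disabling wherever it isn't needed, in addition to installing the patch. The following PowerShell is an added example, not from the article or from Microsoft: it reports whether the SMBv1 server is still enabled on the local host and offers a separate, opt-in function to turn it off. The function names `Get-Smb1Exposure` and `Disable-Smb1Server` are this example's own; the cmdlets they call (`Get-SmbServerConfiguration`, `Set-SmbServerConfiguration`, `Get-WindowsOptionalFeature`) are standard Windows ones available on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the article): audit the SMBv1 server exposure
# that MS17-010 patches, so an admin can confirm the protocol is off on
# hosts that don't need it. Requires an elevated PowerShell session.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $null   # $true means the vulnerable component is listening
        Smb1FeatureState  = $null   # Windows 8.1 / 2012 R2+: optional-feature state
    }

    # Server-side SMBv1 switch (present on Windows 8 / Server 2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) {
        $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
    }

    # On newer builds SMBv1 is also an optional feature that can be removed outright.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) {
        $result.Smb1FeatureState = $feat.State.ToString()
    }

    [pscustomobject]$result
}

# Opt-in hardening step: disable the SMBv1 server protocol. Supports -WhatIf
# so it can be dry-run before being applied fleet-wide.
function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage: report the current state, then (optionally) remediate.
Get-Smb1Exposure | Format-List
# Disable-Smb1Server -WhatIf   # remove -WhatIf to apply
```

Disabling SMBv1 breaks clients that only speak that dialect (very old Windows releases and some appliances), so run the audit first and apply the change after the patch, not instead of it.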

Adobe has also released its own patches, one Windows-only and the other hitting users of Macintosh, Linux and Chrome OS as well.

  • APSB17-07 This is the big one for all Flash users, pretty much whatever your operating system if you're running version 24.0.0.221 and earlier. The patch fixes memory and buffer overflow issues that would allow remote code execution and others that cause information leakage.
  • APSB17-08 This fix is for Windows users only using version 12.2.7.197 and earlier of Shockwave. It's not a critical flaw, but would allow escalation of privileges.

As ever with all of these, get your patching done early – the bad hombres won't wait. ®
