It's 2017... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too
But at least there's no Flash update (not this week, anyway)
Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether.
Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to infect vulnerable machines. That flaw, CVE-2017-11826, is leveraged when a booby-trapped Microsoft Office document is opened, allowing malicious code within it to run with the same rights as the logged-in user, and should be considered a top priority to patch.
Dustin Childs, of Trend Micro's Zero Day Initiative, noted today that users and administrators should also pay special attention to Microsoft's ADV170012, an advisory warning of weak cryptographic keys generated by Trusted Platform Modules (TPMs) on Infineon motherboards.
Essentially, you should install Microsoft's patch, which will generate new and stronger RSA keys in software as required, and next check to see if you should apply a firmware fix from Infineon.
Computers from HP Inc, Acer, Fujitsu, and others – even Chromebooks – as well as any hand-built machines using the blighted hardware, are affected by Infineon's TPM chipset bug. The flaw is not limited to Microsoft Windows: it affects all operating systems using the dodgy TPM. If you use BitLocker, biometric authentication, or similar, on the at-risk hardware, on Windows, you should sit up and read the following, though.
According to Microsoft:
This vulnerability is present in a specific vendor’s TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 1.2 and 2.0, not in the TPM standard or in Microsoft Windows. Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system).
Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys. Even after the operating system and/or TPM firmware updates are installed, you will need to carry out additional remediation steps to force regeneration of previously created weak TPM keys, depending on the applicable services you are running and on your particular use-cases.
"While this doesn’t have the same broad attack surface as a vulnerability in a web browser, anyone who can [exploit the TPM bug] is likely a sophisticated and determined attacker," Childs said.
"While that remains unlikely, system administrators must take this critical-rated threat seriously."
Aside from the actively exploited Office flaw, the two other publicly disclosed but not yet targeted in the wild vulnerabilities are CVE-2017-11777, a cross-site scripting flaw in SharePoint Server, and CVE-2017-8703, an object handling error in the Windows Subsystem for Linux that would let a malicious app crash the machine.
A pair of flaws in the Windows font library, CVE-2017-11762 and CVE-2017-11763, can allow a web page or document execute malicious code on a vulnerable computer: visiting a website or opening a file with a specially crafted embedded font can cause malware within the font data to run and hijack the PC.
The scripting engine in Internet Explorer and Edge has 19 flaws that could allow webpages to achieve remote-code execution, with the logged-on user's permissions, via memory corruption (CVE-2017-11792, CVE-2017-11793, and CVE-2017-11796, for example). Opening a webpage on a vulnerable computer can potentially trigger the execution of malware, spyware, ransomware, and other software nasties. The Windows Shell was found to contain two remote code execution flaws, CVE-2017-11819 and CVE-2017-8727, that can be targeted through Redmond's browsers: a dodgy webpage can attack Microsoft's text-handling code to potentially run malware.
Qualys analyst Jimmy Graham noted that this patch load is the fourth consecutive release to address a remote code execution bug in Windows Search, the latest being CVE-2017-11771. The flaw can be leveraged by firing specially crafted messages over the network to the machine's Windows Search service, injecting potentially evil code into the machine to run.
"As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations," said Graham.
"While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya."
Elsewhere in the patch load was CVE-2017-11779, a remote code execution bug in the Windows DNS client that could be exploited by accidentally connecting to a malicious DNS server: more technical details on that can be found here. There's also flaw in Windows TRIE (CVE-2017-11769) that lets DLL files achieve remote code execution, and a programming blunder that leaves emails in Outlook open to eavesdropping (CVE-2017-11776) over supposedly secure connections. According to Microsoft:
An information disclosure vulnerability exists when Microsoft Outlook fails to establish a secure connection. An attacker who exploited the vulnerability could use it to obtain the email content of a user. The security update addresses the vulnerability by preventing Outlook from disclosing user email content.
While the 62 fixes are a heavy load from Microsoft, admins can take heart in the knowledge that there won't be a Flash update to wrangle this month. Instead Adobe said it would release an update to Flash Player that cleans up performance and stability bugs for Windows, macOS and Linux versions. ®
PS: Etienne Stalmans and Saif El-Sherei of SensePost say they've been able to achieve "command execution on Microsoft Word without any macros, or memory corruption," using the DDE protocol. We're told Microsoft, for now, considers it a feature, and not a bug.