Today’s VERT Alert addresses the Microsoft April 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-720 on Wednesday, April 12th.
With the elimination of Security Bulletins, the VERT Alert will be changing. This shortened version will act as a placeholder until the launch of the improved VERT Alert. For more details, please see this blog post.
In-The-Wild & Disclosed CVEs
FireEye referenced this vulnerability on April 8th in their blog post, Acknowledgement of Attacks Leveraging Microsoft Zero-Day. They published additional details in the April 11th blog post, CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. This vulnerability has been utilized in multiple attacks that have dropped malware on systems, making this a critical vulnerability that should be patched immediately.
Microsoft has indicated that CVE-2017-0210 has been publicly disclosed and actively exploited. This Internet Explorer vulnerability occurs due to a flaw in the enforcement of cross-domain policies.
This vulnerability is not currently being exploited, but it has been publicly disclosed. Microsoft has indicated that older software is not affected and that the latest software releases are unlikely to be exploited. The vulnerability allows an attacker to bypass the Edge Content Security Policy (CSP) due to a failure to properly validate certain documents.
While many of the issues fixed today are the same as we saw in the pre-Security Guidance world, there are a few that are worth highlighting.
Once again, patches were released for Microsoft Silverlight. This is a web technology that’s slowly being phased out. Based on Web Technology Surveys data, only 0.1% of all websites use Silverlight. If you don’t need Silverlight for your day-to-day use of the Internet, this is a good time to uninstall it entirely to remove the related attack surface.
While it isn’t called out directly in the release notes, Hyper-V has a number of vulnerabilities resolved this month. As IT departments continue to virtualize more and more systems, the number of hypervisors in the enterprise will continue to increase. A number of Hyper-V vulnerabilities are patched, including a pair of Guest OS escapes that could allow authenticated users on a Hyper-V Guest to execute code on the Hyper-V Host (CVE-2017-0180 & CVE-2017-0181).
In addition to the Microsoft vulnerabilities included in the April Security Guidance, there were two other documents published that look like CVEs but aren’t. These documents were published with document IDs in the details column using the format YYYY-####. This leads to misunderstanding, as the assumption is made that the ID is the same as a CVE (CVE-YYYY-####).
The first of these non-CVE documents references a Defense-in-Depth update for Microsoft Office to mitigate “limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter”. Microsoft is releasing this mitigation as a temporary fix until a proper security update can be released. There is no indication in the Microsoft material of a CVE that may be associated with this issue.
The second non-CVE document this month is a container for the Adobe APSB17-10 update. This Adobe Flash update resolves the following CVEs: CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, and CVE-2017-3064.