Today’s VERT Alert addresses the Microsoft April 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-720 on Wednesday, April 12th.
With the elimination of Security Bulletins, the VERT Alert will be changing. This shortened version will act as a placeholder until the launch of the improved VERT Alert. For more details, please see this blog post.
In-The-Wild & Disclosed CVEs
CVE-2017-0199
FireEye referenced this vulnerability on April 8th in their blog post, Acknowledgement of Attacks Leveraging Microsoft Zero-Day. They published additional details in the April 11th blog post, CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. This vulnerability has been utilized in multiple attacks that have dropped malware on systems, making this a critical vulnerability that should be patched immediately.
CVE-2017-0210
Microsoft has indicated that CVE-2017-0210 has been publicly disclosed and actively exploited. This Internet Explorer vulnerability occurs due to a flaw in the enforcement of cross-domain policies.
CVE-2017-0203
This vulnerability is not currently being exploited but it has been publicly disclosed. Microsoft has indicated that older software is not affected and that the latest software releases are unlikely to be exploited. The vulnerability allows an attacker to bypass the Edge Content Security Policy (CSP) due to a failure to properly validate certain documents.
FYI Vulnerabilities
While many of the issues fixed today are the same as we saw in the pre-Security Guidance world, there are a few that are worth highlighting.
Silverlight
Once again, patches were released for Microsoft Silverlight. This is a web technology that’s slowly being phased out. Based on Web Technology Surveys data, only 0.1% of all websites use Silverlight. If you don’t need Silverlight for your day-to-day use of the Internet, this is a good time to uninstall it entirely to remove the related attack surface.
Hyper-V
While it isn’t called out directly in the release notes, Hyper-V has a number of vulnerabilities resolved this month. As IT departments continue to virtualize more and more systems, the number of hypervisors in the enterprise will continue to increase. A number of Hyper-V vulnerabilities are patched, including a pair of Guest OS escapes that could allow authenticated users on a Hyper-V Guest to execute code on the Hyper-V Host (CVE-2017-0180 & CVE-2017-0181).
Other Information
In addition to the Microsoft vulnerabilities included in the April Security Guidance, there were two other documents published that look like CVEs but aren’t. These documents were published with document IDs in the details column using the format YYYY-####. This leads to a misunderstanding, as the assumption is made that the ID is the same as a CVE (CVE-YYYY-####).
2017-2605
The first of these non-CVE documents references a Defense-in-Depth update for Microsoft Office to mitigate “limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter”. Microsoft is releasing this mitigation as a temporary fix until a proper security update can be released. There is no indication in the Microsoft material of a CVE that may be associated with this issue.
2017-3447
The second non-CVE document this month is a container for the Adobe APSB17-10 update. This Adobe Flash update resolves the following CVEs: CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, and CVE-2017-3064.