Today’s VERT Alert addresses the Microsoft August 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-737 on Wednesday, August 9th.
In-The-Wild & Disclosed CVEs
The first publicly disclosed vulnerability this month is a denial of service in the Windows Subsystem for Linux. Given that this is a local denial of service that requires running a specially crafted application, the likelihood of exploitation seems low, especially since this is not a default component.
Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely)
Up next, we have a vulnerability in Windows Error Reporting. As with the above CVE, this vulnerability has been publicly disclosed but has not been exploited. Successful exploitation of this vulnerability could lead to elevated privileges.
Microsoft has rated this as a 1 on the Exploitability Index (Exploitation More Likely)
While many of the issues fixed today are typical for Patch Tuesday, there are a few that are worth highlighting.
Aside from the inclusion of SQL Server patches this month, the update list is pretty standard. One vulnerability worth highlighting is CVE-2017-8673, a denial of service in RDP. This vulnerability was discovered by Tripwire VERT and is trivial to exploit as it can occur during seemingly normal RDP usage. The vulnerability was introduced in Windows 10 version 1703 and no other versions of Windows have been found to be vulnerable.
Prior CVEs & Windows 10
Microsoft has announced a major revision increment for a number of vulnerabilities and a security bulletin that impact Windows 10. Their guidance is to install the July 2017 security updates to fully protect from a number of older vulnerabilities (CVE-2017-0071 [MS17-007], CVE-2017-0228, and CVE-2017-0299). While most of these were updated for only Windows 10 Version 1703, CVE-2017-0071 was updated for multiple versions of Windows 10.
In addition to the Microsoft vulnerabilities included in the August Security Guidance, a security advisory was also published.
August Flash Security Update [ADV170010]
Microsoft has published an advisory for the August Adobe Flash Security Update (APSB17-23). This includes updates for the following vulnerabilities: CVE-2017-3085, CVE-2017-3106