Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 18 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins and expects to ship ASPL-716 on Wednesday, March 15th.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
MS17-006
MS17-007
MS17-008
MS17-013
MS17-014
MS17-017
MS17-018
 MS17-012
No Known Exploit
MS17-019
MS17-021
MS17-022
 
MS17-009
MS17-011
MS17-020
MS17-023
 
MS17-015
MS17-016
 
 MS17-010
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

 

MS17-006 Cumulative Security Update for Internet Explorer KB4013073
MS17-007 Cumulative Security Update for Microsoft Edge KB4013071
MS17-008 Security Update for Windows Hyper-V KB4013082
MS17-009 Security Update for Microsoft Windows PDF Library KB4010319
MS17-010 Security Update for Microsoft Windows SMB Server KB4013389
MS17-011 Security Update for Microsoft Uniscribe KB4013076
MS17-012 Security Update for Microsoft Windows KB4013078
MS17-013 Security Update for Microsoft Graphics Component KB4013075
MS17-014 Security Update for Microsoft Office KB4013241
MS17-015 Security Update for Microsoft Exchange Server KB4013242
MS17-016 Security Update for Windows IIS KB4013074
MS17-017 Security Update for Windows Kernel KB4013081
MS17-018 Security Update for Windows Kernel-Mode Drivers KB4013083
MS17-019 Security Update for Active Directory Federation Services KB4010320
MS17-020 Security Update for Windows DVD Maker KB3208223
MS17-021 Security Update for Windows DirectShow KB4010318
MS17-022 Security Update for Microsoft XML Core Services KB4010321
MS17-023 Security Update for Adobe Flash Player KB4014329

MS17-006

The first bulletin this month (Microsoft published bulletins to ensure a smooth transition away from bulletins) is the typical Internet Explorer cumulative update. While this bulletin contains your traditional mix of IE-only and IE/Edge vulnerabilities, the most important aspect of it is found in the ‘Update FAQ’. Customers must install both the cumulative update and a second standalone update for Microsoft IMAPI on Vista and Server 2008.

CVE-2017-0008 has been publicly disclosed.

CVE-2017-0037 has been publicly disclosed.

CVE-2017-0012 has been publicly disclosed.

CVE-2017-0033 has been publicly disclosed.

CVE-2017-0154 has been publicly disclosed.

MS17-007

Up next, we have the cumulative update for Microsoft Edge. Like MS17-006 this is a rather standard update and there’s nothing out of the ordinary here. 5 of the 32 included CVEs have been publicly disclosed, 3 of which overlap with CVEs in MS17-006 that had been publicly disclosed.

CVE-2017-0037 has been publicly disclosed.

CVE-2017-0012 has been publicly disclosed.

CVE-2017-0033 has been publicly disclosed.

CVE-2017-0069 has been publicly disclosed.

CVE-2017-0065 has been publicly disclosed.

MS17-008

This bulletin contains a number of Hyper-V related vulnerabilities, including multiple code execution vulnerabilities that could allow a malicious guest OS user to execute code on the host OS.

CVE-2017-0097 has been publicly disclosed.

MS17-009

Up next, we have a single CVE for the Microsoft PDF library. If you’ve been paying attention to the details, you’ll notice that the CVE resolved here was also referenced in MS17-007. That is because, for Windows 10, the update for this is part of the Edge update. It is worth nothing that Windows 10 systems with Edge are the only platform that can be compromised by drive-by exploitation.

MS17-010

MS17-010 describes a number of Windows SMBv1 vulnerabilities that impact all supported versions of Windows. If it is not possible to apply the update immediately, Microsoft has provided guidance for disabling SMBv1 in KB2696547.

MS17-011

This bulletin contains 29 vulnerabilities impacting Microsoft Uniscribe. Microsoft has noted that there is overlap between MS17-011 and MS17-013, as update 4012853 is available in both bulletins, however, users do not need to install the fix twice.

MS17-012

MS17-012 is the mixed bag of patches this month. It contains fixes for vulnerabilities impacting Device Guard, SMBv2/SMBv3 Client, DLL Loading, dnsclient, helppane.exe, and the iSNS server. Be sure to pay close attention to the affected software table for this bulletin as not every version of Windows is impacted by every vulnerability.

CVE-2017-0016 has been publicly disclosed.

MS17-013

This bulletin is another ‘everything but the kitchen sink’ bulletin with patches for Windows, Office, Skype, Lync, and Silverlight. This bulletin includes 12 vulnerabilities in total and, in addition to the overlap in MS17-001, also contains overlap with security update 4012497 in MS17-018.

CVE-2017-0005 has been exploited.

CVE-2017-0014 has been publicly disclosed.

MS17-014

As is usually this case, this month’s Microsoft Office update provides fixes for both the traditional Microsoft Office suite as well as the various Microsoft Office web applications. Microsoft has also provided details on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources. Even if you can apply the patch, this workaround provides additional peace of mind and should be applied if possible.

CVE-2017-0029 has been publicly disclosed.

MS17-015

The next bulletin this month, MS17-015 provides a fix for a single vulnerability affecting OWA in Microsoft Exchange. A user would have to follow a malicious URL in order for this vulnerability to be exploited.

MS17-016

This bulletin resolves a single Cross-Site Scripting vulnerability impacting Microsoft IIS. As with MS17-015, a user would have to follow a malicious link in order for this vulnerability to be exploited.

MS17-017

Next up, we have a fix for a number of vulnerabilities impacting the Windows kernel.

CVE-2017-0050 has been Publicly Disclosed.

MS17-018

With this bulletin, we have the other update that overlaps with MS17-013 and resolves 8 Win32k privilege elevation vulnerabilities.

MS17-019

In MS17-019, we have a single vulnerability in Microsoft Active Directory Federation Services, an information disclosure that can occur when working with XML External Entities.

MS17-020

Windows DVD Maker contains a Cross-Site Request Forgery (CSRF) based on the details in MS17-020. This vulnerability is exploited when parsing malicious .msdvd files.

MS17-021

Continuing the information disclosure trend, we have a single information disclosure vulnerability in MS17-021 impacting Windows DirectShow. As with many other vulnerabilities this month, the user would have to follow a malicious link in order for this vulnerability to be exploited.

MS17-022

The penultimate vulnerability this month is an information disclosure in MSXML that can allow an attacker to test for the presence of files on the disk. A user would have to visit a malicious website that calls MSXML to see this vulnerability exploited.

CVE-2017-0022 has been exploited.

MS17-023

The final update this month is, as always, the Adobe Flash update. Specifically, this update addresses the vulnerabilities found in APSB17-07.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

SANS White Paper: Security Basics