While others go looking for the latest school supplies, let’s beat the heat and turn our attention instead to the latest security patches from Adobe and Microsoft.
Adobe Patches for August 2017
For this month, Adobe released Critical-rated updates for Adobe Flash, Digital Editions, and Reader, and one Important-rated update for Adobe Experience Manager. The Flash update is again rather small, with only two CVEs addressed, one of which came through the ZDI program. Since Adobe put a firm expiration date on Flash, it has also declared an expiration date for Flash updates. Of course, this doesn't mean attackers will stop targeting whatever Flash instances remain past 2020, so administrators need to plan its removal before then. The update for Adobe Reader is much larger. It covers 43 Critical and 24 Important CVEs, and 57 of those unique CVEs trace back to 65 separate bug submissions to the ZDI program. The patch mostly addresses use-after-free and memory corruption issues that could allow a remote attacker to execute code on a target system if they can convince a user to open a maliciously crafted file.
The update for Adobe Digital Editions addresses two Critical CVEs and seven Important CVEs. Again, one of these CVEs came through the ZDI program. Most of these bugs are information disclosures that leak memory addresses, which is exactly what an attacker needs to defeat ASLR before chaining a code execution bug. The final Adobe update for August corrects three different issues in the Experience Manager. While Adobe lists the overall bulletin as Moderate, it identifies CVE-2017-3108 as an Important-severity arbitrary code execution bug. Either way, if you are running the Experience Manager product within your enterprise, this patch definitely should not be ignored. And if you're keeping score at home, note that over 70% of the CVEs patched by Adobe this month came through the ZDI program at some point.
Microsoft Patches for August 2017
Microsoft released 48 security patches for August covering Windows, Internet Explorer (IE), Edge, the Windows Subsystem for Linux, the Windows kernel, SharePoint, SQL Server, and Hyper-V. Of these 48 CVEs, 25 are rated Critical, 21 are rated Important, and two are rated Moderate. Seven of them came through the ZDI program. Three of these bugs are listed as publicly known prior to release, with one bug listed as having a publicly available PoC.
A few of the CVEs addressed by Microsoft this month deserve some extra attention, and we'll start with the most critical of the bunch.
- CVE-2017-8620 – Windows Search Remote Code Execution Vulnerability
This is by far the most critical bug for this month. It resembles a previous Windows Search vulnerability, one that was under active attack when its patch was released, and like that bug it allows a malicious SMB request to execute code on a target system. As with the previous Search flaw, an attacker inside an enterprise could trigger the vulnerability remotely over an SMB connection and take control of the target computer. That's pretty close to wormable and just the sort of thing malware writers look for in a bug. Also, let this be your monthly reminder to disable SMBv1.
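Acting on that SMBv1 reminder is a few lines of PowerShell. The script below is an added example and not part of the original post: it audits whether a Windows 8.1 / Server 2012 R2 or later host still has SMBv1 enabled on the server and client side, then turns it off. The function names Get-Smb1Status and Disable-Smb1 are ours; the cmdlets, the mrxsmb10 service and the sc.exe settings are the ones Microsoft documents in KB 2696547 for removing SMBv1.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and remove SMBv1 on one Windows 8.1 / Server 2012 R2 or later host.
# Function names are ours; cmdlets, services and registry paths are Microsoft's.

function Get-Smb1Status {
    # Server side: will the file server still negotiate SMB1 with clients?
    $srv = Get-SmbServerConfiguration

    # Are the SMB1 binaries installed at all? Client SKUs expose this as an optional
    # feature; on Server 2012 R2+ check Get-WindowsFeature FS-SMB1 instead.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Client side: the SMB1 redirector driver (mrxsmb10) is a kernel driver, so
    # Get-Service does not list it; read its start type from the registry (4 = disabled).
    $mrx = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -Name Start -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Smb1ServerOn     = $srv.EnableSMB1Protocol
        Smb1FeatureState = if ($feat) { [string]$feat.State } else { 'NotPresent' }
        Smb1ClientStart  = if ($mrx)  { $mrx.Start } else { 'NotPresent' }   # 4 means disabled
        Smb2ServerOn     = $srv.EnableSMB2Protocol                            # must stay $true
    }
}

function Disable-Smb1 {
    param([switch]$RemoveFeature)

    # Sanity check: never leave a host with no SMB dialect at all.
    if (-not (Get-SmbServerConfiguration).EnableSMB2Protocol) {
        throw 'SMB2 is disabled on this host; enable it before removing SMB1.'
    }

    # 1. Server side: stop accepting SMB1 sessions. Effective immediately, no reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Client side: make the workstation service depend only on the SMB2 redirector,
    #    then disable the SMB1 redirector driver (KB 2696547 procedure).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # 3. Optionally remove the SMB1 component entirely; a reboot completes the removal.
    if ($RemoveFeature) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    Get-Smb1Status
}

# Usage: review first, then disable. Run Disable-Smb1 -RemoveFeature once you have
# confirmed nothing on the network (old NAS boxes, printers, scanners) still needs SMB1.
Get-Smb1Status | Format-List
```

Run the audit across a fleet with Invoke-Command before flipping the switch; the hosts that still report Smb1ServerOn as True are the ones a wormable SMB bug would reach first.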
- CVE-2017-8664 – Windows Hyper-V Remote Code Execution Vulnerability
Although neither publicly known nor actively exploited, this bug certainly warrants extra attention. According to Microsoft, "Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system." This could allow an attacker on a guest OS to escape and execute code on the underlying hypervisor. Back at the 2017 Pwn2Own competition, a Hyper-V escape like this one would have earned the contestant $100,000 USD. Although nobody attempted this product this year, it's safe to say we'll likely see some attempts should the category return.
Here's the full list of CVEs released by Microsoft for August 2017. The XI columns give Microsoft's Exploitability Index for the latest and for older product versions (1 means exploitation more likely, 2 less likely, 3 unlikely).
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
CVE-2017-8620 | Windows Search Remote Code Execution Vulnerability | Critical | Yes | No | 1 | 1 |
CVE-2017-8627 | Windows Subsystem for Linux Denial of Service Vulnerability | Important | Yes | No | 3 | N/A |
CVE-2017-8633 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 |
CVE-2017-0250 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Critical | No | No | 3 | 3 |
CVE-2017-0293 | Windows PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8591 | Windows IME Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8622 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Critical | No | No | 3 | N/A |
CVE-2017-8634 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8635 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8636 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8638 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
CVE-2017-8639 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8640 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8641 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8645 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8646 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
CVE-2017-8647 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
CVE-2017-8653 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8655 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
CVE-2017-8656 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8657 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8661 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8669 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8670 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8671 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8672 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
CVE-2017-8674 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-0174 | Windows NetBIOS Denial of Service Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8503 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8516 | Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8593 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8623 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8624 | Windows CLFS Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8625 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8637 | Scripting Engine Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-8642 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 3 | N/A |
CVE-2017-8644 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8652 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8654 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8659 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8662 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8664 | Windows Hyper-V Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8666 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8668 | Volume Manager Extension Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8673 | Windows Remote Desktop Protocol Denial of Service Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-8691 | Express Compressed Fonts Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8650 | Microsoft Edge Security Feature Bypass Vulnerability | Moderate | No | No | 3 | N/A |
CVE-2017-8651 | Internet Explorer Memory Corruption Vulnerability | Moderate | No | No | N/A | 1 |
Obviously, the patches impacting Edge, IE, and SharePoint should top deployment lists due to the ubiquitous nature of those programs. As in the previous month, many of the Edge and IE cases are simply titled "Scripting Engine Memory Corruption Vulnerability." Recently, ZDI researcher Simon Zuckerbraun blogged about how JavaScript has inadvertently become the assembly language of the web and what that means for risk in an enterprise. There are also a couple of patches for the Windows Subsystem for Linux (WSL), a new Windows 10 feature aimed primarily at developers. If you understand I'm not misspelling the word "sed," this patch should matter to you. The release is rounded out with updates for the Windows kernel, Remote Desktop Protocol, and a few other Windows components.
While not officially part of the August release, Microsoft rather quietly released patches for Outlook and Office Click-to-Run on July 27 to correct three new vulnerabilities. None of the updates for CVE-2017-8571, CVE-2017-8572, or CVE-2017-8663 are listed as public or under active attack. They do, however, all state that "the security updates address known issues 1 through 4 described in the Office Support Article Outlook known issues in the June 2017 security updates." Apparently some problems with those updates remain, as Microsoft continues to investigate iCloud failing to load properly in Outlook. If you've run into issues with Outlook since the June updates, these patches could alleviate some of them, which may also be why they were released "out of band," meaning on a day other than Patch Tuesday. Microsoft also added CVE-2017-8518 to the June release but, confusingly, published it on August 4. Since it is not listed as being under active attack, this is likely a clerical error.
Finally, Microsoft also released its version of the Adobe patch for Flash in Internet Explorer. In case you’re wondering, Microsoft did officially state it too would end Flash support at the end of 2020.
Looking Ahead
The next Patch Tuesday falls on September 12, and we'll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!