December Patch Tuesday: MMPE Vulnerability Updates
It was a relatively low-key year-ender for Microsoft’s Patch Tuesday, as the company’s monthly release of updates was relatively light in terms of noteworthy vulnerabilities. There were only a few notable vulnerabilities that were addressed.
It was a relatively low-key year-ender for Microsoft’s Patch Tuesday, as the company’s monthly release of updates was relatively light in terms of noteworthy vulnerabilities. With that said, there were still a few notable vulnerabilities that were addressed. Perhaps the most significant of these were CVE-2017-11937 and CVE-2017-11940, two remote code execution vulnerabilities in the Microsoft Malware Protection Engine (MMPE): the engine fails to scan certain files properly, and the resulting memory corruption lets an attacker who gets a specially crafted file scanned compromise the system. The fix for these vulnerabilities was delivered as an out-of-band engine update that is now also included in the general Patch Tuesday release.
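Because the MMPE fix ships as an engine update rather than a conventional Windows patch, the practical check for a defender is whether each host's loaded engine version is at or above the version Microsoft lists as fixed. The PowerShell below is an added example, not code from the Trend Micro post, and uses only the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature). The function name Test-MmpeEngineVersion is an assumption, and the required-version value is a placeholder: the post does not state the fixed engine version, so take it from Microsoft's advisory for CVE-2017-11937 and CVE-2017-11940 before running this.

```powershell
# Added example (not from the original post): report whether the local
# Windows Defender / Malware Protection Engine (MMPE) is at or above a
# required engine version. The function name is an assumption.
function Test-MmpeEngineVersion {
    [CmdletBinding()]
    param(
        # Placeholder: supply the fixed engine version from Microsoft's advisory.
        [Parameter(Mandatory)]
        [version]$RequiredEngineVersion
    )

    # Get-MpComputerStatus is the built-in Defender cmdlet; AMEngineVersion is
    # the Malware Protection Engine (mpengine.dll) version currently loaded.
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $current
        RequiredVersion   = $RequiredEngineVersion
        SignaturesUpdated = $status.AntivirusSignatureLastUpdated
        # [version] comparison is component-wise, so 1.1.14405.2 -ge 1.1.14306.0 is $true.
        Patched           = ($current -ge $RequiredEngineVersion)
    }
}

# Usage: replace the placeholder '0.0.0.0' with the engine version Microsoft
# lists as fixed for CVE-2017-11937 / CVE-2017-11940.
$result = Test-MmpeEngineVersion -RequiredEngineVersion '0.0.0.0'
$result | Format-List

if (-not $result.Patched) {
    # Engine updates arrive through the normal definition-update channel;
    # Update-MpSignature pulls the latest engine and definitions, after which
    # the check should be repeated.
    Write-Warning ("MMPE engine {0} is below required {1}; running Update-MpSignature." -f `
        $result.EngineVersion, $result.RequiredVersion)
    Update-MpSignature
}
```

For a fleet, wrap the function call in Invoke-Command against a list of hosts and collect the returned objects; hosts whose engine version cannot be read (for example, where a third-party AV has disabled Defender) will throw on Get-MpComputerStatus and should be triaged separately rather than counted as patched.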
Overall, Patch Tuesday addressed 12 Critical-rated vulnerabilities and 10 rated as Important, of which two were disclosed via Trend Micro’s Zero Day Initiative. In addition to the MMPE vulnerability updates, some of the other noteworthy fixes include:
- CVE-2017-11899: A security feature bypass that exists when Device Guard incorrectly validates an untrusted file. An attacker successfully exploiting this vulnerability could make untrusted files appear to be trusted once, causing Device Guard to allow a malicious file to execute.
- CVE-2017-11927: An information disclosure vulnerability that exists when the Windows its:// protocol handler unnecessarily sends traffic to a remote site to determine the zone of a provided URL. Attackers exploiting this vulnerability can use various tactics such as phishing to lure users into browsing a malicious website or to an SMB or UNC path destination. A successful attack can potentially lead to the disclosure of sensitive information to a malicious site.
Meanwhile, Adobe released their security update for December that addresses a single vulnerability:
- APSB17-42: A security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS that addresses a regression that could lead to the unintended reset of the global settings preference file.
Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities mentioned above via the following DPI rules:
- 1008769 - Microsoft Windows RRAS Service Remote Code Execution Vulnerability (CVE-2017-11885)
- 1008770 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11886)
- 1008771 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11888)
- 1008772 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11889)
- 1008773 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11890)
- 1008774 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11893)
- 1008775 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-11894)
- 1008776 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-11895)
- 1008777 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11901)
- 1008778 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11903)
- 1008779 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11907)
- 1008780 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11909)
- 1008781 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11911)
- 1008782 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11913)
- 1008783 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11914)
- 1008784 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11916)
- 1008785 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11918)
- 1008787 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-11930)
- 1008788 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2017-11935)
- 1008789 - Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-11937)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:
- 30068: HTTP: Microsoft jscript RegExp Memory Corruption Vulnerability
- 30069: HTTP: Microsoft Internet Explorer VBScript ReDim Use-After-Free Vulnerability
- 30070: HTTP: Microsoft Edge edgehtml.dll Use-After-Free Vulnerability
- 30074: HTTP: Microsoft Edge Memory Corruption Vulnerability
- 30075: HTTP: Microsoft Edge Array Use-After-Free Vulnerability
- 30076: HTTP: Microsoft Edge Math Type Confusion Vulnerability
- 30077: HTTP: Microsoft Edge Regular Expression Integer Overflow Vulnerability
- 30078: HTTP: Microsoft Edge Type Confusion Vulnerability
- 30079: HTTP: Microsoft Internet Explorer Array.prototype Use-After-Free Vulnerability
- 30080: HTTP: Microsoft Edge Type Confusion Vulnerability
- 30081: HTTP: Microsoft Internet Explorer Array Sort Memory Corruption Vulnerability
- 30082: HTTP: Microsoft Edge Array Memory Corruption Vulnerability
- 30083: HTTP: Microsoft Edge ASM Memory Corruption Vulnerability
- 30085: HTTP: Microsoft Edge Array Type Confusion Vulnerability
- 30086: HTTP: Microsoft Edge Array Integer Overflow Vulnerability
- 30088: HTTP: Microsoft Excel Use-After-Free Vulnerability
- 30092: SMB: Microsoft Windows iprtrmgr.dll Memory Corruption Vulnerability
- 30093: HTTP: Microsoft Defender Archive Buffer Overflow Vulnerability