March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB). This vulnerability potentially allows cyber criminals to render affected systems inaccessible via a denial-of-service (DoS) attack. A second update for Windows SMB, MS17-010, which addresses issues connected to the SMBv1 server, is also included.
Another high-priority bulletin for this month is MS17-013, which addresses a Windows Graphics Device Interface (GDI) bug that was disclosed by Google in February 2017. In particular, it resolves issues surrounding gdi32.dll that allowed remote attackers to access sensitive information from heap memory using a crafted EMF file. The update also addresses the CVE-2017-0005 vulnerability, which is reportedly a zero day under active attack.
Microsoft also released its regular cumulative updates, which address 12 vulnerabilities for Internet Explorer (MS17-006) and 32 vulnerabilities for Microsoft Edge (MS17-007). Both critical bulletins address issues that let attackers gain control of affected systems when users access and view malicious webpages using these two Microsoft web browsers. Here are the other critical bulletins for March:
- MS17-008: Addresses vulnerabilities with Windows Hyper-V, including one which allows remote code execution if an authenticated attacker using a guest operating system runs a customized application that causes the host operating system to execute arbitrary code.
- MS17-009: Addresses a vulnerability involving Microsoft Windows PDF Library. This vulnerability allows an attacker remote access to a user’s system if the user views or opens malicious PDF documents.
- MS17-011: Addresses vulnerabilities with Windows Uniscribe. Eight of these deal with remote code execution, while the rest are information disclosure vulnerabilities.
Adobe also released its own security bulletins for March in sync with Microsoft, the most important being APSB17-07, which deals with critical vulnerabilities in Adobe Flash Player that can allow attackers to take control of an affected system. These vulnerabilities are also tackled by the critical MS17-023 bulletin, which covers the Internet Explorer and Edge versions of Flash Player distributed by Microsoft. This update raises Adobe Flash Player to version 25.0.0.127.
Trend Micro researchers took part in the discovery of the following vulnerabilities and/or security improvements:
- CVE-2017-0023 (MS17-009)
- CVE-2017-0022 (MS17-022)
The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
- CVE-2017-0018 (MS17-006)
- CVE-2017-0011 (MS17-007)
- CVE-2017-0015 (MS17-007)
- CVE-2017-0032 (MS17-007)
- CVE-2017-0067 (MS17-007)
- CVE-2017-0094 (MS17-007)
- CVE-2017-0047 (MS17-013)
- CVE-2017-3001 (APSB17-07)
Trend Micro Solutions
Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may target these Microsoft vulnerabilities via the following DPI rules:
- 1008149-Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2017-0008)
- 1008150-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-0009)
- 1008151-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-0018)
- 1008152-Microsoft Internet Explorer And Edge Spoofing Vulnerability (CVE-2017-0033)
- 1008154-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-0040)
- 1008155-Microsoft Internet Explorer Scripting Engine Information Disclosure Vulnerability (CVE-2017-0049)
- 1008156-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0010)
- 1008157-Microsoft Edge Information Disclosure Vulnerability (CVE-2017-0011)
- 1008158-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0015)
- 1008159-Microsoft Edge Information Disclosure Vulnerability (CVE-2017-0017)
- 1008160-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0032)
- 1008161-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0035)
- 1008163-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0019)
- 1008164-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0020)
- 1008165-Microsoft Office Information Disclosure Vulnerability (CVE-2017-0027)
- 1008167-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0030, CVE-2016-0031)
- 1008168-Microsoft Windows PDF Library Memory Corruption Vulnerability (CVE-2017-0023)
- 1008169-Microsoft Windows Graphics Component Remote Code Execution Vulnerability (CVE-2017-0014)
- 1008170-Microsoft Windows DLL Loading Vulnerability Over WebDAV (CVE-2017-0039)
- 1008172-Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2017-0050)
- 1008173-Microsoft XML Core Service Information Disclosure Vulnerability (CVE-2017-0022)
- 1008174-Microsoft Windows DirectShow Information Disclosure Vulnerability (CVE-2017-0042)
- 1008176-Microsoft Windows GDI Elevation Of Privilege Vulnerability (CVE-2017-0047)
- 1008177-Microsoft Windows DLL Loading Vulnerability Over Network Share (CVE-2017-0039)
- 1008187-Microsoft Office OLE DLL Loading Vulnerability Over Network Share (CVE-2016-7275)
- 1008208-Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2017-0059)
- 1008209-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-0130)
- 1008210-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0034)
- 1008211-Microsoft Edge Information Disclosure Vulnerability (CVE-2017-0065)
- 1008212-Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-0066)
- 1008213-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0067)
- 1008215-Microsoft Edge Spoofing Vulnerability (CVE-2017-0069)
- 1008216-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0070)
- 1008217-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0071)
- 1008218-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0094)
- 1008219-Microsoft Edge Out Of Bounds Read Vulnerability (CVE-2017-0131)
- 1008220-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0133)
- 1008221-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0140)
- 1008222-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0141)
- 1008224-Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146)
- 1008225-Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
- 1008228-Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
- 1008234-Microsoft Windows Uniscribe Multiple Remote Code Execution Vulnerabilities (CVE-2017-0088, CVE-2017-0089)
- 1008235-Microsoft Windows Uniscribe Multiple Remote Code Execution Vulnerabilities (CVE-2017-0083, CVE-2017-0086, CVE-2017-0087, CVE-2017-0090)
- 1008236-Microsoft Windows Uniscribe Multiple Remote Code Execution Vulnerabilities (CVE-2017-0072, CVE-2017-0121)
- 1008237-Microsoft Windows COM Elevation Of Privilege Vulnerability (CVE-2017-0100)
- 1008238-Microsoft Windows GDI+ Information Disclosure Vulnerability (CVE-2017-0060)
- 1008239-Microsoft Windows GDI+ Information Disclosure Vulnerability (CVE-2017-0062)
- 1008240-Microsoft Windows GDI+ Information Disclosure Vulnerability (CVE-2017-0073)
- 1008241-Microsoft Windows GDI+ Remote Code Execution Vulnerability (CVE-2017-0108)
- 1008242-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0006)
- 1008243-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0052)
- 1008244-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0053)
- 1008245-Microsoft Office Information Disclosure Vulnerability (CVE-2017-0105)
- 1008247-Microsoft Windows Registry Elevation Of Privilege Vulnerability (CVE-2017-0103)
- 1008248-Microsoft Windows Multiple Elevation Of Privilege Vulnerabilities (CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0080, CVE-2017-0081, CVE-2017-0082)
- 1008249-Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2017-0154)
- 1008250-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-0149)
TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:
- 26887: HTTP: Microsoft Internet Explorer Float64Array Memory Corruption Vulnerability
- 26897: HTTP: Microsoft Edge ASM Memory Corruption Vulnerability
- 26902: HTTP: Microsoft Edge Array Symbol Memory Corruption Vulnerability
- 26904: HTTP: Microsoft Windows EMF Parsing Information Disclosure Vulnerability
- 27035: HTTP: Microsoft Edge CSS Animation Information Disclosure Vulnerability
- 27038: HTTP: Microsoft Edge Array Object Type Confusion Vulnerability
- 27039: HTTP: Microsoft Internet Explorer mhtml Resource Usage
- 27040: HTTP: Microsoft Edge InsertOrderedList Memory Corruption Vulnerability
- 27041: HTTP: Data URI with JavaScript in iframe
- 27042: HTTP: Microsoft Internet Explorer and Edge Area target Use-After-Free Vulnerability
- 27043: HTTP: Microsoft Windows DrawIconEx Buffer Overflow Vulnerability
- 27044: HTTP: Microsoft Edge Data URI Same-Origin Policy Bypass Vulnerability
- 27047: HTTP: Microsoft Internet Explorer parseError Information Disclosure Vulnerability
- 27048: HTTP: Microsoft Word RTF DLL Sideloading Vulnerability
- 27049: HTTP: Microsoft Windows NtCreateProfile Denial-of-Service Vulnerability
- 27050: HTTP: Windows Media Player ActiveX errorDescription Usage
- 27051: HTTP: Microsoft Edge JavascriptArray Out-of-Bounds Write Vulnerability
- 27052: HTTP: Microsoft Internet Explorer JavaScript sort Information Disclosure Vulnerability
- 27053: HTTP: Microsoft Windows TTF LoadUvsTable Buffer Overflow Vulnerability
- 27054: HTTP: Microsoft Word Memory Corruption Vulnerability
- 27055: HTTP: Microsoft Word Font Use-After-Free Vulnerability
- 27058: HTTP: Microsoft Internet Explorer and Edge ms-appx-web Spoofing Vulnerability
- 27059: HTTP: Microsoft Edge AsmJs Memory Corruption Vulnerability
- 27061: HTTP: Microsoft Internet Explorer ActiveX parseError.errorCode Invocation
- 27115: HTTP: Microsoft Internet Explorer mhtml Information Disclosure Vulnerability
- 27116: HTTP: Microsoft Excel File Recovery Use-After-Free Vulnerability
- 27117: HTTP: Microsoft Excel Memory Corruption Vulnerability
- 27118: HTTP: Microsoft Word Use-After-Free Vulnerability
- 27375: HTTP: Microsoft Edge Reading View Information Disclosure Vulnerability
- 27376: HTTP: Microsoft Edge Frames Security Bypass Vulnerability
- 27378: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27379: HTTP: Microsoft Edge AsmJs Memory Corruption Vulnerability
- 27380: HTTP: Microsoft Windows OTF Memory Corruption Vulnerability
- 27381: HTTP: Microsoft Internet Explorer textarea Use-After-Free Vulnerability
- 27382: HTTP: Microsoft Edge Address Bar Forgery Vulnerability
- 27391: HTTP: Microsoft Windows win32k Use-After-Free Vulnerability
- 27392: HTTP: Microsoft Windows Win86GDI Access Violation Vulnerability
- 27393: HTTP: Microsoft Windows usp10.dll Buffer Overflow Vulnerability
- 27394: HTTP: Microsoft Windows GDI Type Confusion Vulnerability
- 27395: HTTP: Microsoft Windows Win32k Device Driver Interface Privilege Escalation Vulnerability
- 27396: HTTP: Microsoft Windows Win32k Device Driver Interface ResizePool Denial-of-Service Vulnerability
- 27397: HTTP: Microsoft Windows win32k Out-of-Bounds Read Vulnerability
- 27398: HTTP: Microsoft Windows releaseResource Type Confusion Vulnerability
- 27399: HTTP: Microsoft Windows Registry Hive Use-After-Free Vulnerability
- 27400: HTTP: Microsoft Windows TTF User-Mode Library Privilege Escalation Vulnerability
- 27403: HTTP: Microsoft Internet Explorer Array Type Confusion Vulnerability
- 27404: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27405: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27406: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27407: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27408: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27409: HTTP: Microsoft Windows TTF Memory Corruption Vulnerability
- 27412: HTTP: Microsoft Edge valueOf Type Confusion Vulnerability
- 27413: HTTP: Microsoft Edge Proxy Type Confusion Vulnerability
- 27414: HTTP: Microsoft Edge Chakra Memory Corruption Vulnerability
- 27415: HTTP: Microsoft Edge ArrayBuffer Type Confusion Vulnerability
- 27416: HTTP: Microsoft Edge lookupGetter Use-After-Free Vulnerability
- 27418: HTTP: Fetch API Usage
- 27419: HTTP: Microsoft Edge Array Memory Corruption Vulnerability
- 27420: HTTP: Microsoft Excel Printer Settings Memory Corruption Vulnerability
- 27426: HTTP: Microsoft Edge Fetch API Same-Origin Policy Bypass Vulnerability
- 27427: HTTP: Microsoft Windows Session Moniker Privilege Escalation Vulnerability
- 27430: HTTP: Microsoft Excel sharedStrings Access Violation Vulnerability
- 27433: SMB: Microsoft Windows SMB Server MID Type Confusion Vulnerability
- 27483: HTTP: Microsoft Word wwlib Use-After-Free Vulnerability
- 27484: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
- 27486: HTTP: Microsoft Internet Explorer VBScript Array Memory Corruption Vulnerability
- 27487: HTTP: Microsoft Internet Explorer ActiveX Cross-Site Scripting Vulnerability