SANS Internet Storm Center InfoSec Forums
February and March Microsoft Patch Tuesday

Today, Microsoft released its monthly security bulletins. February's delayed release was combined with this March release, which likely explains the large number of bulletins (18 total, including the Adobe Flash bulletin).

You can review the patch summary here: https://isc.sans.edu/mspatchdays.html?viewday=2017-03-14 or via our API

Probably the most "scary" set of vulnerabilities in this update are CVE 2017-0143, CVE 2017-0144, CVE 2017-0145, CVE 2017-0146 and CVE 2017-0148. These are remote code execution vulnerabilities that allow an unauthenticated user to execute arbitrary code. Microsoft rates the exploitability as "1", indicating that it wouldn't be terribly difficult to develop an exploit for these. Yes, you already blocked SMB at your perimeter. But further reducing your attack surface is always a good idea. You may want to consider disabling SMBv1 (which should not cause any problems if you only use currently supported Windows versions).
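As an added example (not part of the diary or of Microsoft's own tooling), the following PowerShell script reports whether SMBv1 is still enabled on a host and, only when run with the hypothetical -Disable switch, turns it off on both the server and client side. It assumes an elevated session; the SmbShare cmdlets exist on Windows 8 / Server 2012 and later, and the registry fallback follows Microsoft's published guidance for Windows 7 / Server 2008 R2.

```powershell
# Added example, not from the ISC diary: inventory and (optionally) disable SMBv1.
# Assumptions: elevated PowerShell; Get-/Set-SmbServerConfiguration available on
# Windows 8 / Server 2012 and later; registry fallback for Windows 7 / 2008 R2.
[CmdletBinding()]
param(
    [switch]$Disable   # hypothetical switch: without it the script only reports
)

$haveSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
$lanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# --- Report current state ---------------------------------------------------
if ($haveSmbCmdlets) {
    $cfg = Get-SmbServerConfiguration
    Write-Host "Server-side SMB1 enabled : $($cfg.EnableSMB1Protocol)"
    Write-Host "Server-side SMB2/3 enabled: $($cfg.EnableSMB2Protocol)"
} else {
    # Older systems: the SMB1 DWORD under LanmanServer\Parameters controls it (absent = enabled)
    $smb1 = (Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    Write-Host "Server-side SMB1 enabled : $(if ($null -eq $smb1) { 'True (default)' } else { $smb1 -ne 0 })"
}

# Optional-feature state (Windows 8.1 / Server 2012 R2 and later)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host "SMB1Protocol feature       : $($feature.State)" }

# Client-side driver: mrxsmb10 is the SMBv1 redirector
$mrx = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
if ($mrx) { Write-Host "Client-side mrxsmb10 status: $($mrx.Status) (StartType: $($mrx.StartType))" }

# Before disabling on Windows 10 / Server 2016 and later, it is worth auditing who
# still negotiates SMBv1 for a few days (event ID 3000 in the SMBServer audit log):
#   Set-SmbServerConfiguration -AuditSmb1Access $true -Force
#   Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' | Where-Object Id -eq 3000

# --- Disable only when explicitly asked --------------------------------------
if ($Disable) {
    if ($haveSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Client side: drop the SMBv1 dependency and stop the driver from loading
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Host 'SMBv1 disabled; reboot required for the client-side change to take effect.'
}
```

Run it without arguments first across a sample of hosts to see where SMBv1 is still on, audit for legacy clients (old NAS appliances and printers are the usual offenders), and only then roll out the -Disable run through your normal change process.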

The other two server-related bulletins, MS17-015 for Exchange and MS17-016 for IIS, are more benign in comparison. Both are XSS vulnerabilities and could be used to elevate privileges by running code in an administrator's browser.

Some of the highlights:

Six of the bulletins include vulnerabilities that have either already been made public or that are already being exploited:

MS17-006: One of the Internet Explorer information disclosure vulnerabilities (CVE 2017-0008) has been publicly disclosed in the past. This vulnerability applies to Internet Explorer and Edge (MS17-007).

MS17-007: In addition to CVE 2017-0008, there is a remote code execution vulnerability (CVE 2017-0037) that has been disclosed publicly. There are also three different spoofing vulnerabilities that have been disclosed publicly.

MS17-012: A denial of service vulnerability (CVE 2017-0016) has been publicly disclosed. Microsoft does not list this one as exploited, but an exploit has been publicly available for a bit over a month now. This is the SMB_TREE_CONNECT vulnerability that made quite a few headlines when it was released.

MS17-013: One of the 4 GDI elevation of privilege vulnerabilities (CVE 2017-0005) has already been exploited, but details had not been disclosed publicly.

MS17-017: A privilege escalation vulnerability in the Windows Kernel (CVE 2017-0050) has been publicly disclosed.

MS17-022: The XML Core Services Information Disclosure Vulnerability (CVE 2017-0022) has already been exploited. This exploit would target a client: by loading a malicious XML file, an attacker may learn about the existence of files on the disk.

---
Johannes B. Ullrich, Ph.D.
ISC Handler
I'm just looking at this as I reference the one patch now you have listed. It doesn't seem that KB4013073 has shown up in WSUS as of this morning.
Xotan

2 Posts
For IE on Windows 7 this seems to be KB4012204
Jim

3 Posts
None of the links for those "scary" vulns are working: CVE 2017-0143, CVE 2017-0144, CVE 2017-0145, CVE 2017-0146, CVE 2017-0148.
AAInfoSec

46 Posts
Two Bloomberg terminals where I installed KB4012215 (monthly rollup), KB3178687/KB3178688/KB3178690 (for MS Office) and KB4013867 (Silverlight) for testing showed problems with Excel sheets using the Bloomberg API. Removing KB4012215 resolved the problems.

Has anyone had similar problems?
K

5 Posts
We had similar problems testing at AdvantoSoftware.com, but resolved by removing the file as you mentioned.
Advanto Software

1 Post