TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 8, 2017

Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing)| Date: Fri, 12 May 2017 16:47:57 +0000

Although I’m still dreaming of the sandy beaches of Cancun, it’s time to get back to reality. Security vulnerabilities never take a holiday and this week is no exception. In addition to our normal Digital Vaccine (DV) package delivered earlier this week, we also issued an out-of-band DV package to address zero-day vulnerabilities for Intel Active Management Technology (AMT) (CVE-2017-5689) and Windows Defender (CVE-2017-0290).

The Intel AMT vulnerability is an escalation of privilege vulnerability that allows an unprivileged network attacker to gain control of the manageability features provided by the affected Intel AMT products. The Windows Defender vulnerability is much scarier because it allows a remote attacker to take over a system without any interaction from the system owner: it is enough for the Microsoft Malware Protection Engine behind Windows Defender to scan an email or instant message sent by the attacker. But don’t worry – customers using TippingPoint solutions are protected from these vulnerabilities with the following DV filters:

  • 28214: HTTP: Null response digest
  • 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability
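The name of the first filter, "Null response digest", describes the root cause of CVE-2017-5689: the Intel AMT web interface compared the attacker-supplied HTTP Digest response against the expected digest using only the length of the supplied value, so an empty response (and any correct prefix of the real digest) was accepted as valid. The following Python script is an added example, not TippingPoint's filter logic, that runs the equivalent detection over constructed HTTP requests to the AMT ports; the addresses, nonces and digest values in the samples are made up.

```python
"""Flag HTTP Digest credentials whose response field is empty or truncated,
the condition behind CVE-2017-5689 (Intel AMT "null response digest").

Added example with constructed sample traffic; not real captures and not
the vendor's filter implementation."""
import re

# Ports used by the Intel AMT web interface and its redirection service.
# Only 16992 (plain HTTP) exposes the Authorization header to a passive sensor.
AMT_WEB_PORTS = {16992, 16993, 16994, 16995}

# One key=value pair of a Digest header; the value may be quoted or bare.
_DIGEST_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]*))')
# A well-formed Digest response is the hex encoding of an MD5 digest.
_MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def parse_digest_params(auth_header):
    """Return the parameters of an 'Authorization: Digest ...' header as a
    dict, or None if the credential does not use the Digest scheme."""
    scheme, _, params = auth_header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    out = {}
    for m in _DIGEST_PARAM.finditer(params):
        # group 2 is the quoted form (legitimately "" for an empty value),
        # group 3 the bare form
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def authorization_header(raw_request):
    """Extract the Authorization header value from a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return value.strip()
    return None


def classify_request(dst_port, raw_request):
    """Return 'null-digest' for an empty response field, 'malformed-digest'
    for a response that is not a 32-hex-digit MD5 value, else None."""
    if dst_port not in AMT_WEB_PORTS:
        return None
    auth = authorization_header(raw_request)
    if auth is None:
        return None
    params = parse_digest_params(auth)
    if not params or "response" not in params:
        return None
    response = params["response"]
    if response == "":
        return "null-digest"              # the CVE-2017-5689 bypass
    if not _MD5_HEX.fullmatch(response):
        return "malformed-digest"         # prefix guessing against the same bug
    return None


def scan(records):
    """records: iterable of (src_ip, dst_port, raw_request). Returns alerts."""
    alerts = []
    for src_ip, dst_port, raw in records:
        verdict = classify_request(dst_port, raw)
        if verdict:
            alerts.append((src_ip, dst_port, verdict))
    return alerts


def _request(response_value):
    """Build a constructed AMT login request carrying the given Digest response."""
    return (
        "GET /index.htm HTTP/1.1\r\n"
        "Host: 192.0.2.10:16992\r\n"
        'Authorization: Digest username="admin", realm="Digest:0123456789ABCDEF", '
        f'nonce="c0ffee", uri="/index.htm", response="{response_value}", '
        'qop=auth, nc=00000001, cnonce="abc"\r\n'
        "\r\n"
    )


# Constructed samples: a normal login, the empty-response bypass, a truncated digest.
GOOD_REQUEST = _request("2a6a5b9c3e7f0d1e4c5b6a7980f1e2d3")
NULL_REQUEST = _request("")
SHORT_REQUEST = _request("2a6a")

if __name__ == "__main__":
    sample = [
        ("198.51.100.7", 16992, GOOD_REQUEST),
        ("198.51.100.9", 16992, NULL_REQUEST),
        ("198.51.100.9", 16992, SHORT_REQUEST),
        ("198.51.100.9", 80, NULL_REQUEST),   # not an AMT port: ignored
    ]
    for src, port, verdict in scan(sample):
        print(f"ALERT {verdict}: {src} -> tcp/{port}")
```

The port gate keeps the rule specific to AMT: on an ordinary web server an empty Digest response is just a failed login, whereas on 16992 it is the signature of the bypass. Over HTTPS (16993) the header is not visible to a passive sensor, so the same check belongs on the host or behind a TLS-terminating proxy.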

Microsoft Update

This week’s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before May 9, 2017. Microsoft released patches for 55 new CVEs in Internet Explorer, Edge, Office, Windows, and .NET Framework. A total of 14 of these CVEs are rated Critical while the rest are rated Important in severity. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. You can get more detailed information on this month’s security updates from Dustin Childs’ May 2017 Security Update Review:

CVE #             Digital Vaccine Filter #    Status
CVE-2017-0064     -                           Insufficient Vendor Information
CVE-2017-0077     28112
CVE-2017-0171     -                           Insufficient Vendor Information
CVE-2017-0175     28183
CVE-2017-0190     -                           Insufficient Vendor Information
CVE-2017-0212     -                           Insufficient Vendor Information
CVE-2017-0213     28184
CVE-2017-0214     28189
CVE-2017-0220     28198
CVE-2017-0221     28114
CVE-2017-0222     -                           Insufficient Vendor Information
CVE-2017-0224     -                           Insufficient Vendor Information
CVE-2017-0226     -                           Insufficient Vendor Information
CVE-2017-0227     28130
CVE-2017-0228     *27538
CVE-2017-0229     -                           Insufficient Vendor Information
CVE-2017-0230     -                           Insufficient Vendor Information
CVE-2017-0231     -                           Insufficient Vendor Information
CVE-2017-0233     -                           Insufficient Vendor Information
CVE-2017-0234     *27532
CVE-2017-0235     -                           Insufficient Vendor Information
CVE-2017-0236     *27536
CVE-2017-0238     *27540
CVE-2017-0240     *27541, *27542
CVE-2017-0241     -                           Insufficient Vendor Information
CVE-2017-0242     -                           Insufficient Vendor Information
CVE-2017-0243     28192
CVE-2017-0244     -                           Insufficient Vendor Information
CVE-2017-0245     28185
CVE-2017-0246     28111
CVE-2017-0248     -                           Insufficient Vendor Information
CVE-2017-0254     -                           Insufficient Vendor Information
CVE-2017-0255     -                           Insufficient Vendor Information
CVE-2017-0258     28199
CVE-2017-0259     28200
CVE-2017-0261     -                           Insufficient Vendor Information
CVE-2017-0262     -                           Insufficient Vendor Information
CVE-2017-0263     28186
CVE-2017-0264     -                           Insufficient Vendor Information
CVE-2017-0265     -                           Insufficient Vendor Information
CVE-2017-0266     28193
CVE-2017-0267     -                           Insufficient Vendor Information
CVE-2017-0268     -                           Insufficient Vendor Information
CVE-2017-0269     -                           Insufficient Vendor Information
CVE-2017-0270     -                           Insufficient Vendor Information
CVE-2017-0271     -                           Insufficient Vendor Information
CVE-2017-0272     -                           Insufficient Vendor Information
CVE-2017-0273     -                           Insufficient Vendor Information
CVE-2017-0274     -                           Insufficient Vendor Information
CVE-2017-0275     -                           Insufficient Vendor Information
CVE-2017-0276     -                           Insufficient Vendor Information
CVE-2017-0277     -                           Insufficient Vendor Information
CVE-2017-0278     -                           Insufficient Vendor Information
CVE-2017-0279     -                           Insufficient Vendor Information
CVE-2017-0280     -                           Insufficient Vendor Information
CVE-2017-0281     -                           Insufficient Vendor Information


Zero-Day Filters

There are 14 new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (5)

  • 28094: ZDI-CAN-4564: Zero Day Initiative Vulnerability (Adobe Flash)
  • 28099: ZDI-CAN-4565: Zero Day Initiative Vulnerability (Adobe Flash)
  • 28100: ZDI-CAN-4566: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28101: ZDI-CAN-4567: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28202: ZDI-CAN-4715, 4716: Zero Day Initiative Vulnerability (Adobe Reader DC) 

EMC (6)

  • 28102: ZDI-CAN-4694: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28103: ZDI-CAN-4695: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28104: ZDI-CAN-4696: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28105: ZDI-CAN-4698: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28106: ZDI-CAN-4699: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28107: ZDI-CAN-4710: Zero Day Initiative Vulnerability (EMC AppSync) 

NetGain (3)

  • 28108: ZDI-CAN-4749: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)
  • 28109: ZDI-CAN-4750: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)
  • 28110: ZDI-CAN-4751: Zero Day Initiative Vulnerability (NetGain Enterprise Manager) 

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated either because a vendor issued a patch for a vulnerability found via the Zero Day Initiative, or because the Zero Day Initiative published the vulnerability in accordance with its Disclosure Policy.

Three of the filters we have for this month’s Microsoft bulletins are a direct result of the Zero Day Initiative’s Pwn2Own contest held in March. These filters have been updated to reflect the fact that the vulnerabilities have been patched:

  • 27532: HTTP: Microsoft Edge Chakra JIT Array Memory Corruption Vulnerability (Pwn2Own)
  • 27538: HTTP: Microsoft Edge Chakra Array Splice Use-After-Free Vulnerability (Pwn2Own)
  • 27540: HTTP: Microsoft Edge Chakra Array Unshift Buffer Overflow Vulnerability (Pwn2Own) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

http://feeds.trendmicro.com/TrendMicroSimplySecurity