{"id":6971,"date":"2017-03-14T12:00:25","date_gmt":"2017-03-14T20:00:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/14\/news-762\/"},"modified":"2017-03-14T12:00:25","modified_gmt":"2017-03-14T20:00:25","slug":"news-762","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/14\/news-762\/","title":{"rendered":"The March 2017 Security Update Review"},"content":{"rendered":"<p><strong>Credit to Author: Dustin Childs (Zero Day Initiative Communications) | Date: Tue, 14 Mar 2017 19:30:56 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/patches-300x205-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/patches-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/patches-300x205-125x85.jpg 125w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Just a day before Pwn2Own kicks off its 10th anniversary, join us in looking at the security updates released by Google, Adobe, VMware, Mozilla, and Microsoft for the month of March 2017. It\u2019s shaping up to be the largest Patch Tuesday in history, which is fitting to coincide with the largest Pwn2Own ever.<\/p>\n<p><em>tl;dr \u2013 Everyone has patched ahead of the largest Pwn2Own ever. Start your updating early.<\/em><\/p>\n<p><strong>Google Chrome Update for March 2017<\/strong><\/p>\n<p>The Chrome team released version <a href=\"https:\/\/chromereleases.googleblog.com\/\">57.0.2987.98<\/a> on Thursday, March 9, to correct nine high-severity bugs in the browser plus some medium-severity bugs and other <a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+log\/56.0.2924.87..57.0.2987.98?pretty=fuller&amp;n=10000\">fixes<\/a>. 
The most severe of these issues \u2013 at least judging by the bounty paid \u2013 is a memory corruption bug in the V8 JavaScript engine. Google had also said it would stop trusting SHA-1 certificates as of version 56, but no announcement about the outdated algorithm accompanies this release. Surprisingly, they released version <a href=\"https:\/\/chromereleases.googleblog.com\/\">58.0.3029.12<\/a> the following day with additional security <a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+log\/58.0.3029.6..58.0.3029.12?pretty=fuller&amp;n=10000\">fixes<\/a>. The folks in Mountain View did say more information regarding Chrome will be published via the\u00a0<a href=\"http:\/\/chrome.blogspot.com\/\">Chrome<\/a>\u00a0and <a href=\"http:\/\/blog.chromium.org\/\">Chromium<\/a> blogs. Hopefully we\u2019ll get more details then.<\/p>\n<p><strong>VMware Security Advisories for March 2017<\/strong><\/p>\n<p>Ahead of its inclusion in Pwn2Own 2017, the folks from VMware released multiple updates for <a href=\"https:\/\/www.vmware.com\/security\/advisories.html\">March<\/a>. The <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2017-0004.html\">most recent<\/a> update corrects a remote code execution vulnerability in the Apache Struts 2 framework bundled with Horizon Desktop as-a-Service Platform (DaaS), VMware vCenter Server (vCenter), vRealize Operations Manager (vROps), and vRealize Hyperic Server (Hyperic). A <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2017-0005.html\">separate<\/a> update for VMware Workstation and Fusion fixes an out-of-bounds memory access vulnerability. Both are rated Critical and were released within days of each other. 
A different Important-rated <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2017-0003.html\">update<\/a> for VMware Workstation corrects multiple security issues, including a DLL-loading issue and a null pointer dereference.<\/p>\n<p>VMware does not patch on a regular schedule like some vendors, so it\u2019s interesting to see a flurry of patches come from them. While the inclusion of VMware in Pwn2Own may not have driven these patches, I am certain it didn\u2019t discourage them either.<\/p>\n<p><strong>Mozilla Firefox Update for March 2017<\/strong><\/p>\n<p>The Firefox update for <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2017-05\/\">March<\/a> addresses 28 CVEs, seven of which are rated Critical. The worst of these bugs could allow remote code execution if a user browses to a malicious website. The code would execute with the privileges of the logged-on user, another reminder to operate as a non-admin user for daily activities.<\/p>\n<p><strong>Microsoft Patches for March 2017<\/strong><\/p>\n<p>Microsoft failed to deliver any updates in February, and they also failed to provide an exact reason why. Combine that fact with a light January and we\u2019re left with the largest Patch Tuesday in Microsoft\u2019s history. There are 17 updates addressing 135 CVEs (plus the bulletin for Flash, which addresses seven more CVEs). Eight of these updates are rated Critical and nine are rated Important. The updates for IE and GDI each include a CVE listed as under active attack. 
Seven of these updates include CVEs that are publicly known:<\/p>\n<p>\u2022\u00a0IE (CVE-2017-0008, -0012, -0033, -0037, -0154)<\/p>\n<p>\u2022\u00a0Edge (CVE-2017-0012, -0033, -0037, -0065, -0069)<\/p>\n<p>\u2022\u00a0Hyper-V (CVE-2017-0097)<\/p>\n<p>\u2022\u00a0SMB (CVE-2017-0143)<\/p>\n<p>\u2022\u00a0Windows (CVE-2017-0016)<\/p>\n<p>\u2022\u00a0Office (CVE-2017-0014)<\/p>\n<p>\u2022\u00a0Kernel (CVE-2017-0050)<\/p>\n<p>On an interesting side note, Microsoft had previously stated that as of today, security bulletins would no longer be available outside the \u201c<a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\">Security Update Guide<\/a>.\u201d However, the standard monthly <a href=\"https:\/\/technet.microsoft.com\/library\/security\/ms17-mar\">summary<\/a> linking to individual bulletins remains. It will be interesting to see how this evolves over time. Hopefully Microsoft continues to make it easy to digest this vital information in various forms. Until then, let\u2019s take a deep dive into the security updates for March.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-006\">MS17-006<\/a> \u2013 Internet Explorer (Critical)<\/p>\n<p>This bulletin addresses 12 vulnerabilities, five of which are publicly known and one of which is under active attack. This should be the top priority for most enterprises and consumers alike: IE is widely deployed, and active attacks against it tend to be widespread. The CVE under attack is listed only as \u201cmemory corruption\u201d, which in IE usually means a use-after-free (UAF) bug.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-007\">MS17-007<\/a> \u2013 Edge (Critical)<\/p>\n<p>This bulletin addresses 32 vulnerabilities, five of which are publicly known but none of which are reported to be under active attack. This is one of the rare times where the Edge browser has more bugs being fixed than IE. 
Over 20 of the CVEs receive an Exploitability Index (XI) rating of 1, meaning Microsoft considers exploitation more likely for these issues. Microsoft touts many of the security\u00a0<a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/microsoft-edge\/security-enhancements-microsoft-edge\">enhancements<\/a>\u00a0in Edge, but clearly issues remain.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-008\">MS17-008<\/a> \u2013 Hyper-V (Critical)<\/p>\n<p>This bulletin addresses 11 vulnerabilities, one of which is publicly known but not reported to be under active attack. The worst case for these bugs would allow code running in a guest OS to execute code on the host OS, which is exactly the guest-to-host escape category in this year\u2019s Pwn2Own. You may be offered this update even if you don\u2019t have Hyper-V enabled since, according to the bulletin, \u201cthe update is applicable to all supported products and versions that contain the vulnerable code.\u201d<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-009\">MS17-009<\/a> \u2013 Windows PDF Library (Critical)<\/p>\n<p>This bulletin addresses one Critical bug, which is also covered in the Edge bulletin. Both updates are needed for full protection, but they may be applied in any order.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-010\">MS17-010<\/a> \u2013 SMB Server (Critical)<\/p>\n<p>This bulletin addresses six vulnerabilities, one of which is publicly known but not reported to be under active attack. 
All of these issues are in the SMBv1 server implementation, which really should be <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/2696547\/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012\">disabled<\/a> on your systems; patching fixes these six bugs, but turning SMBv1 off removes the attack surface entirely. Check first for anything that still depends on it, as legacy printers, scanners and appliances are the usual holdouts.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-011\">MS17-011<\/a> \u2013 Uniscribe (Critical)<\/p>\n<p>This bulletin addresses 29 vulnerabilities, none of which are reported as publicly known. Only eight of these issues are listed as remote code execution (RCE), and all of those have lower XI ratings. If you have to prioritize your testing, you may want to push this down the list.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-012\">MS17-012<\/a> \u2013 Windows (Critical)<\/p>\n<p>This bulletin addresses one Critical and five Important bugs in a veritable potpourri of Windows components. Included in this update is a fix for CVE-2017-0016, which was publicly disclosed in <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/867968\">February<\/a>. Although Microsoft does not show this as being exploited, there are <a href=\"https:\/\/threatpost.com\/unpatched-smb-zero-day-easily-exploitable\/123963\/\">reports<\/a> to the contrary.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-013\">MS17-013<\/a> \u2013 Graphics Components (Critical)<\/p>\n<p>This bulletin addresses 12 vulnerabilities, one of which is reported to be under active attack. Flaws in <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dd145203(v=vs.85).aspx\">GDI<\/a> and <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms533798(v=vs.85).aspx\">GDI+<\/a> make for an attractive target, so it\u2019s no surprise attackers use these bugs. 
While this patch does correct the GDI bug publicly disclosed by Google, the CVE under attack is actually a different issue.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-014\">MS17-014<\/a> \u2013 Office (Important)<\/p>\n<p>This bulletin addresses 12 vulnerabilities, one of which is publicly known but not reported to be under active attack. While you may be tempted to pass on this patch, remember that Office applications are widely targeted and that malicious Office documents are a common ransomware delivery vector.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-015\">MS17-015<\/a> \u2013 Exchange Server (Important)<\/p>\n<p>This bulletin addresses one privately reported vulnerability in Exchange Server 2013. While the bug impacts Outlook Web Access (OWA), this is another case where a short delay for testing may be prudent, as Exchange patches have a bad history where quality is concerned.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-016\">MS17-016<\/a> \u2013 Windows IIS (Important)<\/p>\n<p>This bulletin addresses one privately reported vulnerability in all supported releases of Microsoft Windows. This is a simple cross-site scripting (XSS) issue, but don\u2019t ignore it if you\u2019re running IIS.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-017\">MS17-017<\/a> \u2013 Windows Kernel (Important)<\/p>\n<p>This bulletin addresses four vulnerabilities, one of which is publicly known but not reported to be under active attack. Kernel bugs are key factors in many sandbox escapes \u2013 a highlight of many Pwn2Own exploits. It will be interesting to see if any of the Pwn2Own contestants will need to scramble due to this patch.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-018\">MS17-018<\/a> \u2013 Windows Kernel-Mode Drivers (Important)<\/p>\n<p>This bulletin addresses eight elevation of privilege (EoP) vulnerabilities, none of which are reported as publicly known. 
Similar to kernel bugs, KMD bugs are often seen in sandbox escapes.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-019\">MS17-019<\/a> \u2013 Active Directory Federation Services (Important)<\/p>\n<p>This bulletin addresses one privately reported vulnerability in all supported releases of Windows Server. Since this is an information disclosure issue, an attacker would need to chain it with something else to really create a problem.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-020\">MS17-020<\/a> \u2013 Windows DVD Maker (Important)<\/p>\n<p>This bulletin addresses one privately reported vulnerability in Windows Vista and Windows 7. As with ADFS, this is only an information disclosure issue.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-021\">MS17-021<\/a> \u2013 DirectShow (Important)<\/p>\n<p>This bulletin addresses one privately reported vulnerability in all supported releases of Microsoft Windows. This is another information disclosure issue, and it requires user action, such as visiting a website.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-022\">MS17-022<\/a> \u2013 XML Core Services (Important)<\/p>\n<p>This bulletin addresses one privately reported vulnerability in XML Core Services 3.0 on all supported releases of Microsoft Windows. This is the final information disclosure issue for March.<\/p>\n<p>The final bulletin for the month is Microsoft\u2019s repackaging of the Adobe Flash <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-023\">update<\/a>, which is detailed below.<\/p>\n<p><strong>Adobe Patches for March 2017<\/strong><\/p>\n<p>For this month, Adobe released two updates, for Flash Player and Shockwave Player. The Flash update is rated Critical and corrects seven CVEs, the worst of which could allow remote code execution if a user views specially crafted content with an affected Flash version. None of these are listed as being under active attack. 
The Shockwave update addresses just one CVE and is rated Important. It fixes an insecure directory search path used to locate resources, which could allow an escalation of privilege.<\/p>\n<p><strong>Looking Ahead<\/strong><\/p>\n<p>The next Patch Tuesday falls on April 11, and we\u2019ll be back with details and analysis then. Follow us on <a href=\"https:\/\/twitter.com\/thezdi\">Twitter<\/a> to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/march-2017-security-update-review\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Dustin Childs (Zero Day Initiative Communications) | Date: Tue, 14 Mar 2017 19:30:56 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/patches-300x205-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/patches-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/01\/patches-300x205-125x85.jpg 125w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Just a day before Pwn2Own kicks off its 10th anniversary, join us in looking at the security updates released by Google, Adobe, VMware, Mozilla, and Microsoft for the month of March 2017. It\u2019s shaping up to be the largest Patch Tuesday in history, which is fitting to coincide with the largest Pwn2Own ever. 
tl:dr \u2013&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[714,10752,10415],"class_list":["post-6971","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-security","tag-vulnerabilities","tag-zero-day-initiative"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6971"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6971\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6971"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}