August is here and in most of the U.S., we’re now on the downside of summer. Here in north central Texas, you can’t exactly say autumn is in the air, but we are enjoying a (relatively) cool week as I write this, with mid-day temperatures in the 80s and a nice breeze coming over the lake.
Would I prefer to be out on the patio rather than at my desk, sorting through this month’s patches? I confess: the answer is yes, but duty calls and security, as always, takes precedence. The good news is that this month’s update load is (again, relatively) light, with fixes for Windows, both the Edge and IE web browsers, SharePoint and SQL Server.
Let’s take a look at some of this month’s updates and the issues they address.
On August 8, Microsoft issued Security Advisory 4038556, which provides guidance for securing applications that host the WebBrowser control. These are applications developed with the Microsoft Internet Explorer layout engine, also known as the Trident layout engine.
Microsoft also issued Security Advisory ADV170010, which maps to Adobe Security Bulletin APSB17-23. This is an update to Adobe Flash Player that affects Windows 10, 8.1 and 8.1 RT. It is rated critical and assigned priority level 1, and addresses two vulnerabilities: a type confusion issue that can be exploited to accomplish remote code execution and a security bypass vulnerability that can lead to information disclosure.
- Windows 10, Cumulative update (v 1703). KB4034674 includes security fixes for Microsoft Edge, Microsoft Windows Search Component, Microsoft Scripting Engine, Microsoft Windows PDF Library, Windows Hyper-V, Windows Server, Windows kernel-mode drivers, Windows Subsystem for Linux, Windows shell, Common Log File System Driver, Internet Explorer, and the Microsoft JET Database Engine, along with addressing several non-security issues. Note that if you use the Czech or Arabic languages, there is a known issue whereby this update may change the language to English for some applications, including the Edge browser. Microsoft plans to release an update for the update to fix this problem, but we have no ETA as of this writing.
- Windows 7 SP1 and Windows Server 2008 R2 SP1 security update. KB4034679 is a security-only update with fixes for vulnerabilities in Windows Server, Microsoft JET Database Engine, Windows kernel-mode drivers, Common Log File System Driver, Microsoft Windows Search Component, and Volume Manager Driver. KB4034664 is the monthly rollup that contains the same content as the security-only update.
- Windows 8.1 and Windows Server 2012 R2 monthly rollup. KB4034681 includes the updates that were contained in an update released July 18, KB4025335, along with fixes for a number of additional issues. These include an issue where a LUN connection that was received after the buffer allocation during iSCSI statistic collection overflowed the buffer and caused error 0x19, along with security fixes for vulnerabilities in Windows Server, Microsoft Windows Search Component, Internet Explorer, Volume Manager Driver, Common Log File System Driver, Microsoft Windows PDF Library, Microsoft JET Database Engine, Windows kernel-mode drivers, and Windows Hyper-V.
- Microsoft SQL Server Analysis Services security update. KB4019092 addresses an information disclosure vulnerability that is due to improperly enforced permissions. Non-security updates were issued for Windows 10, Windows Server 2008 R2 and 2012 R2, and several versions of the .NET Framework.
- Microsoft Office SharePoint security update. 2956099 addresses a cross-site scripting (XSS) vulnerability that exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. This applies to SharePoint Server 2010 SP2.
The vulnerabilities addressed by these patches include nine vulnerabilities (two critical) in Windows 7, 11 vulnerabilities (four critical) in Windows 8.1, and fourteen vulnerabilities (five critical) in Windows 10. On the server side, Microsoft fixed 10 vulnerabilities (three critical) in Server 2008 R2, 11 (four critical) in Server 2012 and 2012 R2, and 12 (four critical) in Server 2016.
These patches also fix eight vulnerabilities (seven critical) in Internet Explorer 11 and a whopping 28 vulnerabilities (twenty-one of which are rated critical) in the Microsoft Edge web browser.
Some of the critical vulnerabilities that are patched by this Tuesday’s updates include:
- CVE-2017-8591. This is a remote code execution vulnerability in the Windows Input Method Editor when IME improperly handles parameters in a method of a DCOM class. The DCOM server is a Windows component installed regardless of which languages/IMEs are enabled. An attacker can instantiate the DCOM class and exploit the system even if IME is not enabled. The affected operating systems include Windows 10, 8.1, 8.1 RT, Server 2012 and 2012 R2, and Server 2016 (including the server core installations).
- CVE-2017-0250. This is a buffer overflow issue in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. Exploitation of this vulnerability requires that a user open or preview a specially crafted database file while using an affected version of Microsoft Windows. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted database file to the user and then convincing the user to open the file. The affected operating systems include all currently supported versions of Windows client and server (including the server core installation).
- CVE-2017-8669. This is a Microsoft browser memory corruption issue that can be exploited for remote code execution, allowing an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. The affected software includes Microsoft Edge and Internet Explorer 11.
- CVE-2017-0293. This is a vulnerability in the Windows PDF Library due to improper handling of objects in memory that can be exploited to accomplish remote code execution and enable an attacker to execute arbitrary code in the context of the current user. The affected operating systems include Windows 10, 8.1 and 8.1 RT clients and Windows Server 2008 R2, 2012/2012 R2, and 2016 (including server core installations). Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. Web browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have to convince users to open a specially crafted PDF document.
These are only some examples of the critical vulnerabilities that are fixed by the August updates. In total, Microsoft patched 48 vulnerabilities across products and technologies. In addition to the software and components discussed above, these include vulnerabilities in the Common Log File System Driver, Windows Search component, the Volume Manager Driver, kernel-mode drivers, Windows Shell, Windows Remote Desktop Protocol, Hyper-V, and the Windows Subsystem for Linux.
Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in an easily accessed format and moved everything to the Security Update Guide portal, which provides a deluge of unwieldy information. You can view or download the full Excel spreadsheet by entering the date range (August 8, 2017 to August 8, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with the same formatted info as the gone-but-not-forgotten security bulletins).