It’s the day that some have been dreading for months: the first Microsoft Patch Tuesday without our old friends, the security bulletins that we turned to for a quick and dirty synopsis of each patch and what vulnerabilities it addressed.
That day was originally planned to come last month, but according to their announcement, problems with the patches caused Microsoft to postpone their release entirely – something that had never happened in the years that I’ve been writing the Patch Tuesday roundup articles – so we got a brief reprieve. This morning, I steeled myself for what I thought was the inevitable.
Imagine my surprise when, just for fun, I went to the Security Bulletins web site and found that the March Bulletins summary and bulletins were there, just like always. Instead of weeping and wailing and gnashing of teeth, there’s rejoicing in the streets – at least here in my home office.
I know it’s only a temporary reprieve. The March Bulletin summary contains the following statement:
As a reminder, the Security Updates Guide will be replacing security bulletins. Please see our blog post, Furthering our commitment to security updates, for more details.
That blog post is from November and says the Bulletins will go away after January, so I have no clue on what the real timeframe is now. But I won’t look a gift security bulletin in the mouth. Next month, we might (or might not) be changing the format of this post to match the new way of getting the information, but for now, it’s business as usual.
You can find the Security Bulletin Summary for March here: https://technet.microsoft.com/library/security/ms17-mar
As you might expect, given that Microsoft skipped releasing updates in February, this month is a killer. We have a whopping 18 patches to address, although of course not everyone will be dealing with all of them. Nine of them are rated critical.
While most of the updates are for Windows, there is also a patch for Exchange Server and a couple for Office. We also have the usual Internet Explorer and Edge browser cumulative updates. In addition, some of the updates are for Windows roles or features that not everyone will have enabled.
It’s a big plate of updates, so let’s dig in:
Critical updates
MS17-006 (KB 4013073) This is the monthly cumulative update for Internet Explorer versions 9, 10 and 11, running on all currently supported versions of Windows. It is rated critical for client operating systems and moderate for servers.
The update addresses 12 vulnerabilities. Vulnerability types include remote code execution, browser spoofing, elevation of privilege, information disclosure and security feature bypass, with memory corruption issues that can lead to RCE being the most serious. There are no mitigations or workarounds published.
The update fixes the problems by changing the way the browsers, JScript and VBScript handle objects in memory, parse HTTP responses, and restricting what information is returned to affected browsers.
MS17-007 (KB 4013071) This is the monthly cumulative update for the Edge browser, running on Windows 10 and Server 2016. It’s rated critical for the client and moderate for the server.
The update addresses an impressive 32 vulnerabilities, which include a plethora of memory corruption issues that can be exploited for remote code execution, along with browser spoofing, elevation of privilege, information disclosure and security feature bypass. There is an interesting PDF memory corruption vulnerability by which Windows 10 systems with Edge set as default browser could be compromised simply by viewing a web site.
The update fixes the problems by changing the way the browsers, JScript and VBScript handle objects in memory, parse HTTP responses, and restricting what information is returned to affected browsers.
MS17-008 (KB 4013082) This is an update for Hyper-V in Windows, running on all supported versions of Windows client and server operating systems. Some of these vulnerabilities affect the server core installation. It is rated critical for all.
The update addresses 11 vulnerabilities, which include remote code execution, denial of service, and information disclosure. In all cases, systems that do not have the Hyper-V role enabled are not affected.
The update fixes the problems by preventing out-of-bound memory access, correcting how Windows Hyper-V validates vSMB packet data, and correcting how Hyper-V validates guest operating system user input.
MS17-009 (KB 4010319) This is an update for the Windows PDF Library in Windows 8.1 and RT 8.1, Windows 10, and Windows Server 2012, 2012 R2, and 2016. It is rated critical for all.
The update addresses a single vulnerability, which is a PDF memory corruption issue (also addressed and discussed in the cumulative browser update above). Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content.
The update fixes the vulnerability by modifying how affected systems handle objects in memory.
MS17-010 (KB 4013389) This is an update for the Windows SMB Server service in all supported versions of Windows, including RT and the server core installations. It is rated critical for both client and server operating systems.
The update addresses six vulnerabilities, which include five SMB remote code execution vulnerabilities and one SMB information disclosure issue. There is an identified workaround that involves disabling SMBv1 and is described in the security bulletin at https://technet.microsoft.com/library/security/MS17-010
The security update fixes the problems by correcting how SMBv1 handles specially crafted requests.
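As an added example (not part of the original post or of Microsoft's bulletin), the following PowerShell audits a single server for the MS17-010 state described above: is KB 4013389 installed, and is the SMBv1 server protocol still enabled? It assumes an elevated session on Windows 8 / Server 2012 or later, where the SmbShare cmdlets (Get-SmbServerConfiguration, Set-SmbServerConfiguration) exist; the function and variable names are my own.

```powershell
# Added example (not from the post): audit and optionally apply the MS17-010 workaround.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
$patchKb = 'KB4013389'   # the SMB Server update listed in the roundup above

function Test-Ms17010Patch {
    # Get-HotFix lists installed updates by KB ID. A later cumulative rollup that
    # supersedes this KB will not appear under this ID, so "missing" means "verify
    # further", not "definitely unpatched".
    $hf = Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Test-Smb1ServerEnabled {
    # EnableSMB1Protocol reflects whether the server accepts SMBv1 sessions.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1Server {
    # The workaround named in MS17-010: stop serving SMBv1. Clients that speak only
    # SMBv1 (very old operating systems, some printers and NAS devices) will lose
    # access to shares on this host, so inventory those first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Windows 7 / Server 2008 R2 lack Set-SmbServerConfiguration; Microsoft documents
    # the registry equivalent there: DWORD SMB1 = 0 under
    # HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, then reboot.
}

if (Test-Ms17010Patch) {
    Write-Output "$patchKb is installed."
} else {
    Write-Warning "$patchKb not found; confirm via Windows Update or a superseding rollup."
}

if (Test-Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is enabled; disabling it as the interim workaround.'
    Disable-Smb1Server
    if (-not (Test-Smb1ServerEnabled)) { Write-Output 'SMBv1 server is now disabled.' }
} else {
    Write-Output 'SMBv1 server is already disabled.'
}
```

Disabling SMBv1 is a workaround, not a substitute for the update: the patch corrects the SMBv1 request handling itself, so apply it even on hosts where the protocol has been turned off.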
MS17-011 (KB 4013076) This is an update for Uniscribe in all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, and Windows Server 2016. It is rated critical for all.
(Uniscribe is the Microsoft Windows set of services for rendering Unicode-encoded text).
The update addresses 29 vulnerabilities of both the remote code execution and information disclosure type. They could be exploited via web-based or file-sharing attacks. There are no identified mitigations or workarounds.
The update fixes the problems by correcting how Windows Uniscribe handles objects in memory.
MS17-012 (KB 4013078) This is an update for Microsoft Windows. It is rated critical for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607 and Windows Server 2016, and important for Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, and Windows 10 Version 1511.
The update addresses six vulnerabilities that include a security feature bypass in Device Guard, denial of service issues in SMB 2.0 and 3.0 clients, and a remote code execution issue related to Windows DLL loading, along with a DNS query information disclosure issue, an elevation of privilege issue caused by the way Helppane.exe authenticates clients, and an iSNS Server memory corruption vulnerability.
The security update addresses the vulnerabilities by correcting how Device Guard validates certain elements of signed PowerShell scripts, correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests, correcting how Windows validates input before loading DLL files, modifying how Windows dnsclient handles requests, correcting how Helppane.exe authenticates the client, and modifying how the iSNS Server service parses requests.
MS17-013 (KB 4013075) This is an update for the Microsoft graphics component in Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight. It is rated critical for all.
The update addresses twelve vulnerabilities, which include multiple Windows GDI elevation of privilege issues, information disclosure vulnerabilities related to GDI, GDI+ and Microsoft Color Management, and multiple remote code execution vulnerabilities.
The update fixes the problems by correcting how GDI handles objects in memory and memory addresses and by preventing instances of unintended user-mode privilege elevation.
MS17-023 (KB 4014329) This is an update for Adobe Flash Player installed on IE 10 and 11 and the Edge browser running on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. It is rated critical for all.
The update addresses seven vulnerabilities in the Flash Player software: a buffer overflow vulnerability that could lead to code execution, memory corruption vulnerabilities that could lead to code execution, a vulnerability in the random number generator used for constant blinding that could lead to information disclosure, and use-after-free vulnerabilities that could lead to code execution.
There are mitigations and workarounds for those who are unable to apply the update. These are described in the security bulletin at https://technet.microsoft.com/library/security/MS17-023
Important updates
MS17-014 (KB 4013241) This is an update for Microsoft Office 2007, 2010, 2013, 2013 RT and 2016, Office for Mac 2011 and 2016, Office Services and Web Apps, Microsoft Server Software, and Microsoft Communications Platforms and Software. It is rated important for all.
The update addresses seven memory corruption vulnerabilities, two information disclosure issues, a denial of service vulnerability, a SharePoint XSS vulnerability and a Lync for Mac certificate validation issue, for a total of twelve vulnerabilities.
The update fixes the problems by correcting how Office handles objects in memory, changing the way certain functions handle objects in memory, properly initializing the affected variable, helping to ensure that SharePoint Server properly sanitizes web requests, and correcting how the Lync for Mac 2011 client validates certificates.
MS17-015 (KB 4013242) This is an update for the Outlook Web Access component in Microsoft Exchange Server 2013 and 2016. It is rated important for both.
The update addresses a single elevation of privilege vulnerability caused by the way OWA handles web requests. There are no identified mitigations or workarounds.
The update fixes the problem by correcting how Exchange validates web requests.
MS17-016 (KB 4013074) This is an update for the Internet Information Services (IIS) web server component in all supported versions of Windows client and server operating systems. It is rated important for all.
The update addresses a single cross site scripting (XSS) issue caused when Microsoft IIS Server fails to properly sanitize a specially crafted request. There are no identified mitigations or workarounds.
The update fixes the problem by correcting how Microsoft IIS Server sanitizes web requests.
MS17-017 (KB 4013081) This is an update for the Windows kernel in all supported versions of Windows client and server operating systems. It is rated important for all.
The update addresses four separate EoP vulnerabilities, the exploitation of which could enable an attacker to run processes in an elevated context. There are no identified mitigations or workarounds.
The update fixes the problem by correcting how the Windows Kernel API validates input, correcting how the Transaction Manager handles objects in memory, correcting the way that Windows validates the buffer lengths, and helping to ensure that the Windows Kernel API properly handles objects in memory.
MS17-018 (KB 4013083) This is an update for the Windows kernel-mode drivers in all currently supported versions of the Windows client and server operating systems, including RT and the server core installations. It is rated important.
The update addresses eight specific vulnerabilities that occur when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. There are no identified mitigations or workarounds.
The update fixes the problems by correcting how the Windows kernel-mode driver handles objects in memory.
MS17-019 (KB 4010320) This is an update for Active Directory Federation Services (AD FS) in supported releases of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. It is rated important for all.
The update addresses a single information disclosure vulnerability that occurs when Windows Active Directory Federation Services (ADFS) honors XML External Entities. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system. There are no identified mitigations or workarounds.
The update fixes the problem by causing ADFS to ignore malicious entities.
MS17-020 (KB 3208223) This is an update for Windows DVD Maker in Windows Vista and Windows 7. It is rated important for both.
Windows DVD Maker is a DVD authoring utility developed by Microsoft for Windows Vista and included in Windows 7 that allows users to create DVD slideshows and videos for playback on media devices such as a DVD player. It is not part of Windows 8 and above.
The update addresses a single cross-site request forgery vulnerability that is due to Windows DVD Maker failing to properly parse a specially crafted .msdvd file. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system. There are no identified mitigations or workarounds.
The update fixes the problem by correcting how Windows DVD Maker parses files.
MS17-021 (KB 4010318) This is an update for DirectShow in all currently supported versions of Windows. It is rated important for all.
Windows DirectShow is an API and multimedia framework that provides a common interface for media across different programming languages. It replaced Video for Windows.
The update addresses an information disclosure vulnerability in DirectShow that is due to the way it handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system. There are no identified mitigations or workarounds.
The update fixes the problem by correcting how Windows DirectShow handles objects in memory.
MS17-022 (KB 4010321) This is an update for the Microsoft XML Core Services in all currently supported versions of Windows. It is rated important for all.
XML Core Services (MSXML) is a set of services that allow applications written in JScript, VBScript, and Microsoft development tools to build Windows-native XML-based applications. Some versions of Microsoft XML Core Services are included with Microsoft Windows; others are installed with non-operating system software from Microsoft or third-party providers. Some are also available as separate downloads.
The update addresses a single vulnerability that is due to improper handling of objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk. There are no identified mitigations or workarounds.
The update fixes the problem by changing the way MSXML handles objects in memory.