Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.0663
MS17-012 - Critical: Security Update for Microsoft Windows (4013078)
15 March 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Windows
Publisher: Microsoft
Operating System: Windows
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Existing Account
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-0104 CVE-2017-0100 CVE-2017-0057
CVE-2017-0039 CVE-2017-0016 CVE-2017-0007
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/MS17-012
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS17-012: Security Update for Microsoft Windows
(4013078)
Bulletin Number: MS17-012
Bulletin Title: Security Update for Microsoft Windows
Severity: Critical
KB Article: 4013078
Version: 1.0
Published Date: 14/03/2017
Executive Summary
This security update resolves vulnerabilities in Microsoft Windows. The most
severe of the vulnerabilities could allow remote code execution if an attacker
runs a specially crafted application that connects to an iSNS Server and then
issues malicious requests to the server.
This security update is rated Critical for Windows Server 2008, Windows Server
2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607
and Windows Server 2016, and Important for Windows Vista, Windows 7, Windows
8.1, Windows RT 8.1, Windows 10, and Windows 10 Version 1511. For more
information, see the Affected Software and Vulnerability Severity Ratings
section.
The security update addresses the vulnerabilities by correcting how:
- -Device Guard validates certain elements of signed PowerShell scripts.
- -The Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
- -Windows validates input before loading DLL files.
- -Modifying how Windows dnsclient handles requests.
- -Correcting how Windows enforces RunAs permissions when registering DCOM
objects.
- -Modifying how the iSNS Server service parses requests.
For more information about the vulnerabilities, see the Vulnerability
Information section.
For more information about this update, see Microsoft Knowledge Base Article
4013078.
Affected Software
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows RT 8.1
Windows 10
Windows Server 2016
Update FAQ
Does this update contain any additional security-related changes to
functionality?
Yes. In addition to the changes that are listed for the vulnerabilities
described in this bulletin, this update includes defense-in-depth updates to
help improve security-related features.
Vulnerability Information
Device Guard Security Feature Bypass Vulnerability CVE-2017-0007
A security feature bypass exists when Device Guard does not properly validate
certain elements of a signed PowerShell script. An attacker who successfully
exploited this vulnerability could modify the contents of a PowerShell script
without invalidating the signature associated with the file. Because Device
Guard relies on the signature to determine the script is non-malicious, Device
Guard could then allow a malicious script to execute.
In an attack scenario, an attacker could modify the contents of a PowerShell
script without invalidating the signature associated with the file.
The update addresses the vulnerability by correcting how Device Guard
validates certain elements of signed PowerShell scripts.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability CVE-2017-0016
A denial of service vulnerability exists in implementations of the Microsoft
Server Message Block 2.0 and 3.0 (SMBv2 & SMBv3) client. The vulnerability is
due to improper handling of certain requests sent by a malicious SMB server to
the client. An attacker who successfully exploited this vulnerability could
cause the affected system to stop responding until it is manually restarted.
To exploit the vulnerability, an attacker could use various methods such as
redirectors, injected HTML header links, etc., which could cause the SMB
client to connect to a malicious SMB server.
The security update addresses the vulnerability by correcting how the
Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Windows DLL Loading Remote Code Execution Vulnerability CVE-2017-0039
A remote code execution vulnerability exists when Microsoft Windows fails to
properly validate input before loading certain dynamic link library (DLL)
files. An attacker who successfully exploited the vulnerability could take
control of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights. Users
whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker must first gain access to the local
system and have the ability to execute a malicious application.
The security update addresses the vulnerability by correcting how Windows
validates input before loading DLL files.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
The following workarounds may be helpful in your situation:
Use Microsoft Office File Block policy to prevent Office from opening RTF
documents from unknown or untrusted sources
Warning If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.
For Office 2007
a. Run regedit.exe as Administrator and navigate to the following subkey:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
b. Set the RtfFiles DWORD value to 1.
Note To use 'FileOpenBlock' with Office 2007, all of the latest Office 2007
security updates as of May 2007 must be applied.
For Office 2010
a. Run regedit.exe as Administrator and navigate to the following subkey:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
b. Set the RtfFiles DWORD value to 2.
c. Set the OpenInProtectedView DWORD value to 0.
For Office 2013
a. Run regedit.exe as Administrator and navigate to the following subkey:
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
b. Set the RtfFiles DWORD value to 2.
c. Set the OpenInProtectedView DWORD value to 0.
Impact of Workaround. Users who have configured the File Block policy and have
not configured a special exempt directory as discussed in Microsoft Knowledge
Base Article 922849 will be unable to open documents saved in the RTF format.
How to undo the workaround
For Office 2007
a. Run regedit.exe as Administrator and navigate to the following subkey:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
b. Set the RtfFiles DWORD value to 0.
For Office 2010
a. Run regedit.exe as Administrator and navigate to the following subkey:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
b. Set the RtfFiles DWORD value to 0.
c. Leave the OpenInProtectedView DWORD value set to 0.
For Office 2013
a. Run regedit.exe as Administrator and navigate to the following subkey:
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
b. Set the RtfFiles DWORD value to 0.
c. Leave the OpenInProtectedView DWORD value set to 0.
Set the killbit for IMJPTIP
Warning If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.
For detailed steps that you can use to prevent a control from running in
Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these
steps in this article to create a Compatibility Flags value in the registry to
prevent a COM object from being instantiated in Internet Explorer.
To set the kill bit for a CLSID with a value of
{03B5835F-F03C-411B-9CE2-AA23E1171E36}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{03B5835F-F03C-411B-9CE2-AA23E1171E36}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You
can also apply it across domains by using Group Policy. For more information
about Group Policy, visit the following Microsoft Web sites:
Group Policy collection
What is Group Policy Object Editor?
Core Group Policy tools and settings
Note You must restart Internet Explorer for your changes to take effect.
Impact of Workaround Users will be unable to open documents saved in the RTF
format.
How to undo the workaround Microsoft does not recommend unkilling (undoing the
kill action on) an ActiveX control. If you do so, you may create security
vulnerabilities. The kill bit is typically set for a reason that may be
critical, and because of this, extreme care must be used when you unkill an
ActiveX control. Also, because the procedure is highly technical, do not
continue unless you are very comfortable with the procedure. It is a good idea
to read the whole procedure before you start.
Windows DNS Query Information Disclosure Vulnerability CVE-2017-0057
An information disclosure vulnerability exists when Windows dnsclient fails to
properly handle requests. An attacker who successfully exploited the
vulnerability could obtain information to further compromise the users system.
There are multiple ways an attacker could exploit the vulnerability:
If the target is a workstation, the attacker could convince a user to visit an
untrusted webpage. If the target is a server, the attacker would have to trick
the server into sending a DNS query to a malicious DNS server.
The security update addresses the vulnerability by modifying how Windows
dnsclient handles requests.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Windows COM Elevation of Privilege Vulnerability - CVE-2017-0100
An elevation of privilege vulnerability exists in Windows when the Windows COM
session moniker fails to properly enforce RunAs permissions when registering
DCOM objects. An attacker who successfully exploited the vulnerability could
run arbitrary code in another users session. An attacker could then install
programs; view, change, or delete data; or create new accounts with full user
rights.
To exploit the vulnerability, an attacker would first have to log on to the
system. An attacker could then run a specially crafted application that could
exploit the vulnerability once another user logged in to the same system via
Terminal Services or Fast User Switching.
The update addresses the vulnerability by correcting how Windows enforces
RunAs permissions when registering DCOM objects.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
iSNS Server Memory Corruption Vulnerability - CVE-2017-0104
A remote code execution vulnerability exists in Windows when the iSNS Server
service fails to properly validate input from the client, leading to an
integer overflow. An attacker who successfully exploited the vulnerability
could run arbitrary code in the context of the SYSTEM account.
An attacker could exploit the vulnerability by creating a specially crafted
application to connect to the iSNS Server and then issue malicious requests to
it.
The update addresses the vulnerability by modifying how the iSNS Server
service parses requests.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Security Update Deployment
For Security Update Deployment information, see the Microsoft Knowledge Base
article referenced here in the Executive Summary.
Acknowledgments
Microsoft recognizes the efforts of those in the security community who help
us protect customers through coordinated vulnerability disclosure. See
Acknowledgments for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation
may not apply.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWMiG4Yx+lLeg9Ub1AQjreA/7B+sAecLYr1utgTY2hDQDQTxa/SvmRiR7
PsaCSHH4TfAXjW0v0rdV7c8/cKGs19kvJUNRuv2FbIszcbIsPJKVMcOL9SscBOWC
XWBIXPat4XPmk3vebTp9WuIZkVpIXjaKwZ80Kx/9j7tXDMedLeRHJ6GDq0wdq0xz
Aev3JhsywMoFXtmwFT3PVnotoNYL2P759eqxoB03iFXDDHDJ7YN8XfASKSPMP29G
vp6jpZYEpQKPyooTCegFt9anWHeKPqXh0qImU/gWG8y7LZ7DT6RQvbCF1GwfQAFu
1bVs9Rz1VernaYqlpn1Wi+WA2xD/p2ljx8k7OblvoTVejxkndnHP2Pk4HNEIMIJZ
//tyGO/cwa9CeylrbTyvjk7+PE470dHCc+0+w2gnbneybKdTvj2k/C4tgHaR4G1A
rhTZCR/oVrHiESV7rNmhK4kSIiE7iZmGXEJsKakjORxcdD+gMGtSO5N0NGcYestQ
AujZguk7L+HWmoM/Cj7tpO96oKte589CLouskh44tDhzlErci6Ozk5v9OBnr/yhO
G87xrazZ6EKnK2FWXRDysYeYMX2vgjB1HpM4A0V8hBcOQ5AILFxNXe4gs0ClhkSb
G61Uno2n86YbACy3bdXlHEBinSk6q0SDH01oEnALLgwe6rw6oSBYIGfeVbFeaTph
a7W6W5OexoM=
=hHz1
-----END PGP SIGNATURE-----