Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.0663 MS17-012 - Critical: Security Update for Microsoft Windows (4013078) 15 March 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Windows Publisher: Microsoft Operating System: Windows Impact/Access: Administrator Compromise -- Remote/Unauthenticated Increased Privileges -- Existing Account Denial of Service -- Remote with User Interaction Provide Misleading Information -- Existing Account Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2017-0104 CVE-2017-0100 CVE-2017-0057 CVE-2017-0039 CVE-2017-0016 CVE-2017-0007 Original Bulletin: https://technet.microsoft.com/en-us/library/security/MS17-012 - --------------------------BEGIN INCLUDED TEXT-------------------- Microsoft Security Bulletin MS17-012: Security Update for Microsoft Windows (4013078) Bulletin Number: MS17-012 Bulletin Title: Security Update for Microsoft Windows Severity: Critical KB Article: 4013078 Version: 1.0 Published Date: 14/03/2017 Executive Summary This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server. This security update is rated Critical for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607 and Windows Server 2016, and Important for Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, and Windows 10 Version 1511. For more information, see the Affected Software and Vulnerability Severity Ratings section. The security update addresses the vulnerabilities by correcting how: - -Device Guard validates certain elements of signed PowerShell scripts. - -The Microsoft SMBv2/SMBv3 Client handles specially crafted requests. - -Windows validates input before loading DLL files. - -Modifying how Windows dnsclient handles requests. - -Correcting how Windows enforces RunAs permissions when registering DCOM objects. - -Modifying how the iSNS Server service parses requests. For more information about the vulnerabilities, see the Vulnerability Information section. For more information about this update, see Microsoft Knowledge Base Article 4013078. Affected Software Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows 8.1 Windows Server 2012 Windows Server 2012 R2 Windows RT 8.1 Windows 10 Windows Server 2016 Update FAQ Does this update contain any additional security-related changes to functionality? Yes. In addition to the changes that are listed for the vulnerabilities described in this bulletin, this update includes defense-in-depth updates to help improve security-related features. Vulnerability Information Device Guard Security Feature Bypass Vulnerability CVE-2017-0007 A security feature bypass exists when Device Guard does not properly validate certain elements of a signed PowerShell script. An attacker who successfully exploited this vulnerability could modify the contents of a PowerShell script without invalidating the signature associated with the file. Because Device Guard relies on the signature to determine the script is non-malicious, Device Guard could then allow a malicious script to execute. In an attack scenario, an attacker could modify the contents of a PowerShell script without invalidating the signature associated with the file. The update addresses the vulnerability by correcting how Device Guard validates certain elements of signed PowerShell scripts. Mitigating Factors Microsoft has not identified any mitigating factors for this vulnerability. Workarounds Microsoft has not identified any workarounds for this vulnerability. SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability CVE-2017-0016 A denial of service vulnerability exists in implementations of the Microsoft Server Message Block 2.0 and 3.0 (SMBv2 & SMBv3) client. The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted. To exploit the vulnerability, an attacker could use various methods such as redirectors, injected HTML header links, etc., which could cause the SMB client to connect to a malicious SMB server. The security update addresses the vulnerability by correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests. Mitigating Factors Microsoft has not identified any mitigating factors for this vulnerability. Workarounds Microsoft has not identified any workarounds for this vulnerability. Windows DLL Loading Remote Code Execution Vulnerability CVE-2017-0039 A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application. The security update addresses the vulnerability by correcting how Windows validates input before loading DLL files. Mitigating Factors Microsoft has not identified any mitigating factors for this vulnerability. Workarounds The following workarounds may be helpful in your situation: Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. For Office 2007 a. Run regedit.exe as Administrator and navigate to the following subkey: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock] b. Set the RtfFiles DWORD value to 1. Note To use 'FileOpenBlock' with Office 2007, all of the latest Office 2007 security updates as of May 2007 must be applied. For Office 2010 a. Run regedit.exe as Administrator and navigate to the following subkey: [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock] b. Set the RtfFiles DWORD value to 2. c. Set the OpenInProtectedView DWORD value to 0. For Office 2013 a. Run regedit.exe as Administrator and navigate to the following subkey: [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock] b. Set the RtfFiles DWORD value to 2. c. Set the OpenInProtectedView DWORD value to 0. Impact of Workaround. Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922849 will be unable to open documents saved in the RTF format. How to undo the workaround For Office 2007 a. Run regedit.exe as Administrator and navigate to the following subkey: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock] b. Set the RtfFiles DWORD value to 0. For Office 2010 a. Run regedit.exe as Administrator and navigate to the following subkey: [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock] b. Set the RtfFiles DWORD value to 0. c. Leave the OpenInProtectedView DWORD value set to 0. For Office 2013 a. Run regedit.exe as Administrator and navigate to the following subkey: [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock] b. Set the RtfFiles DWORD value to 0. c. Leave the OpenInProtectedView DWORD value set to 0. Set the killbit for IMJPTIP Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer. To set the kill bit for a CLSID with a value of {03B5835F-F03C-411B-9CE2-AA23E1171E36}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03B5835F-F03C-411B-9CE2-AA23E1171E36}] "Compatibility Flags"=dword:00000400 You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites: Group Policy collection What is Group Policy Object Editor? Core Group Policy tools and settings Note You must restart Internet Explorer for your changes to take effect. Impact of Workaround Users will be unable to open documents saved in the RTF format. How to undo the workaround Microsoft does not recommend unkilling (undoing the kill action on) an ActiveX control. If you do so, you may create security vulnerabilities. The kill bit is typically set for a reason that may be critical, and because of this, extreme care must be used when you unkill an ActiveX control. Also, because the procedure is highly technical, do not continue unless you are very comfortable with the procedure. It is a good idea to read the whole procedure before you start. Windows DNS Query Information Disclosure Vulnerability CVE-2017-0057 An information disclosure vulnerability exists when Windows dnsclient fails to properly handle requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability: If the target is a workstation, the attacker could convince a user to visit an untrusted webpage. If the target is a server, the attacker would have to trick the server into sending a DNS query to a malicious DNS server. The security update addresses the vulnerability by modifying how Windows dnsclient handles requests. Mitigating Factors Microsoft has not identified any mitigating factors for this vulnerability. Workarounds Microsoft has not identified any workarounds for this vulnerability. Windows COM Elevation of Privilege Vulnerability - CVE-2017-0100 An elevation of privilege vulnerability exists in Windows when the Windows COM session moniker fails to properly enforce RunAs permissions when registering DCOM objects. An attacker who successfully exploited the vulnerability could run arbitrary code in another users session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching. The update addresses the vulnerability by correcting how Windows enforces RunAs permissions when registering DCOM objects. Mitigating Factors Microsoft has not identified any mitigating factors for this vulnerability. Workarounds Microsoft has not identified any workarounds for this vulnerability. iSNS Server Memory Corruption Vulnerability - CVE-2017-0104 A remote code execution vulnerability exists in Windows when the iSNS Server service fails to properly validate input from the client, leading to an integer overflow. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SYSTEM account. An attacker could exploit the vulnerability by creating a specially crafted application to connect to the iSNS Server and then issue malicious requests to it. The update addresses the vulnerability by modifying how the iSNS Server service parses requests. Mitigating Factors Microsoft has not identified any mitigating factors for this vulnerability. Workarounds Microsoft has not identified any workarounds for this vulnerability. Security Update Deployment For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary. Acknowledgments Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information. Disclaimer The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWMiG4Yx+lLeg9Ub1AQjreA/7B+sAecLYr1utgTY2hDQDQTxa/SvmRiR7 PsaCSHH4TfAXjW0v0rdV7c8/cKGs19kvJUNRuv2FbIszcbIsPJKVMcOL9SscBOWC XWBIXPat4XPmk3vebTp9WuIZkVpIXjaKwZ80Kx/9j7tXDMedLeRHJ6GDq0wdq0xz Aev3JhsywMoFXtmwFT3PVnotoNYL2P759eqxoB03iFXDDHDJ7YN8XfASKSPMP29G vp6jpZYEpQKPyooTCegFt9anWHeKPqXh0qImU/gWG8y7LZ7DT6RQvbCF1GwfQAFu 1bVs9Rz1VernaYqlpn1Wi+WA2xD/p2ljx8k7OblvoTVejxkndnHP2Pk4HNEIMIJZ //tyGO/cwa9CeylrbTyvjk7+PE470dHCc+0+w2gnbneybKdTvj2k/C4tgHaR4G1A rhTZCR/oVrHiESV7rNmhK4kSIiE7iZmGXEJsKakjORxcdD+gMGtSO5N0NGcYestQ AujZguk7L+HWmoM/Cj7tpO96oKte589CLouskh44tDhzlErci6Ozk5v9OBnr/yhO G87xrazZ6EKnK2FWXRDysYeYMX2vgjB1HpM4A0V8hBcOQ5AILFxNXe4gs0ClhkSb G61Uno2n86YbACy3bdXlHEBinSk6q0SDH01oEnALLgwe6rw6oSBYIGfeVbFeaTph a7W6W5OexoM= =hHz1 -----END PGP SIGNATURE-----