The September 2017 Security Update Review
September 12, 2017 | Dustin Childs
Take a break from this soggy season, put down your latest pumpkin-spiced beverage and turn your attention instead to the latest security patches from Adobe, Google, Apache, and Microsoft.
Adobe Patches for September 2017
We begin this month’s review by looking at another small patch for Adobe Flash. Similar to last month, only two Critical-rated bugs are being addressed. Neither of these bugs is reported as being under active attack. The patch resolves two memory corruption issues that can lead to an out-of-bounds memory access, which could allow an access violation exception resulting in code execution. This makes four months in a row with a single-digit number of issues being fixed in Flash. It’s unknown if this drop-off is the result of Adobe announcing the end of Flash or if it is the result of some other factor.
In addition to the Flash update, Adobe also released updates for ColdFusion and RoboHelp for Windows. The patch for ColdFusion addresses a Critical-rated XML parsing vulnerability as well as an Important-rated cross-site scripting (XSS) bug. Also included in the patch are mitigations for unsafe Java deserialization, which are always welcome. The update for Adobe RoboHelp for Windows covers an Important-rated XSS bug and a Moderate URL-redirect bug. None of these issues are listed as being publicly known or under active attack at the time of release.
Google Android Patches for September 2017
In case you missed the announcement, the Google Pixel phone will again be included in Mobile Pwn2Own in a few months. Accordingly, it makes sense to take a look at this month’s security updates for the Android OS. A total of 81 issues were fixed by the September patches, with 13 of those being Critical-rated remote code execution bugs. None are reported to be under active attack. The worst of these issues reside in the media framework and could allow a remote attacker to execute code within the context of a privileged process using a specially crafted file.
Also included in these patches were Critical-rated fixes for Qualcomm components, various kernel components, and the Broadcom Wi-Fi driver. Any time you say “Broadcom” and “Android” in the same sentence, people immediately think of the BroadPwn bug from earlier this year. Fortunately, this month’s bug is not as severe. Instead of allowing kernel-level code execution like BroadPwn, this bug only allows privileged user-level code execution. Still, the bug is definitely severe, and Android users should update as soon as possible to resolve all of the listed vulnerabilities.
It’s also interesting to see many of these bugs were reported by previous (and hopefully future) Mobile Pwn2Own contestants. We’ve seen some teams in the past race to close bugs they know of but aren’t targeting in an attempt to hinder the competition. How many more bugs will be patched before the contest begins at PacSec in November? Time will tell.
Apache Struts Patches for September 2017
Any attempt to discuss patches for September 2017 fails without at least mentioning CVE-2017-9805. This vulnerability in Apache Struts could allow remote code execution when using the Struts REST plugin with the XStream handler to deserialize XML requests. This is notable for a couple of different reasons. The open-source program is widely deployed, with some estimates showing as much as 65 percent of Fortune 500 companies using it in some fashion. The researchers who discovered the vulnerability stated the bug was easy to exploit as well. Not surprisingly, several exploits for the bug were made public following the announcement of the patch. Finally, unsubstantiated reports place the blame for the recent Equifax breach on Apache Struts. As others have noted, no evidence exists showing this bug – or any Apache vuln – was used in the Equifax breach, so take such news with more than just a few grains of salt.
Also, please remember that with Apache Struts, it’s not just applying a patch. You must also recompile your Java web applications. While we can’t attribute any past events to this vulnerability, it most certainly will be targeted in the future. Praemonitus, praemunitus.
Microsoft Patches for September 2017
Microsoft released 81 security patches for September covering Windows, Internet Explorer (IE), Edge, Exchange, .NET Framework, Office, and Hyper-V. Of these 81 CVEs, 26 are listed as Critical, 53 are rated Important, and two are Moderate in severity. A total of ten of these CVEs came through the ZDI program. Three of these bugs are listed as publicly known prior to release, with one bug listed as being under active attack.
A few of the CVEs addressed by Microsoft this month deserve some extra attention, and we’ll start by looking at the one under active attack.
- CVE-2017-8759 - .NET Framework Remote Code Execution Vulnerability
This bug represents the only CVE listed as being under attack for this month, although Microsoft doesn’t give any indication of how widespread the attacks may be. According to the write-up, the vulnerability allows attackers to “take control of an affected system.” This implies a successful exploit will be executing with elevated privileges. However, since the severity is set to Important, it indicates user interaction is involved here – likely opening an Office document or PDF file. Another vector would involve executing a malicious application as a low-privileged user. Either way, this patch should be your top priority this month since .NET is deployed just about everywhere, and it’s already being exploited – just likely in a limited fashion.
- CVE-2017-8628 - Microsoft Bluetooth Driver Spoofing Vulnerability
You don’t often see patches to fix issues that depend on physical proximity, but Bluetooth attacks are definitely an exception. This bug could allow an attacker to perform a man-in-the-middle attack on vulnerable Bluetooth stacks. This means that your Bluetooth traffic would go through the attacker’s system before being routed to where you intend – likely without you even noticing. This bug is already making waves due to the snazzy “BlueBorne” name and logo. For the Windows OS, code execution over Bluetooth cannot directly occur with this bug. Still, the MiTM attack is severe enough to warrant extra attention.
- CVE-2017-0161 - NetBIOS Remote Code Execution Vulnerability
Ah, the venerable Network Basic Input/Output System – connecting systems on a LAN since 1983. Although not publicly known prior to release, this bug certainly deserves some extra attention. It allows an attacker to execute code on a target system just by sending some specially crafted NetBT Session Service packets. The good news is that NetBIOS isn’t a routable protocol, so the impact is limited. The bad news is that this is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN. In this scenario, one guest OS could execute code on the others if NetBIOS is enabled. Another factor in this bug is that it’s a race condition. That fact significantly lowers the reliability of any exploit that may be created.
- CVE-2017-9417 - Broadcom BCM43xx allows Remote Code Execution
The HoloLens headset received its first security update in July, and now it has its second. This patch covers the previously mentioned BroadPwn vulnerability in the HoloLens headset, which apparently also has a Broadcom WiFi chip. It’s unknown if this will be the last BroadPwn-related patch seen in the industry, but I’d wager it’s the most unexpected one.
Here’s the full list of CVEs released by Microsoft for September 2017.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
--- | --- | --- | --- | --- | --- | --- |
CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability | Important | No | Yes | 0 | 0 |
CVE-2017-9417 | Broadcom BCM43xx allows Remote Code Execution | Important | Yes | No | 2 | 2 |
CVE-2017-8746 | Device Guard Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 |
CVE-2017-8723 | Microsoft Edge Security Feature Bypass | Moderate | Yes | No | 3 | N/A |
CVE-2017-8747 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8749 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8750 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8731 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8734 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8751 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8755 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8756 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11766 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8757 | Microsoft Edge Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8696 | Microsoft Graphics Component Remote Code Execution | Critical | No | No | 2 | 2 |
CVE-2017-8737 | Microsoft PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8728 | Microsoft PDF Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A |
CVE-2017-0161 | NetBIOS Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8649 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8660 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8729 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8738 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8740 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8741 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8752 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8753 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11764 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-8748 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8682 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 1 |
CVE-2017-8686 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8695 | Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8704 | Hyper-V Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8706 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8707 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8711 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8712 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8713 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8733 | Internet Explorer Spoofing Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8736 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8597 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-8643 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8648 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-8754 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-8724 | Microsoft Edge Spoofing Vulnerability | Important | No | No | 3 | N/A |
CVE-2017-8758 | Microsoft Exchange Cross-Site Scripting Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-11761 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8630 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8631 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8632 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8744 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8725 | Microsoft Office Publisher Remote Code Execution | Important | No | No | 2 | 2 |
CVE-2017-8567 | Microsoft Office Remote Code Execution | Important | No | No | N/A | 3 |
CVE-2017-8745 | Microsoft SharePoint Cross Site Scripting Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8629 | Microsoft SharePoint XSS Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-8684 | Microsoft Win32k GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8685 | Microsoft Win32k GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8688 | Microsoft Windows GDI+ Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8679 | Microsoft Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8742 | PowerPoint Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8743 | PowerPoint Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8714 | Remote Desktop Virtual Host Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8739 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-8692 | Uniscribe Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8675 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-8720 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8683 | Win32k Graphics Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8677 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8678 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8680 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8681 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8687 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8702 | Windows Elevation of Privilege Vulnerability | Important | No | No | N/A | 3 |
CVE-2017-8676 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8710 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8708 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8709 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8719 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8716 | Windows Security Feature Bypass Vulnerability | Important | No | No | 3 | N/A |
CVE-2017-8699 | Windows Shell Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8735 | Microsoft Edge Spoofing Vulnerability | Moderate | No | No | 3 | N/A |
Beyond what we’ve already discussed, the updates for Edge, IE, and Exchange should top the deployment lists. Take care with the Exchange update, as even Microsoft recommends testing Exchange updates in a non-production environment prior to deployment. Similar to the previous month, there are many Edge and IE cases quite simply titled “Scripting Engine Memory Corruption Vulnerability,” which show the not-always-positive impact JavaScript has on security. There are also a number of kernel and kernel-mode driver (KMD) patches fixing information disclosure bugs. On the surface, these aren’t too interesting. However, kernel info leaks are a key component of sandbox escapes, so shutting down as many as possible has an asymmetric impact on the security of a system.
Rounding out the Microsoft patches for September are updates for Office, GDI+, SharePoint, and Hyper-V. These Hyper-V bugs are fascinating as they could allow someone on a guest OS to disclose sensitive information from the underlying host OS. Again, these bugs wouldn’t directly lead to code execution, but they would likely be used in the early part of a virtual machine escape. Microsoft also released its version of the Adobe patch for Flash in Internet Explorer to address the two Flash bugs previously mentioned. Finally, Microsoft also released an advisory for defense-in-depth changes to Office, but no other details on what changes were made are available.
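The table above and the deployment advice around it describe a triage order: anything already exploited first, then anything publicly known, then the Critical bugs Microsoft rates most likely to be exploited, with kernel information leaks pulled ahead of the remaining Important bugs because of their role in sandbox escapes. The following is an added example (it is not ZDI's or Microsoft's tooling) that parses the pipe-delimited table as it appears in this review and sorts it by that order. It reads the XI columns as Microsoft's Exploitability Index (0 or 1 meaning exploitation is more likely, N/A meaning the product does not apply to that branch); the tier ordering itself is this example's reading of the post, and the embedded sample rows are an excerpt of the table above.

```python
"""Patch Tuesday triage helper (added example, not ZDI's own code).

Parses rows of the form
  CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
and orders them by the priority argued for in the review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the September 2017 table from the review, header included.
SAMPLE_TABLE = """
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
CVE-2017-8758 | Microsoft Exchange Cross-Site Scripting Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-0161 | NetBIOS Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2017-8679 | Microsoft Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-8723 | Microsoft Edge Security Feature Bypass | Moderate | Yes | No | 3 | N/A |
CVE-2017-8747 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-8567 | Microsoft Office Remote Code Execution | Important | No | No | N/A | 3 |
CVE-2017-9417 | Broadcom BCM43xx allows Remote Code Execution | Important | Yes | No | 2 | 2 |
CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability | Important | No | Yes | 0 | 0 |
"""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Titles the review singles out as sandbox-escape building blocks.
KERNEL_LEAK = re.compile(r"(Kernel|Win32k|GDI).*Information Disclosure", re.IGNORECASE)


@dataclass(frozen=True)
class Cve:
    cve_id: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]  # None when the column reads N/A
    xi_older: Optional[int]


def _parse_xi(field: str) -> Optional[int]:
    field = field.strip()
    return None if field.upper() == "N/A" else int(field)


def parse_table(text: str) -> List[Cve]:
    """Parse the pipe-delimited table; header, separator and stray lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or not cells[0].startswith("CVE-"):
            continue
        rows.append(Cve(
            cve_id=cells[0],
            title=cells[1],
            severity=cells[2],
            public=cells[3].lower() == "yes",
            exploited=cells[4].lower() == "yes",
            xi_latest=_parse_xi(cells[5]),
            xi_older=_parse_xi(cells[6]),
        ))
    return rows


def best_xi(cve: Cve) -> int:
    """Worst-case (lowest) Exploitability Index across both columns; 9 if both are N/A."""
    values = [v for v in (cve.xi_latest, cve.xi_older) if v is not None]
    return min(values) if values else 9


def tier(cve: Cve) -> int:
    """0: under attack, 1: public before patch, 2: Critical, 3: kernel info leak, 4: the rest."""
    if cve.exploited:
        return 0
    if cve.public:
        return 1
    if cve.severity == "Critical":
        return 2
    if KERNEL_LEAK.search(cve.title):
        return 3
    return 4


def priority_key(cve: Cve):
    # Within a tier, higher severity and a lower (more likely) XI come first; CVE id breaks ties.
    return (tier(cve), SEVERITY_RANK.get(cve.severity, 9), best_xi(cve), cve.cve_id)


def triage(text: str) -> List[Cve]:
    return sorted(parse_table(text), key=priority_key)


if __name__ == "__main__":
    for entry in triage(SAMPLE_TABLE):
        print(f"tier {tier(entry)}  XI {best_xi(entry)}  {entry.cve_id:15} {entry.severity:10} {entry.title}")
```

Feeding the full table from this review into `triage` puts CVE-2017-8759 first, the three publicly known bugs next, and then the Critical browser, PDF, NetBIOS and DHCP bugs ordered by their Exploitability Index; the Exchange advice from the paragraph above (test before deploying) is a process step the script deliberately does not encode.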
Looking Ahead
The next patch Tuesday falls on October 10, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!