The November 2017 Security Update Review
November 14, 2017 | Dustin Childs
This month has brought a bevy of new security patches from Adobe and Microsoft. Take a break from catching up on the latest Mobile Pwn2Own results as we review the details of the main security patches for November. For those curious, none of the bugs submitted through Mobile Pwn2Own have been patched yet. Let’s instead focus on the fixes we do have.
Adobe Patches for November 2017
Adobe released a total of nine bulletins for November addressing 86 CVEs in Flash Player (APSB17-33), Photoshop (APSB17-34), Connect (APSB17-35), Acrobat and Reader (APSB17-36), DNG Converter (APSB17-37), InDesign (APSB17-38), Digital Editions (APSB17-39), Shockwave Player (APSB17-40) and Experience Manager (APSB17-41). All of the bulletins have at least one Critical-rated CVE with the exception of the update for Experience Manager. In total, there are 70 Critical-, 15 Important-, and one Moderate-rated CVE. Adobe does not list any of these vulnerabilities as being under active attack or publicly known at the time of release.
The most pressing issues for deployment are the updates for Flash Player and Acrobat. The patch for Flash corrects three out-of-bounds (OOB) read and two UAF issues. As we’ve seen in the recent months since Adobe announced Flash end-of-life, the Flash updates continue to be small. It seems the days of dozens of Flash bugs being fixed at once are gone. That’s not the case for Reader and Acrobat, which have 62 bugs contained in the update. The most common bug type being addressed is OOB Read, but there are also UAFs, OOB Write, buffer overflows, type confusion, and untrusted pointer derefs being fixed by this patch.
Adobe lists the Flash, Reader, and Shockwave updates as Priority 2, but we recommend treating the Flash and Reader updates as Priority 1. Flash is a widely deployed target, and phishing campaigns often use malicious PDF documents. All of the other updates are listed as Priority 3. For those keeping score at home (who doesn’t?), roughly 20% of these bugs (17 of the 86) came through the ZDI program.
Microsoft Patches for November 2017
Microsoft released 54 security patches for November covering Internet Explorer (IE), Microsoft Edge, Microsoft Windows, Microsoft Office, ASP.NET Core and .NET Core, and Chakra Core. Of these 53 CVEs, 20 are listed as Critical, 31 are rated Important, and 3 are rated as Moderate in severity. A total of six of these CVEs came through the ZDI program. Four of these vulnerabilities are listed as publicly known. None of the CVEs are listed as being under active attack, but one of the advisories certainly looks as though it may be even though it's not stated.
There’s definitely a malware vibe to this month’s release, as many of the updates directly relate to techniques used to spread the unwanted software. Let’s take a closer look at some of these issues beginning with that odd-looking advisory.
- ADV170020 - Microsoft Office Defense in Depth Update
Microsoft hasn’t provided a wealth of information about this update other than saying it provides a defense-in-depth issue. I say “issue” here because they didn’t assign a CVE to the bug. If one were to guess, it’s likely this advisory is related to the recent spate of malware abusing the Dynamic Data Exchange (DDE) protocol. DDE provides data exchanges between Office and other Windows applications; however, attackers leverage DDE fields to create documents that load malicious resources from an external server. Microsoft claims attackers may be abusing the feature, but it’s not a vulnerability per se. Hopefully, the update provided by this advisory restricts the abuse of this “feature” in some manner. If you’re concerned about attacks abusing DDE features, Microsoft has provided some guidance on how to disable DDE from the registry.
- CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability
Speaking of malware, this patch fixes a CVE that allows Device Guard to incorrectly validate an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target.
- CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability
Continuing the malware theme, this patch corrects a vulnerability that fails to enforce macro settings within an Excel document. Macros have long been used by malware to spread since we too often view spreadsheets and other documents as relatively harmless. You may think we’ve educated users enough to stop them from opening unknown documents they didn’t expect, but the lure of “executive_compesantion.xlsx” is hard to deny. Fortunately, this one hasn’t been exploited yet, but expect malware authors to take the exploit index rating of “Exploitation Less Likely” as a challenge.
Here’s the full list of CVEs released by Microsoft for November 2017.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
CVE-2017-11827 | Microsoft Browser Memory Corruption Vulnerability | Important | Yes | No | 1 | 1 |
CVE-2017-11883 | ASP.NET Core Denial Of Service Vulnerability | Important | Yes | No | 2 | 2 |
CVE-2017-8700 | ASP.NET Core Information Disclosure Vulnerability | Moderate | Yes | No | 2 | 2 |
CVE-2017-11848 | Internet Explorer Information Disclosure Vulnerability | Moderate | Yes | No | 2 | 2 |
CVE-2017-11856 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11855 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11845 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11837 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11839 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11841 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11861 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11862 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11870 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11836 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11838 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11840 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11843 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11846 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11859 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11866 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11858 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11869 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2017-11871 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11873 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2017-11770 | .NET CORE Denial Of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-11879 | ASP.NET Core Elevation Of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11830 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11803 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-11833 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-11844 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2017-11863 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-11872 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-11874 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-11878 | Microsoft Excel Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11877 | Microsoft Excel Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11850 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11884 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | N/A |
CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11854 | Microsoft Word Memory Corruption Vulnerability | Important | No | No | N/A | 2 |
CVE-2017-11791 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11834 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-11832 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11835 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11852 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11831 | Windows Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11880 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11847 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11851 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11842 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11849 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11853 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2017-11768 | Windows Media Player Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2017-11788 | Windows Search Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2017-11876 | Microsoft Project Server Elevation of Privilege Vulnerability | Moderate | No | No | 3 | 3 |
Beyond what we’ve already discussed, the updates for Edge, IE, and Chakra Core should lead deployment lists. Most of these are listed as Critical-rated Memory Corruption bugs, which can be confusing since “memory corruption” encompasses so many different types of bugs. Regardless of the specific type, these bugs lead to remote code execution if a vulnerable system browses to a malicious website. There are a couple of Office memory corruption bugs being fixed this month as well, which brings the total memory corruption issues being fixed to 25 for the month (47% of the release).
There are also plenty of Information Disclosure bugs in Windows and Office being addressed this month – 18 in total. While these don’t rate very high on the CVSS scale, they represent a crucial part of sandbox escapes and other exploits that require a memory leak. The ASP.NET bugs should also warrant extra attention since there’s some public knowledge and a threat of stealing credentials. Five patches fixing security feature bypasses were released, including the previously mentioned Device Guard issue.
Finally, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next patch Tuesday falls on December 12, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!