Vulnerabilities Weekly Summary Ending March 17
By Sharey Vendiola on March 15, 2017
Microsoft Releases Publicly Disclosed and Exploited Security Updates
Microsoft released its March security updates after postponing the February release because of a “last minute issue.” The March release consists of eighteen security bulletins, rated critical or important, covering Windows, Edge, Internet Explorer, Office, Skype for Business, Lync, and Silverlight. The most severe of the underlying vulnerabilities allow an attacker to execute code remotely. One of the three vulnerabilities already being exploited in the wild, CVE-2017-0149, is a critical memory corruption vulnerability in Internet Explorer 9, 10, and 11, addressed in bulletin MS17-006. The browser improperly accesses objects in memory, and a crafted web page can corrupt memory in a way that lets an attacker execute arbitrary code. In practice the user has to be persuaded to visit a malicious website or to open an email attachment, after which the attacker’s code runs with the rights of the current user. If that user is an administrator, the attacker can take full control of the affected machine: install programs, view, change or delete data, and create or delete accounts with full user rights. Note that a browser identifies itself to every site it visits (for example through the User-Agent header, which sites legitimately use for ordinary tasks such as formatting); a malicious site can read that same information, recognise a vulnerable Internet Explorer version, and serve an exploit built for exactly that version.
Two other flaws known to be exploited, CVE-2017-0005 (an elevation of privilege vulnerability in the Windows GDI component, bulletin MS17-013) and CVE-2017-0022 (an information disclosure vulnerability in Microsoft XML Core Services, bulletin MS17-022), were zero-days: they were being exploited before a fix was available. Microsoft has not released details of the zero-day exploits, although security firms may publish information in the coming weeks. To prevent or limit the impact of such attacks, run all software as a non-privileged user with minimal access rights, do not open links or attachments from untrusted sources, and layer controls so that no single one is relied upon (for example, intrusion detection systems alongside prompt patching and least privilege).
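As an added illustration of the browser-identification step described above (this is not code from the original post or from any of the cited sources), the snippet below shows how a page, or an analyst reading web-server logs, recognises the Internet Explorer version from the User-Agent string. Exploit-kit landing pages use this kind of check to serve an exploit only to browsers it applies to; defenders can run the same logic over their own logs to find clients still running IE 9, 10, or 11, the versions MS17-006 covers. The log lines, IP addresses, and function names are constructed for the example.

```javascript
// Added example: identify the Internet Explorer major version from a
// User-Agent string, then scan constructed access-log lines for clients
// running the IE versions affected by CVE-2017-0149 (IE 9, 10 and 11).

// IE 9 and 10 announce themselves with an "MSIE x.0" token. IE 11 dropped
// that token and is recognised by "Trident/7.0" (plus "rv:11.0").
const MSIE_RE = /MSIE (\d+)\.\d+/;
const TRIDENT_RE = /Trident\/(\d+)\.\d+/;

// Trident (layout engine) version -> IE major version. The Trident token is
// the more reliable signal: in compatibility view IE 8-11 lower the MSIE
// token to "MSIE 7.0" but still report their real Trident version.
const TRIDENT_TO_IE = { 4: 8, 5: 9, 6: 10, 7: 11 };

// IE versions named as affected in the post (MS17-006, CVE-2017-0149).
const AFFECTED_IE_VERSIONS = new Set([9, 10, 11]);

// Returns the IE major version as a number, or null if the UA is not IE.
function detectIeVersion(ua) {
  const trident = TRIDENT_RE.exec(ua);
  if (trident) {
    const mapped = TRIDENT_TO_IE[Number(trident[1])];
    if (mapped !== undefined) return mapped;
  }
  const msie = MSIE_RE.exec(ua);          // pre-Trident IE (7 and older)
  if (msie) return Number(msie[1]);
  return null;                            // not Internet Explorer
}

// Constructed combined-format access-log lines (not real traffic). The
// User-Agent is the last quoted field of each line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [14/Mar/2017:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
  '203.0.113.9 - - [14/Mar/2017:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
  '198.51.100.2 - - [14/Mar/2017:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
  '198.51.100.7 - - [14/Mar/2017:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"',
  '192.0.2.4 - - [14/Mar/2017:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
];

// Returns [{ ip, ieVersion }] for every request made by an affected IE
// version. Greedy ".*" followed by a quoted group captures the LAST quoted
// field, which is the User-Agent in combined log format.
function flagAffectedClients(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /^(\S+) .*"([^"]*)"\s*$/.exec(line);
    if (!m) continue;                     // skip malformed lines
    const ieVersion = detectIeVersion(m[2]);
    if (ieVersion !== null && AFFECTED_IE_VERSIONS.has(ieVersion)) {
      hits.push({ ip: m[1], ieVersion });
    }
  }
  return hits;
}

// Stand-alone usage: lists the three IE 9/10/11 clients in the sample log.
console.log(JSON.stringify(flagAffectedClients(SAMPLE_LOG)));
```

The User-Agent only tells you the browser version, not whether MS17-006 has been applied, so a hit means "client in the affected version range", and the patch status has to be confirmed from endpoint inventory. Note that the Trident token is consulted before the MSIE token so that an IE 11 client in compatibility view (which reports "MSIE 7.0") is still classified correctly.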
To view all of Microsoft’s March Security Updates and Affected Software: Microsoft Security Bulletin Summary for March 2017
Security Updates Released for Adobe Flash Player
Adobe has released Flash Player 25.0.0.127 (security bulletin APSB17-07), which addresses critical vulnerabilities in versions 24.0.0.221 and earlier for Windows, Macintosh, Linux, and Chrome OS. All of the reported vulnerabilities could allow an attacker to execute code remotely; they include buffer overflow, use-after-free, and memory corruption flaws. Adobe credited researchers from Palo Alto Networks, Nanyang Technological University, the Qihoo 360 Vulcan Team working with the Chromium Vulnerability Rewards Program, and Trend Micro’s Zero Day Initiative. Neither Adobe nor the researchers have publicly disclosed how the attack vectors for the following vulnerabilities work. Adobe stated that it is not aware of any reports of these flaws being exploited in the wild.
CVE-2017-2997 – “Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable buffer overflow / underflow vulnerability in the Primetime TVSDK that supports customizing ad information. Successful exploitation could lead to arbitrary code execution.”
CVE-2017-3001 – “Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to garbage collection in the ActionScript 2 VM. Successful exploitation could lead to arbitrary code execution.”
CVE-2017-3002 – “Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution.”
Sources:
- Adobe Security Bulletin APSB17-07. (2017, March 14). Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
- Kovacs, E. (2017, March 14). Adobe Patches Vulnerabilities in Flash, Shockwave. Retrieved from http://www.securityweek.com/adobe-patches-vulnerabilities-flash-shockwave
- Kovacs, E. (2017, March 14). Microsoft Patches Many Exploited, Disclosed Flaws. Retrieved from http://www.securityweek.com/microsoft-patches-many-exploited-disclosed-flaws
- Microsoft Internet Explorer CVE-2017-0149 Remote Memory Corruption Vulnerability. (n.d.). Retrieved from https://www.symantec.com/security_response/vulnerability.jsp?bid=96724&om_rssid=sr-advisories
- Microsoft Security Bulletin MS17-006 – Critical. (2017, March 14). Retrieved from https://technet.microsoft.com/en-us/library/security/MS17-006
- Vulnerability Summary for CVE-2017-2997. (2017, March 14). Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2997
- Vulnerability Summary for CVE-2017-2998. (2017, March 14). Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2998
- Vulnerability Summary for CVE-2017-2999. (2017, March 14). Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2999
- Vulnerability Summary for CVE-2017-3001. (2017, March 14). Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3001
- Vulnerability Summary for CVE-2017-3002. (2017, March 14). Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3002
- Vulnerability Summary for CVE-2017-3003. (2017, March 14). Retrieved from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3003