Microsoft today released patches for 19 critical vulnerabilities, one of which was publicly known prior to the update.
In all, 54 vulnerabilities were patched in Windows, Edge, Internet Explorer, Office and Exchange as part of Microsoft’s monthly Patch Tuesday release; 32 flaws were rated important and three moderate in severity.
Security issues ranged from remote code execution (RCE) and cross-site scripting to elevation of privilege vulnerabilities. Six of the critical bugs were remote code execution vulnerabilities, one of which was publicly known and tied to Microsoft’s augmented reality device, HoloLens (CVE-2017-8584).
“This patch covers an RCE that occurs when HoloLens improperly handles objects in memory due to specially crafted WiFi packets,” according to the Zero Day Initiative (ZDI). “The device can be compromised by merely receiving WiFi packets, apparently without any form of authentication at all.”
Another critical RCE vulnerability has to do with the Windows Search Remote feature that allows users to search across multiple PCs at the same time. The vulnerability can be triggered by a remote, unauthenticated attacker over the Server Message Block (SMB) protocol.
“A remote code execution vulnerability (CVE-2017-8589) exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” according to Microsoft.
The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems such as Windows 10, 7 and 8.1.
“While this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya,” said Jimmy Graham, director of product management at Qualys, in a post.
Thirteen critical scripting engine memory corruption vulnerabilities tied to Microsoft Edge were patched. One flaw (CVE-2017-8595) exists because of the way Microsoft Edge handles objects in memory and could ultimately allow an adversary to gain the same user rights as the current user, according to the bulletin.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the browser rendering engine,” according to Microsoft.
“Amongst the Edge and IE cases are several quite simply titled ‘Scripting Engine Memory Corruption Vulnerability.’ Some of these cases demonstrate a new class of risk emerging in connection with JavaScript: the danger of vulnerabilities in the execution engine itself,” ZDI wrote.
As part of Patch Tuesday, Microsoft also acknowledged researchers such as Google Project Zero, which was behind two of the Critical vulnerabilities patched and one rated Important. Both Critical bugs (CVE-2017-8594 and CVE-2017-8598) were memory corruption vulnerabilities in Microsoft Edge.
Researchers Yaron Zinar, Eyal Karni and Roman Blachman with Preempt Security were credited for discovering an Important Windows elevation of privilege vulnerability (CVE-2017-8563) that exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.
NTLM is a suite of Microsoft security protocols used for authentication and is managed through Group Policy in Active Directory.
Also Tuesday, Adobe fixed six vulnerabilities in two products, one of the company’s smallest security bulletins in recent memory, as part of its regularly scheduled round of updates.