Patch Tuesday returned today as expected after last month’s postponement with a giant release of fixes that includes patches for vulnerabilities disclosed and exploited since the last set of updates in January.
Microsoft, however, was relatively silent on the reasons why the February updates were suddenly yanked at the last-minute. The company pushed out a brief blog post last month that explained there was an issue that could impact customers that could not be resolved in time.
Today, a Microsoft representative sent a less-than-satisfying response to a request for an interview or comments on last month’s postponement: “Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. We extensively test our updates prior to release and are confident that our systems are working as expected and the issue that delayed the February updates is resolved.”
Since the January updates, Google’s Project Zero research team had publicly disclosed details and proof-of-concept exploits for two vulnerabilities, a code execution flaw in its Microsoft Edge and Internet Explorer browsers, and a memory leak issue in the Windows GDI library. Another flaw in the SMB file-sharing protocol was also publicly disclosed after it was discovered the original patch released last year for the bug was incomplete. The Department of Homeland Security released an advisory upon disclosure of the SMB bug, a memory corruption issue which could crash Windows systems.
The worry expressed by a number of experts centered on the time users were exposed and the public availability of proof-of-concept code accelerating in-the-wild attacks.
“While there may not be active campaigns to exploit these issues today, the clock does appear to be ticking,” said Tod Beardsley, senior research director at Rapid7 in a Feb. 23 interview with Threatpost.
Among today’s 18 security bulletins, eight were rated critical, including separate bulletins for Edge and IE that patched the two Google-disclosed bugs. MS17-006 patches 12 vulnerabilities in IE, including CVE-2017-0037—which is also patched in Edge—disclosed by researcher Ivan Fratric, who privately disclosed the flaw to Microsoft last Friday and expressed surprise the company was not able to patch it sooner. The flaw is a type-confusion bug in Edge for Windows 10 and in IE 11 that allows for arbitrary code execution.
Microsoft said four other bugs addressed in the IE bulletin were also publicly disclosed, a privilege escalation flaw (CVE-2017-0154), an information disclosure bug (CVE-2017-0008) and two browser spoofing vulnerabilities (CVE-2017-0012 and CVE-2017-0033).
The Edge bulletin, meanwhile, patched 32 vulnerabilities, with four of the same bugs patched in the IE bulletin. Eighteen memory corruption vulnerabilities were patched in the Edge scripting engine alone, while three browser spoofing issues were publicly disclosed (CVE-2017-0012 and CVE-2017-0033 as in IE, and CVE-2017-0069). The Edge bulletin patches remote code execution, elevation of privilege, information disclosure and security feature bypass vulnerabilities.
The disclosed Windows GDI library vulnerability (CVE-2017-0038) was patched in MS17-013; the bug discloses data through memory and was disclosed by Google engineer Mateusz Jurczyk. Microsoft originally patched this issue in June 2016, but the fix was incomplete. The GDI bulletin patches 20 CVEs overall.
In Jurczyk’s proof-of-concept exploit, multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF (Enhanced Metafile Format) records created conditions where “255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space,” the researcher said.
The SMB vulnerability, meanwhile, was patched in MS17-012, one of six vulnerabilities addressed in the bulletin. The denial-of-service vulnerability was privately disclosed Feb. 2 by researcher Laurent Gaffie, who found the flaw in SMB 2.0 and 3.0.
“The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client,” Microsoft said in the advisory. “An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.”
In addition to Gaffie’s original proof-of-concept exploit, other researchers quickly found ways to use it in attacks.
Gaffié’s proof of concept relies on tricking a victim to connect to a malicious SMB server instance, something that could prove challenging for an attacker. Experts with Dell SecureWorks said that it could be more effective for attackers to combine Gaffié’s attack with a redirect to SMB vulnerability from 2015 to crash a victim’s machine.
There are four other bulletins available today rated critical:
MS17-008: Microsoft also patched Hyper-V, the native hypervisor running on Windows that can create virtual machines, addressing 11 vulnerabilities, including four that could allow for code execution, along with a handful of information disclosure and denial-of-service bugs.
MS17-009: Microsoft patched a remote code execution vulnerability in the Windows PDF Library. The memory corruption issue allows an attacker to run arbitrary code on the underlying system; on Windows 10 with Edge as the default browser, an attacker could exploit the flaw by tricking a user into visiting a website hosting attack code.
MS17-010: Microsoft patched a half-dozen flaws in the Windows SMB Server, five of allow for remote code execution because of the way the server handles certain requests. A malicious packet sent to a SMBv1 server could trigger the vulnerability. The bulletin also addresses a separate information disclosure issue.
MS17-011: Microsoft patched 29 vulnerabilities in Uniscribe, a Windows service used to render Unicode. Most of the vulnerabilities are information disclosure issues, but the bulletin also includes patches for eight remote code execution flaws.