The November 2017 Security Update Review

November 14, 2017 | Dustin Childs

This month has brought a bevy of new security patches from Adobe and Microsoft. Take a break from catching up on the latest Mobile Pwn2Own results as we review the details of the main security patches for November. For those curious, none of the bugs submitted through Mobile Pwn2Own have been patched yet. Let’s instead focus on the fixes we do have.

Adobe Patches for November 2017

Adobe released a total of nine bulletins for November addressing 86 CVEs in Flash Player (APSB17-33), Photoshop (APSB17-34), Connect (APSB17-35), Acrobat and Reader (APSB17-36), DNG Converter (APSB17-37), InDesign (APSB17-38), Digital Editions (APSB17-39), Shockwave Player (APSB17-40) and Experience Manager (APSB17-41). All of the bulletins have at least one Critical-rated CVE with the exception of the update for Experience Manager. In total, there are 70 Critical-, 15 Important-, and one Moderate-rated CVE. Adobe does not list any of these vulnerabilities as being under active attack or publicly known at the time of release.

The most pressing issues for deployment are the updates for Flash Player and Acrobat. The patch for Flash corrects three out-of-bounds (OOB) read and two UAF issues. As we’ve seen in the recent months since Adobe announced Flash end-of-life, the Flash updates continue to be small. It seems the days of dozens of Flash bugs being fixed at once are gone. That’s not the case for Reader and Acrobat, which have 62 bugs contained in the update. The most common bug type being addressed is OOB Read, but there are also UAFs, OOB Write, buffer overflows, type confusion, and untrusted pointer derefs being fixed by this patch.

Adobe lists the Flash, Reader, and Shockwave updates as Priority 2, but we recommend treating the Flash and Reader updates as Priority 1. Flash is a widely deployed target, and phishing campaigns often use malicious PDF documents. All of the other updates are listed as Priority 3. For those keeping score at home (who doesn’t?), roughly 20% of these bugs (17 of the 86) came through the ZDI program.

Microsoft Patches for November 2017

Microsoft released 54 security patches for November covering Internet Explorer (IE), Microsoft Edge, Microsoft Windows, Microsoft Office, ASP.NET Core and .NET Core, and Chakra Core. Of these 53 CVEs, 20 are listed as Critical, 31 are rated Important, and 3 are rated as Moderate in severity. A total of six of these CVEs came through the ZDI program. Four of these vulnerabilities are listed as publicly known. None of the CVEs are listed as being under active attack, but one of the advisories certainly looks as though it may be even though it's not stated.

There’s definitely a malware vibe to this month’s release, as many of the updates directly relate to techniques used to spread the unwanted software. Let’s take a closer look at some of these issues beginning with that odd-looking advisory.

- ADV170020 - Microsoft Office Defense in Depth Update
Microsoft hasn’t provided a wealth of information about this update other than saying it provides a defense-in-depth issue. I say “issue” here because they didn’t assign a CVE to the bug. If one were to guess, it’s likely this advisory is related to the recent spate of malware abusing the Dynamic Data Exchange (DDE) protocol. DDE provides data exchanges between Office and other Windows applications; however, attackers leverage DDE fields to create documents that load malicious resources from an external server. Microsoft claims attackers may be abusing the feature, but it’s not a vulnerability per se. Hopefully, the update provided by this advisory restricts the abuse of this “feature” in some manner. If you’re concerned about attacks abusing DDE features, Microsoft has provided some guidance on how to disable DDE from the registry.

- CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability
Speaking of malware, this patch fixes a CVE that allows Device Guard to incorrectly validate an untrusted file. This means attackers could make an unsigned file appear to be signed. Since Device Guard relies on a valid signature to determine trustworthiness, malicious files could be executed by making untrusted files seem trusted. This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target.

- CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability
Continuing the malware theme, this patch corrects a vulnerability that fails to enforce macro settings within an Excel document. Macros have long been used by malware to spread since we too often view spreadsheets and other documents as relatively harmless. You may think we’ve educated users enough to stop them from opening unknown documents they didn’t expect, but the lure of “executive_compesantion.xlsx” is hard to deny. Fortunately, this one hasn’t been exploited yet, but expect malware authors to take the exploit index rating of “Exploitation Less Likely” as a challenge.

Here’s the full list of CVEs released by Microsoft for November 2017.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2017-11827 | Microsoft Browser Memory Corruption Vulnerability | Important | Yes | No | 1 | 1 |
| CVE-2017-11883 | ASP.NET Core Denial Of Service Vulnerability | Important | Yes | No | 2 | 2 |
| CVE-2017-8700 | ASP.NET Core Information Disclosure Vulnerability | Moderate | Yes | No | 2 | 2 |
| CVE-2017-11848 | Internet Explorer Information Disclosure Vulnerability | Moderate | Yes | No | 2 | 2 |
| CVE-2017-11856 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11855 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11845 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11837 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11839 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11841 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11861 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11862 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11870 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11836 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11838 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11840 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11843 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11846 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11859 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11866 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11858 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11869 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2017-11871 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11873 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2017-11770 | .NET CORE Denial Of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-11879 | ASP.NET Core Elevation Of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11830 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11803 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-11833 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-11844 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2017-11863 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-11872 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-11874 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-11878 | Microsoft Excel Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11877 | Microsoft Excel Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11850 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11884 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | N/A |
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11854 | Microsoft Word Memory Corruption Vulnerability | Important | No | No | N/A | 2 |
| CVE-2017-11791 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11834 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-11832 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11835 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11852 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11831 | Windows Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11880 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11847 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11851 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11842 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11849 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11853 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2017-11768 | Windows Media Player Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2017-11788 | Windows Search Denial of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2017-11876 | Microsoft Project Server Elevation of Privilege Vulnerability | Moderate | No | No | 3 | 3 |

Beyond what we’ve already discussed, the updates for Edge, IE, and Chakra Core should lead deployment lists. Most of these are listed as Critical-rated Memory Corruption bugs, which can be confusing since “memory corruption” encompasses so many different types of bugs. Regardless of the specific type, these bugs lead to remote code execution if a vulnerable system browses to a malicious website. There are a couple of Office memory corruption bugs being fixed this month as well, which brings the total memory corruption issues being fixed to 25 for the month (47% of the release).

There’s also plenty of Information Disclosure bugs in Windows and Office being addressed this month – 18 in total. While these don’t rate very high on the CVSS scale, they represent a crucial part of sandbox escapes and other exploits that require a memory leak. The ASP.NET bugs should also warrant extra attention since there’s some public knowledge and a threat of stealing credentials. Five patches fixing security feature bypasses were released, including the previously mentioned Device Guard issue.

Finally, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on December 12, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!