Because of its severity, Microsoft addressed a critical remote code execution vulnerability (CVE-2017-0290) in the Microsoft Malware Protection Engine (MsMpEng) in an out-of-band security update rather than waiting for May’s Patch Tuesday.
Discovered and reported to Microsoft by Google Project Zero’s Natalie Silvanovich and Tavis Ormandy, the flaw is a type confusion in the engine’s NScript component, the interpreter that evaluates any file system or network content that looks like JavaScript. Because the engine scans untrusted content automatically (an e-mail attachment, a downloaded file or a visited web page is enough, with no user interaction) and runs unsandboxed as NT AUTHORITY\SYSTEM, a crafted file gives an attacker full control of the target system. A number of Microsoft security products use MsMpEng, including Windows Defender, Microsoft Endpoint Protection, and Microsoft Security Essentials, so the population of potentially vulnerable systems is large. Note that the fix is delivered as engine version 1.1.10701.0 through the normal definition update channel rather than as a Windows Update KB, so verifying it means checking the engine version on each host, not the installed hotfix list.
The following MainlineDV filter protects TippingPoint customers from attacks exploiting this vulnerability:
- 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability
Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that target this specific vulnerability via the following DPI rule:
- 1008370-Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290)
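Since the engine fix ships through definition updates rather than a KB, the practical check is the engine version on each host. The following PowerShell is an added example written for this article, not code from the original post, Microsoft or Trend Micro. It assumes that the first fixed engine build is 1.1.10701.0 (per Microsoft Security Advisory 4022344), that `Get-MpComputerStatus` is available where Windows Defender is the product (Windows 8.1/10, Server 2012 R2 and later), and that older products such as Security Essentials and Endpoint Protection record the engine version under the registry keys listed in the script; the function names are hypothetical.

```powershell
# Added example (not from the original post or Microsoft/Trend Micro): check
# whether this host's Malware Protection Engine is at or above the first build
# that fixes CVE-2017-0290.
# Assumptions: fixed build is 1.1.10701.0 (Microsoft Security Advisory 4022344);
# Get-MpComputerStatus exists on Defender hosts; MSE/SCEP hosts store the engine
# version under the registry keys below.

$FixedEngineVersion = [version]'1.1.10701.0'

# Registry locations assumed for products without the Defender PowerShell module
$EngineVersionRegKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
)

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet; fall back to the registry for MSE/SCEP hosts.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return [version]$status.AMEngineVersion
    }
    foreach ($key in $EngineVersionRegKeys) {
        $value = Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue
        if ($value -and $value.EngineVersion) {
            return [version]$value.EngineVersion
        }
    }
    throw 'No Malware Protection Engine version found on this host.'
}

function Test-CVE20170290Fixed {
    param([version]$Fixed = $FixedEngineVersion)
    $engine = Get-MpEngineVersion
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        EngineVersion = $engine
        FixedBuild    = $Fixed
        # [version] compares component by component, so 1.1.10800.0 counts as
        # fixed while 1.1.9999.0 does not; a plain string comparison would get
        # both of those wrong because '9' sorts after '1'.
        Patched       = ($engine -ge $Fixed)
    }
}

$result = Test-CVE20170290Fixed
$result | Format-List

if (-not $result.Patched -and (Get-Command Update-MpSignature -ErrorAction SilentlyContinue)) {
    # The fix arrives with the engine/definition update, not a Windows Update KB,
    # so pulling the latest definitions is the remediation; no reboot is needed.
    Update-MpSignature
    Write-Warning 'Engine update requested; re-run Test-CVE20170290Fixed to confirm.'
}
```

Run it as an administrator on each host (or wrap `Test-CVE20170290Fixed` in `Invoke-Command` across a fleet) and treat any `Patched = False` result as unremediated even if the monthly cumulative update is installed.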
In addition to CVE-2017-0290, May’s Patch Tuesday also addresses two remote code execution vulnerabilities (CVE-2017-0261 and CVE-2017-0262) in the way Microsoft Office handles Encapsulated PostScript (EPS) graphics. They can be exploited when a user either opens a document containing a malformed EPS image or inserts such an image into a Microsoft Office file; a successful attacker can then run code in the context of the current user and take control of the target’s system.
Cumulative updates for Internet Explorer address the following vulnerabilities:
- CVE-2017-0064: A security feature bypass vulnerability in Internet Explorer that gives attackers a way around Mixed Content warnings, potentially allowing insecure (HTTP) content to be loaded into a secure (HTTPS) page.
- CVE-2017-0222: A remote code execution vulnerability that exists when Internet Explorer improperly accesses objects in memory. An attacker who successfully exploits it gains the same rights as the current user, which on an administrator account means complete control of the affected system.
- CVE-2017-0226: A remote code execution vulnerability that exists when Internet Explorer improperly accesses objects in memory. An attacker can lure the target to a web page hosting specially crafted content that corrupts memory and executes code in the browser’s context.
- CVE-2017-0228: A remote code execution vulnerability in the way the JavaScript scripting engine handles objects in memory in Microsoft browsers. It can give an attacker the same rights as the current user; a phishing attack could be used to lure an unsuspecting victim using a Microsoft browser to a website designed to exploit it.
- CVE-2017-0231: A spoofing vulnerability that exists when Microsoft browsers render the SmartScreen Filter. An attacker can exploit it by redirecting the target user to a website that spoofs content or chains the flaw with other vulnerabilities.
- CVE-2017-0238: A remote code execution vulnerability in the way JavaScript scripting engines handle objects in memory in Microsoft browsers. Like CVE-2017-0228, it can give an attacker the same rights as the current user.
Adobe also released its round of security updates, the most important being APSB17-15, which addresses critical vulnerabilities in Flash Player that could allow an attacker to take control of the affected system.
The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
- CVE-2017-0226
- CVE-2017-0233
- CVE-2017-0238
- CVE-2017-0240
The Trend Micro Deep Security and Vulnerability Protection DPI rules for this month’s Patch Tuesday are listed below:
- 1008106-Oracle Java MethodHandle Remote Code Execution Vulnerability (CVE-2016-3587)
- 1008319-Microsoft Windows Information Disclosure Vulnerability (CVE-2017-0058)
- 1008331-Microsoft Edge Remote Code Execution Vulnerability (CVE-2017-0266)
- 1008332-Microsoft DNS Server Denial Of Service Vulnerability (CVE-2017-0171)
- 1008333-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0221)
- 1008334-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0227)
- 1008335-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-0228)
- 1008336-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0234)
- 1008337-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0236)
- 1008338-Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0238)
- 1008339-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0240)
- 1008341-Microsoft Windows Multiple Security Vulnerabilities (CVE-2017-0077, CVE-2017-0175, CVE-2017-0213, CVE-2017-0214, CVE-2017-0220, CVE-2017-0245, CVE-2017-0246, CVE-2017-0258, CVE-2017-0259, CVE-2017-0263)
- 1008367-Microsoft Internet Explorer Security Feature Bypass Vulnerability (CVE-2017-0064)
- 1008370-Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290)
In addition, TippingPoint customers are protected via these MainlineDV filters:
- 28111: HTTP: Microsoft Windows GDI Privilege Escalation Vulnerability
- 28112: HTTP: Microsoft Windows GDI Information Disclosure Vulnerability
- 28114: HTTP: Microsoft Edge datalist Out-of-Bounds Write Vulnerability
- 28130: HTTP: Microsoft Edge StyleSheetList Type Confusion Vulnerability
- 28183: HTTP: Microsoft Windows Privilege Escalation Vulnerability
- 28184: HTTP: Microsoft Windows advapi32 Type Confusion Vulnerability
- 28185: HTTP: Microsoft Windows Win32k ASLR Information Disclosure Vulnerability
- 28186: HTTP: Microsoft Windows IsMenu Privilege Escalation Vulnerability
- 28189: HTTP: Microsoft Windows COM Privilege Escalation Vulnerability
- 28192: HTTP: Microsoft Word Memory Corruption Vulnerability
- 28193: HTTP: Microsoft Edge Chakra DataView Type Confusion Vulnerability
- 28198: HTTP: Microsoft Windows Kernel Privilege Escalation Vulnerability
- 28199: HTTP: Microsoft Windows Kernel Information Disclosure Vulnerability
- 28200: HTTP: Microsoft Windows Kernel Information Disclosure Vulnerability
- 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability