Martijn Lammerts
My own digital place with a little of everything

November’s Patch Tuesday Includes Defense in Depth Update for Attacks Abusing Dynamic Data Exchange

15 November 2017

Microsoft rolled out fixes for over 50 security issues in this month’s Patch Tuesday. The updates cover vulnerabilities and bugs in the Windows operating system, Internet Explorer (IE), Edge, ASP .NET Core, Chakra Core browsing engine, and Microsoft Office. Microsoft also released a security advisory providing defense-in-depth mitigations against attacks abusing the Dynamic Data Exchange (DDE) protocol in light of recent attacks misusing this feature.

Abusing DDE isn’t new, but the method has made a resurgence with reports of cyberespionage and cybercriminal groups such as Pawn Storm, Keyboy, and FIN7 leveraging it to deliver their payloads. Microsoft said that users with the Windows 10 Fall Creators Update are protected from DDE attacks through its Windows Defender Exploit Guard. Trend Micro provides comprehensive protection against threats that abuse DDE via Deep Discovery™ (which includes Deep Discovery™ Email Inspector) and Deep Security, as well as InterScan Messaging Security and InterScan Web Security, which are part of Trend Micro’s Smart Protection Suites.

Twenty of the vulnerabilities addressed by November’s Patch Tuesday were rated critical in terms of severity, with 31 rated important. Six of these vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative. Many of these are related to memory corruption, information disclosure, validation issues, security feature bypasses, and privilege escalation. This month’s Patch Tuesday also addresses security flaws that have public exploits, including:

  • CVE-2017-11827: a memory corruption issue in IE and Edge that can lead to remote code execution (RCE)
  • CVE-2017-11848: an information disclosure vulnerability that can let attackers track users when they leave a website
  • CVE-2017-11883: a denial-of-service vulnerability in ASP .NET Core
  • CVE-2017-8700: an information disclosure flaw in ASP .NET Core

Also of note are fixes for CVE-2017-11830 and CVE-2017-11877. The former is a vulnerability that enables attackers to bypass Windows Device Guard’s security feature, while CVE-2017-11877 can let an attacker bypass the macro execution protection in Microsoft Excel.

Meanwhile, Adobe released nine security advisories addressing vulnerabilities in their products, including those in Adobe Acrobat and Reader (APSB17-36). The security bulletin for Flash Player (APSB17-33), which affects Windows (10 and 8.1), Mac, Linux, and Chrome OS is also notable. Three of these RCE vulnerabilities (CVE-2017-3112, CVE-2017-3114, and CVE-2017-11213), along with 14 others in other Adobe products, were disclosed to Adobe through Trend Micro’s Zero Day Initiative. Microsoft released its own versions of Adobe’s patches for Flash Player via ADV170019.

Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the aforementioned vulnerabilities via the following DPI rules:

  • 1008703 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11869)
  • 1008700 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11837)
  • 1008630 – Microsoft Office Memory Corruption Vulnerability (CVE-2017-8631)
  • 1008696 – Microsoft Internet Explorer And Edge Scripting Engine Information Disclosure Vulnerability (CVE-2017-11791)
  • 1008708 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2017-11847)
  • 1008697 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-11855)
  • 1008701 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11861)
  • 1008706 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11873)
  • 1008716 – Microsoft Excel Memory Corruption Vulnerability (CVE-2017-11878)
  • 1008698 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-11856)
  • 1008699 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11858)
  • 1008705 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11841)
  • 1008695 – Microsoft Word Memory Corruption Vulnerability (CVE-2017-11854)
  • 1008683 – Apache HTTP Server Memory Corruption Vulnerability (CVE-2017-9788)
  • 1008707 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11843)
  • 1008561 – Kerberos kadmind Policy Null Pointer Dereference Denial Of Service Vulnerability (CVE-2015-8630)
  • 1008710 – Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11845)
  • 1008704 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11840)
  • 1008712 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11846)

Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:

  • 29918: HTTP: Microsoft Internet Explorer TypeError Memory Corruption Vulnerability
  • 29921: HTTP: Microsoft Edge removeEventListener Information Disclosure Vulnerability
  • 29923: HTTP: Microsoft Edge Array Use-After-Free Vulnerability
  • 29924: HTTP: Microsoft Windows Kernel Privilege Escalation Vulnerability
  • 29925: HTTP: Microsoft Edge Typed Array Memory Corruption Vulnerability
  • 29926: HTTP: Microsoft Edge Array Type Confusion Vulnerability
  • 29927: HTTP: Microsoft Edge Typed Array Type Confusion Vulnerability
  • 29929: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
  • 29930: HTTP: Microsoft Edge transition-property Memory Corruption Vulnerability
  • 29931: HTTP: Microsoft Edge getOwnPropertyDescriptor Use-After-Free Vulnerability
  • 29932: HTTP: Microsoft Chakra textarea Memory Corruption Vulnerability
  • 29933: HTTP: Microsoft Edge Call Memory Corruption Vulnerability
  • 29934: ZDI-CAN-5140: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29935: ZDI-CAN-5141: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29936: ZDI-CAN-5142: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29937: ZDI-CAN-5143: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29938: ZDI-CAN-5144: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29939: ZDI-CAN-5145: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29958: HTTP: MANTISTEK Cloud Driver Reporting Request

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
