Microsoft security alert.
October 10, 2017
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 62 vulnerabilities that were fixed in 5 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 5 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
- Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2017
- Severity
- Critical 4
- Qualys ID
- 110306
- Vendor Reference
- KB2553338, KB2837599, KB2920723, KB3172524, KB3172531, KB3213623, KB3213627, KB3213630, KB3213647, KB3213648, KB3213659, KB4011068, KB4011162, KB4011170, KB4011178, KB4011180, KB4011185, KB4011194, KB4011196, KB4011217, KB4011222, KB4011231, KB4011232, KB4011236
- CVE Reference
- CVE-2017-11774, CVE-2017-11775, CVE-2017-11776, CVE-2017-11777, CVE-2017-11786, CVE-2017-11820, CVE-2017-11825, CVE-2017-11826
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
- Microsoft released security updates in October 2017 to fix the following vulnerabilities:
- Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2017-11774)
- Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11775)
- Microsoft Outlook Information Disclosure Vulnerability (CVE-2017-11776)
- Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)
- Skype for Business Elevation of Privilege Vulnerability (CVE-2017-11786)
- Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11820)
- Microsoft Office Remote Code Execution Vulnerability (CVE-2017-11825)
- Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)
This security update contains the following KBs:
KB2553338 KB2837599 KB2920723 KB3172524 KB3172531 KB3213623 KB3213627 KB3213630 KB3213647 KB3213648 KB3213659 KB4011068 KB4011162 KB4011170 KB4011178 KB4011180 KB4011185 KB4011194 KB4011196 KB4011217 KB4011222 KB4011231 KB4011232 KB4011236
- Consequence
- An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
- Solution
- Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2017
- Microsoft Edge Security Update for October 2017
- Severity
- Urgent 5
- Qualys ID
- 91412
- Vendor Reference
- 4041676, 4041689, 4041691
- CVE Reference
- CVE-2017-8726, CVE-2017-11792, CVE-2017-11794, CVE-2017-11796, CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11811, CVE-2017-11812, CVE-2017-11821
- CVSS Scores
- Base 9.3 / Temporal 7.3
- Description
- Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser.
Microsoft Edge suffers from multiple security vulnerabilities. The most severe of them could allow remote code execution.
KB Articles associated with the update:
1) KB4041676
2) KB4041689
3) KB4041691
Affected versions are Microsoft Edge on all Windows 10 versions and Windows Server 2016.
QID Detection Logic (Authenticated):
Operating Systems: All versions of Windows 10 and Windows Server 2016
This QID checks for the file version of %windir%\System32\edgehtml.dll
The following KBs are checked:
The patch version is 11.0.10240.17643 (KB4042895)
The patch version is 11.0.10586.1176 (KB4041689)
The patch version is 11.0.14393.1770 (KB4041691)
The patch version is 11.0.15063.674 (KB4041676)
- Consequence
- Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
- Solution
- For more information, customers are advised to refer to the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
- Microsoft Lync and Skype for Business Security Update for October 2017
- Severity
- Critical 4
- Qualys ID
- 110305
- Vendor Reference
- KB4011159, KB4011179
- CVE Reference
- CVE-2017-11786
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
- This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
An elevation of privilege vulnerability exists when Skype for Business fails to properly handle specific authentication requests. An authenticated attacker who successfully exploited this vulnerability could steal an authentication hash that can be reused elsewhere. The attacker could then take any action that the user had permissions for, causing possible outcomes that could vary between users.
Affected Products:
Microsoft Lync 2013 Service Pack 1
Skype for Business 2016
KB Articles associated with this update: 4011159, 4011179
QID Detection Logic:
This authenticated QID detects file versions of Microsoft Lync and Skype for Business (lync.exe) lower than 16.0.4600.1000 (KB4011159) and 15.0.4971.1000 (KB4011179).
- Consequence
- Successful exploitation allows an authenticated, remote attacker to execute arbitrary code with elevated privileges.
- Solution
- Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4011159 Windows
KB4011179 Windows
- Microsoft Internet Explorer Security Update for October 2017
- Severity
- Urgent 5
- Qualys ID
- 100320
- Vendor Reference
- KB4040685, KB4041676, KB4041681, KB4041689, KB4041690, KB4041691, KB4041693, KB4042895
- CVE Reference
- CVE-2017-11790, CVE-2017-11793, CVE-2017-11810, CVE-2017-11813, CVE-2017-11822
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
- Internet Explorer is a web browser developed by Microsoft that is included in Microsoft Windows operating systems.
Microsoft has released Cumulative Security Updates for Internet Explorer that address various vulnerabilities found in Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security update is rated Moderate for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Critical for Internet Explorer 11 (IE 11).
The Security Update addresses the vulnerabilities by fixing:
1) The update addresses the vulnerability by modifying how Internet Explorer handles objects in memory. (CVE-2017-11790)
2) The update addresses the vulnerability by modifying how the scripting engine handles objects in memory. (CVE-2017-11793)
3) The update addresses the vulnerability by modifying how the scripting engine handles objects in memory. (CVE-2017-11810)
4) The update addresses the vulnerability by modifying how Internet Explorer handles objects in memory. (CVE-2017-11813)
5) The update addresses the vulnerability by modifying how Internet Explorer handles objects in memory. (CVE-2017-11813)
KB Articles associated with the Update:
1) 4041681
2) 4040685
3) 4041689
4) 4041693
5) 4041691
6) 4042895
7) 4041676
8) 4041690
QID Detection Logic (Authenticated):
Operating Systems: Windows XP Embedded, Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
This QID checks for the file version of %windir%\System32\mshtml.dll
The following KBs are checked:
The patch version is 8.0.6001.23992 (KB4040685)
The patch version is 9.0.8112.21061 (KB4040685)
The patch version is 10.0.9200.22277 (KB4040685 or KB4041690)
The patch version is 11.0.9600.18817 (KB4041681 or KB4040685 or KB4041693)
The patch version is 11.0.10240.17643 (KB4042895)
The patch version is 11.0.10586.1176 (KB4041689)
The patch version is 11.0.14393.1770 (KB4041691)
The patch version is 11.0.15063.674 (KB4041676)
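The following PowerShell script is an added example, not Qualys's own QID code; it reproduces the authenticated file-version check described above for QID 91412 (edgehtml.dll) and QID 100320 (mshtml.dll). The patched version numbers and KB references are taken from this advisory; the table layout, the function names, the file location under %windir%\System32 and the assumption that the third field of the file version identifies the OS build (so that 11.0.14393.x can be matched against 11.0.14393.1770) are choices made for this example.

```powershell
# Added example (not Qualys code): mirrors the file-version logic the advisory
# describes for QID 91412 (edgehtml.dll) and QID 100320 (mshtml.dll).
# Patched versions and KBs come from the advisory; the rest is assumed here.

# One row per file and per build (assumption: the third version field is the
# OS/IE build, e.g. 14393 = Windows 10 1607 / Server 2016, 9600 = IE 11 on 8.1).
$PatchTable = @(
    @{ File = 'edgehtml.dll'; Build = 10240; Fixed = '11.0.10240.17643'; KB = 'KB4042895' },
    @{ File = 'edgehtml.dll'; Build = 10586; Fixed = '11.0.10586.1176';  KB = 'KB4041689' },
    @{ File = 'edgehtml.dll'; Build = 14393; Fixed = '11.0.14393.1770';  KB = 'KB4041691' },
    @{ File = 'edgehtml.dll'; Build = 15063; Fixed = '11.0.15063.674';   KB = 'KB4041676' },
    @{ File = 'mshtml.dll';   Build = 6001;  Fixed = '8.0.6001.23992';   KB = 'KB4040685' },
    @{ File = 'mshtml.dll';   Build = 8112;  Fixed = '9.0.8112.21061';   KB = 'KB4040685' },
    @{ File = 'mshtml.dll';   Build = 9200;  Fixed = '10.0.9200.22277';  KB = 'KB4040685 or KB4041690' },
    @{ File = 'mshtml.dll';   Build = 9600;  Fixed = '11.0.9600.18817';  KB = 'KB4041681 or KB4040685 or KB4041693' },
    @{ File = 'mshtml.dll';   Build = 10240; Fixed = '11.0.10240.17643'; KB = 'KB4042895' },
    @{ File = 'mshtml.dll';   Build = 10586; Fixed = '11.0.10586.1176';  KB = 'KB4041689' },
    @{ File = 'mshtml.dll';   Build = 14393; Fixed = '11.0.14393.1770';  KB = 'KB4041691' },
    @{ File = 'mshtml.dll';   Build = 15063; Fixed = '11.0.15063.674';   KB = 'KB4041676' }
)

function Test-PatchedFileVersion {
    param(
        [Parameter(Mandatory)] [string] $FileName,
        # Installed version as a string, so the decision logic can be exercised
        # with constructed values without reading the file system.
        [Parameter(Mandatory)] [string] $InstalledVersion
    )
    $installed = [version] $InstalledVersion
    # Select the row for this file whose build matches the installed build.
    $row = $PatchTable |
        Where-Object { $_.File -eq $FileName -and $_.Build -eq $installed.Build } |
        Select-Object -First 1
    if (-not $row) {
        # A build the table does not know cannot be judged; report it rather
        # than silently treating it as patched.
        return [pscustomobject]@{ File = $FileName; Installed = $installed; Fixed = $null; Status = 'Unknown build'; KB = $null }
    }
    $fixed = [version] $row.Fixed
    # [version] compares field by field as integers: 11.0.14393.999 is older
    # than 11.0.14393.1770, which a plain string comparison would get wrong.
    $status = if ($installed -lt $fixed) { 'VULNERABLE (patch missing)' } else { 'Patched' }
    return [pscustomobject]@{ File = $FileName; Installed = $installed; Fixed = $fixed; Status = $status; KB = $row.KB }
}

function Get-SystemFileVersion {
    param([Parameter(Mandatory)] [string] $FileName)
    # Assumption: the file lives in %windir%\System32, as the advisory states.
    $path = Join-Path $env:windir "System32\$FileName"
    if (-not (Test-Path $path)) { return $null }
    $vi = (Get-Item $path).VersionInfo
    # Build the version from the numeric parts; the free-form FileVersion
    # string may carry a branch suffix such as '(rs1_release.170917-1700)'.
    return '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# Check the host this script runs on: one result per file that is present.
foreach ($f in 'edgehtml.dll', 'mshtml.dll') {
    $v = Get-SystemFileVersion -FileName $f
    if ($v) { Test-PatchedFileVersion -FileName $f -InstalledVersion $v }
    else    { Write-Output "$f not present on this host" }
}

# Constructed sample values, to show both outcomes without a live host:
# 11.0.14393.1593 is older than the 1607 threshold 11.0.14393.1770 -> VULNERABLE
Test-PatchedFileVersion -FileName 'mshtml.dll' -InstalledVersion '11.0.14393.1593'
# 11.0.15063.674 equals the 1703 threshold -> Patched
Test-PatchedFileVersion -FileName 'edgehtml.dll' -InstalledVersion '11.0.15063.674'
```

Run it in an elevated PowerShell on the host being audited; the two trailing calls use constructed versions and print the decision for a missing and a present patch. A build that the advisory does not list (for example an IE 8 mshtml.dll from a Windows 7 branch) is reported as "Unknown build" rather than "Patched", which is the conservative reading of the advisory's version list.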
- Consequence
- Successful exploitation of the vulnerability allows:
1) Remote Code Execution
2) Information Disclosure
- Solution
- For more information, customers are advised to refer to the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
- Microsoft Windows Security Update October 2017 (KRACK Attack) (ROCA)
- Severity
- Critical 4
- Qualys ID
- 91411
- Vendor Reference
- KB4038786, KB4038793, KB4041671, KB4041676, KB4041678, KB4041679, KB4041681, KB4041687, KB4041689, KB4041690, KB4041691, KB4041693, KB4041944, KB4041995, KB4042007, KB4042067, KB4042120, KB4042121, KB4042122, KB4042123, KB4042723, KB4042895
- CVE Reference
- CVE-2017-8689, CVE-2017-8693, CVE-2017-8694, CVE-2017-8703, CVE-2017-8715, CVE-2017-8717, CVE-2017-8718, CVE-2017-8727, CVE-2017-11762, CVE-2017-11763, CVE-2017-11765, CVE-2017-11769, CVE-2017-11771, CVE-2017-11772, CVE-2017-11779, CVE-2017-11780, CVE-2017-11781, CVE-2017-11782, CVE-2017-11783, CVE-2017-11784, CVE-2017-11785, CVE-2017-11814, CVE-2017-11815, CVE-2017-11816, CVE-2017-11817, CVE-2017-11818, CVE-2017-11819, CVE-2017-11823, CVE-2017-11824, CVE-2017-11829, CVE-2017-13080, CVE-2017-15361
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
- Microsoft has released Cumulative Security Updates for Windows that address the following vulnerabilities:
A denial of service vulnerability exists in Microsoft SMB when an attacker sends specially crafted requests to the server. (CVE-2017-11781)
An elevation of privilege vulnerability exists in the default Windows SMB Server configuration, which allows anonymous users to remotely access certain named pipes that are also configured to allow anonymous access to users who are logged on locally. (CVE-2017-11782)
An elevation of privilege vulnerability exists when Windows improperly handles calls to ALPC. (CVE-2017-11783)
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. (CVE-2017-11762)
A remote code execution vulnerability exists in the way that the Microsoft SMBv1 server handles certain requests. (CVE-2017-11780)
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. (CVE-2017-11763)
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2017-11765)
A remote code execution vulnerability exists in the way that certain Windows components handle the loading of DLL files. (CVE-2017-11769)
A remote code execution vulnerability exists when Windows Search handles objects in memory. (CVE-2017-11771)
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel ASLR bypass. (CVE-2017-11785)
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2017-11814, CVE-2017-11817)
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. (CVE-2017-11815)
An information disclosure vulnerability exists in the way that GDI handles objects in memory, allowing an attacker to retrieve information from a targeted system. (CVE-2017-11816)
A security feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. (CVE-2017-11818)
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. (CVE-2017-11819)
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2017-11823)
An elevation of privilege vulnerability exists when Windows Update Delivery Optimization does not properly enforce file share permissions. (CVE-2017-11829)
An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. (CVE-2017-8689)
A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. (CVE-2017-8717, CVE-2017-8718)
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. (CVE-2017-8727)
A vulnerability in the TPM could allow a security feature bypass (ROCA). (CVE-2017-15361)
KRACK (key reinstallation) man-in-the-middle vulnerability. (CVE-2017-13080)
KB Articles associated with the Update:
KB4041689
KB4041693
KB4038793
KB4041687
KB4041690
KB4041679
KB4038786
KB4041691
KB4042895
KB4041676
KB4042723
KB4042122
KB4041681
KB4041678
KB4042120
KB4042067
KB4041995
KB4041671
KB4042121
KB4041944
KB4042007
KB4042123
- Consequence
- Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
- Solution
- Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4038792
These new vulnerability checks are included in Qualys vulnerability signature 2.4.159-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 110306
- 91412
- 110305
- 100320
- 91411
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance posture, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.