The second Tuesday of the month means it’s Microsoft’s formerly-known-as Patch Tuesday, currently-known-as Security Update Tuesday, and this month’s update patches 61 vulnerabilities in all, with 23 rated as Critical and 35 as Important. We always urge that you apply patches as soon as possible, but if that’s not convincing enough, read the details below of what’s out there in the wild.
The monthly advisory covers a number of Microsoft products, including:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Skype for Business and Lync
- Chakra Core
If you can’t get to everything, or you can’t fight every battle, then what to address first? Right now there are two vulnerabilities in this month’s patch list that deserve some extra attention.
Office zero-day
A vulnerability of special interest in this month’s update is CVE-2017-11826, a remote code execution (RCE) vulnerability affecting Microsoft Office.
If an attacker can get a user to open a specially crafted Office file on a vulnerable version of Microsoft Office—perhaps by attaching it to an alluring phishing email—the attacker can run malicious code on the victim’s machine. If the user being attacked has administrative rights then the attacker has them too, giving them the power to install applications and the rights to change important data.
This vulnerability affects many versions of Microsoft Word going all the way back to the 2007 version, as well as various iterations of Office Web Apps Server, Office Word Viewer, SharePoint Enterprise Server and Word Automation Services (check out the advisory for a full list of affected products).
Microsoft says this kind of attack isn’t an if, but a when, as its exploitability assessment for this vulnerability indicates that older versions of Word and Office are already being exploited in the wild.
That said, Microsoft only rates this vulnerability as Important and not Critical because the latest versions of Word and Office are only deemed more likely to be exploited, but aren’t actually being exploited. Don’t take false comfort in that, though: Microsoft’s Exploitability Index describes “Exploitation More Likely” as follows:
…exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created.
The CVE-2017-11826 exploit is stopped by Sophos Intercept X and the payloads seen in the wild were detected proactively by Sophos as Troj/DocDrop-JK and Mal/Generic-S.
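The point that an Important-rated bug already being exploited should jump the queue ahead of a Critical-rated one that isn’t can be written down as a triage rule. The Python script below is an added example, not code from Sophos or Microsoft: it ranks each (CVE, product) pair found in a host inventory by Microsoft’s Exploitability Index first and by severity second. The Exploitability Index labels and severity ratings are Microsoft’s real categories; the per-product labels assigned here to CVE-2017-11826 and to CVE-2017-11779 (the Critical DNS client bug covered further down the page), and the host inventory, are constructed for illustration and are not values copied from the advisories.

```python
"""Patch triage that ranks exploitability above severity (added example)."""
from dataclasses import dataclass

# Microsoft Exploitability Index labels; lower number = more urgent.
EXPLOITABILITY = {
    "Exploitation Detected": 0,      # already seen in the wild
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str
    # Exploitability can differ per affected product, as it does for
    # CVE-2017-11826 (older Word exploited, newest only "More Likely").
    exploitability: dict  # product -> Exploitability Index label


def triage(advisories, inventory):
    """Rank the (CVE, product) pairs that actually occur in the inventory.

    inventory maps hostname -> list of installed products. Sort key:
    exploitability, then severity, then number of affected hosts
    (more hosts first), then CVE id for a stable order.
    """
    by_cve = {adv.cve: adv for adv in advisories}
    affected = {}  # (cve, product) -> hosts carrying that product
    for host, products in inventory.items():
        for product in products:
            for adv in advisories:
                if product in adv.exploitability:
                    affected.setdefault((adv.cve, product), []).append(host)
    rows = []
    for (cve, product), hosts in affected.items():
        adv = by_cve[cve]
        rows.append({"cve": cve, "product": product,
                     "exploitability": adv.exploitability[product],
                     "severity": adv.severity, "hosts": sorted(hosts)})
    rows.sort(key=lambda r: (EXPLOITABILITY[r["exploitability"]],
                             SEVERITY[r["severity"]],
                             -len(r["hosts"]), r["cve"]))
    return rows


# Constructed sample data: per-product labels are assumptions for the
# exercise, not values taken from Microsoft's advisories.
ADVISORIES = [
    Advisory("CVE-2017-11826", "Important", {
        "Office 2007": "Exploitation Detected",
        "Office 2010": "Exploitation Detected",
        "Office 2016": "Exploitation More Likely",
    }),
    Advisory("CVE-2017-11779", "Critical", {
        "Windows 10": "Exploitation Less Likely",
        "Windows Server 2016": "Exploitation Less Likely",
    }),
]
INVENTORY = {  # constructed hostnames and installed products
    "ws-01": ["Office 2016", "Windows 10"],
    "ws-02": ["Office 2010", "Windows 10"],
    "srv-dns-01": ["Windows Server 2016"],
}

if __name__ == "__main__":
    for n, row in enumerate(triage(ADVISORIES, INVENTORY), 1):
        print(f"{n}. {row['cve']} on {row['product']} ({row['severity']}, "
              f"{row['exploitability']}): {', '.join(row['hosts'])}")
```

Run as-is, it lists the Office bug on the Office 2010 host first, then the newest Office, and only then the Critical DNS client bug on the Windows hosts. In practice the per-product exploitability column would come from Microsoft’s Security Update Guide and the inventory from your own asset data; the ordering rule is the part worth keeping.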
Malicious DNS
Another RCE getting some attention in this update is CVE-2017-11779, a Critical-rated vulnerability that affects the Windows DNS client (DNSAPI.dll). It can be exploited by a malicious DNS server sending specially crafted responses that can trigger the execution of arbitrary code.
This vulnerability requires an attacker to have a foothold in your DNS hierarchy. If it’s successfully exploited it could potentially hand over full system control as it allows RCE at a variety of privilege levels, including admin.
This vulnerability affects versions of Windows 8 and 10, as well as various versions of Windows Server 2012 and 2016.
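The DNS client flaw lives in the code that parses responses, so the defensive lesson is how a resolver should treat the length fields a server hands it. The parser below is an added Python example, not Microsoft’s DNSAPI.dll logic or Sophos code, and makes no claim about the specific defect in CVE-2017-11779: it decodes a DNS response while checking every label length, compression pointer and RDLENGTH against the bytes actually received, and rejects malformed messages instead of reading past the buffer. The sample packets (a query for example.com answered with the TEST-NET address 192.0.2.1) are constructed, not captured traffic.

```python
"""Bounds-checked DNS response parser (added example)."""
import struct


class MalformedResponse(ValueError):
    """Raised when a response violates the wire format."""


def _read_name(buf, pos):
    """Decode a domain name at buf[pos]; return (name, position after it).

    Compression pointers must point strictly backwards, which guarantees
    termination and rejects self-referential or forward pointer loops.
    """
    labels = []
    end = None  # position after the first pointer followed, if any
    while True:
        if pos >= len(buf):
            raise MalformedResponse("name runs past end of packet")
        length = buf[pos]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if pos + 1 >= len(buf):
                raise MalformedResponse("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:
                raise MalformedResponse("compression pointer does not point backwards")
            if end is None:
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:  # 0x40 / 0x80 label types are reserved
            raise MalformedResponse("reserved label type")
        pos += 1
        if length == 0:  # root label terminates the name
            break
        if pos + length > len(buf):
            raise MalformedResponse("label runs past end of packet")
        labels.append(buf[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) + ".", (pos if end is None else end)


def _read_rr(buf, pos):
    """Decode one resource record; RDLENGTH is validated before RDATA is sliced."""
    name, pos = _read_name(buf, pos)
    if pos + 10 > len(buf):
        raise MalformedResponse("resource record header truncated")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", buf, pos)
    pos += 10
    if pos + rdlength > len(buf):
        raise MalformedResponse(f"RDLENGTH {rdlength} exceeds packet")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
          "rdata": buf[pos:pos + rdlength]}
    return rr, pos + rdlength


def parse_response(buf):
    """Parse a whole response into header id, questions and record sections."""
    if len(buf) < 12:
        raise MalformedResponse("header truncated")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", buf, 0)
    if not flags & 0x8000:
        raise MalformedResponse("QR bit clear: not a response")
    pos, questions = 12, []
    for _ in range(qdcount):
        qname, pos = _read_name(buf, pos)
        if pos + 4 > len(buf):
            raise MalformedResponse("question truncated")
        qtype, qclass = struct.unpack_from("!HH", buf, pos)
        pos += 4
        questions.append((qname, qtype, qclass))
    result = {"id": ident, "questions": questions}
    for section, count in (("answers", ancount), ("authority", nscount), ("additional", arcount)):
        records = []
        for _ in range(count):
            rr, pos = _read_rr(buf, pos)
            records.append(rr)
        result[section] = records
    if pos != len(buf):  # strict: no unaccounted bytes after the last record
        raise MalformedResponse("trailing bytes after last record")
    return result


def classify(buf):
    """Return 'ok' or 'malformed: <reason>' so callers never see a raw exception."""
    try:
        parse_response(buf)
        return "ok"
    except MalformedResponse as exc:
        return f"malformed: {exc}"


# --- constructed sample responses, not captured traffic ----------------------
def _encode_name(name):
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(ident, qname, address, rdlength_override=None, owner=b"\xc0\x0c"):
    """Single-answer A response; the overrides deliberately break the format."""
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in address.split("."))
    rdlength = len(rdata) if rdlength_override is None else rdlength_override
    return header + question + owner + struct.pack("!HHIH", 1, 1, 300, rdlength) + rdata


GOOD_RESPONSE = build_response(0x1234, "example.com.", "192.0.2.1")
# RDLENGTH claims 65535 bytes of RDATA although only 4 follow.
BAD_RDLENGTH = build_response(0x1234, "example.com.", "192.0.2.1", rdlength_override=0xFFFF)
# Owner name is a compression pointer to its own offset (12 + 17 = 29 = 0x1d).
SELF_POINTER = build_response(0x1234, "example.com.", "192.0.2.1", owner=b"\xc0\x1d")

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_RESPONSE), ("bad rdlength", BAD_RDLENGTH),
                       ("self pointer", SELF_POINTER)):
        print(f"{label:13s} -> {classify(pkt)}")
```

The two broken packets show the two checks that matter most: an RDLENGTH that exceeds the packet is caught before any RDATA is sliced, and a compression pointer that does not move strictly backwards is refused rather than followed. Rejecting trailing bytes is a strictness choice; a production resolver may prefer to log and ignore them, but it should never read past the buffer it was given.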
Every environment is different so we’d like to know – are there other vulnerabilities in this month’s Microsoft Security Update that you’re focusing on? We’re listening, let us know in the comments.
For CVE-2017-11779, it would be good to know whether this can be exploited only by the DNS server that the client is resolving from or if an attacker could load a DNS response with the payload and have it delivered down the recursive chain of DNS forwarders. The former scenario makes this a “not a big deal” vulnerability for non-mobile workstations behind a corporate firewall. The latter scenario is a whole different ballgame.
My understanding is that the response is a malformed NSEC3 record and, because it’s malformed, it shouldn’t survive the DNS chain. That said, it shouldn’t trigger RCE in DNSAPI.dll either.
That RTF file sure took a long time to load. Will Sophos Intercept-X slow my computer down that much?
As far as I know, the time taken before Intercept X triggers is the attack unfolding itself to get to the point that the exploit can try to “escape”, followed by Intercept X blocking it at the point of detonation.
In other words, if you run the attack without Intercept X it still takes that much time before the attack succeeds.
Exploits involving in-memory trickery often take a long time to run as they get their ducks in a row, so to speak.