CVE-2017-0016, CVE-2017-0037 and CVE-2017-0038 are three recently uncovered Microsoft vulnerabilities that once again highlight the value of intrusion prevention system (IPS) protection, as pointed out by TrendMicro researchers. IPS, also known as virtual patching, helps protect against vulnerabilities even in cases where patches have not been released yet. The three Microsoft flaws were located in the following components: the core SMB service, the Internet Explorer and Edge browsers, and the Graphics Device Interface.
What Is Virtual Patching (IPS)?
As explained by TechTarget, virtual patching is the quick development and short-term implementation of a security policy meant to prevent an exploit from succeeding as a consequence of a newly found security bug.
A virtual patch is sometimes dubbed a Web application firewall (WAF). More importantly, a virtual patch guards the mission-critical components that must remain online. This way important operations will not be interrupted, as happens when a conventional patch is applied in an emergency situation.
TrendMicro researchers underline the importance of virtual patching as a mitigation for CVE-2017-0016, CVE-2017-0037 and CVE-2017-0038 in the absence of patches.
CVE-2017-0016: A Closer Look
The flaw is a memory corruption bug located in the way Windows handles SMB traffic. For an attack to happen, the system must connect to a malicious SMB server that serves packets causing the computer to crash. Proof-of-concept exploit code has already been written for this one, and it is publicly available.
Fortunately, the flaw does not allow remote code execution and can only lead to a denial-of-service condition. In terms of mitigation, TrendMicro researchers advise the following:
– Limit outgoing access on ports 139 and 445.
– Deploy IPS protection.
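The first mitigation above, "limit outgoing access on ports 139 and 445", expressed as a Windows Defender Firewall rule. This is an added example, not code from the article or from TrendMicro; it assumes Windows 8.1/Server 2012 R2 or later (NetSecurity module), an elevated PowerShell session, and the rule name is an arbitrary label chosen here.

```powershell
# Added example: block outbound SMB (TCP 139/445) so a workstation cannot be coaxed
# into talking to an attacker-controlled SMB server (the CVE-2017-0016 scenario).
# Assumes the NetSecurity module (Windows 8.1 / Server 2012 R2+) and an admin shell.
# The rule name below is a label chosen for this example.

$ruleName = 'Block outbound SMB (TCP 139,445)'

# Profiles to apply the block to. Domain is left out on purpose: a blanket block
# there also cuts off file servers and SYSVOL; see the note after this block.
$profiles = 'Private', 'Public'

# Remove any stale copy first so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Create the outbound block rule.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 139, 445 `
    -Action Block `
    -Profile $profiles `
    -Enabled True | Out-Null

# Verify the rule and its port filter were created as intended.
$rule  = Get-NetFirewallRule -DisplayName $ruleName
$ports = $rule | Get-NetFirewallPortFilter
'{0}: {1} {2} {3} remote ports {4} on profiles {5}' -f $rule.DisplayName,
    $rule.Direction, $rule.Action, $ports.Protocol,
    ($ports.RemotePort -join ','), $rule.Profile

# Log dropped packets so blocked SMB attempts are visible for detection/triage in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
Set-NetFirewallProfile -Profile Private, Public -LogBlocked True
```

On domain-joined hosts, scope a Domain-profile rule with -RemoteAddress to an allow-list of legitimate file servers rather than blocking 445 outright. Outbound SMB attempts that still show up in pfirewall.log after the rule is in place are worth investigating.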
CVE-2017-0037: In Detail
This is a type confusion flaw in the Internet Explorer and Edge browsers. For the flaw to be exploited, the attacker would need to lure the user to a malicious web link, typically sent via email or chat, or embedded in documents.
The outcome of a CVE-2017-0037 exploit is arbitrary code execution with the same privileges as the logged-in user.
Researchers advise the following for mitigation purposes:
– Deploy IPS protection.
– Filter email for phishing attacks.
– Use web reputation to block hosted scripts.
– Reduce the number of accounts with administrator rights to reduce risk.
CVE-2017-0038: In Detail
This is a flaw in the Graphics Device Interface component of Windows. An attacker would need to lure the user into rendering a font or an image, which could be embedded in a document. This could happen via email, where a malicious attachment is served, or through file-sharing services.
The outcome of a successful exploit here is memory disclosure, usually ending with a leak of sensitive information. Available mitigations include:
– Deploy IPS protection.
– Educate employees not to open attachments, and to open links only from trusted sources.