Microsoft’s final Patch Tuesday for 2017 has just rolled out. Even though this is not the worst batch of updates released throughout the year, there are still several notable vulnerabilities that were addressed and that need our attention. Among them are CVE-2017-11937 and CVE-2017-11940, remote code execution vulnerabilities found in the Microsoft Malware Protection Engine (MMPE).
The flaws can lead to memory corruption because the engine fails to scan certain files correctly. Malicious actors could exploit them by delivering specially crafted files that trigger the bugs, which could ultimately lead to the system being compromised. One clarification has to be made: the patches for these flaws were first released as separate out-of-band updates and were then included in the Patch Tuesday batch.
CVE-2017-11937 Official Description
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server, version 1709, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to remote code execution. aka “Microsoft Malware Protection Engine Remote Code Execution Vulnerability”.
CVE-2017-11940 Official Description
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server, version 1709, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to remote code execution. aka “Microsoft Malware Protection Engine Remote Code Execution Vulnerability”. This is different than CVE-2017-11937.
December 2017 Patch Tuesday
The last batch of updates for this year addressed a total of 12 critical and 10 important vulnerabilities. Here is a short summary of some of the more notable of these flaws, in addition to the MMPE bugs. The definitions are taken from MITRE’s database:
CVE-2017-11899
Device Guard in Windows 10 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows a security feature bypass vulnerability due to the way untrusted files are handled, aka “Microsoft Windows Security Feature Bypass Vulnerability”.
CVE-2017-11927
Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allow an information vulnerability due to the way the Windows its:// protocol handler determines the zone of a request, aka “Microsoft Windows Information Disclosure Vulnerability”.
CVE-2017-11885
Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allow a remote code execution vulnerability due to the way the Routing and Remote Access service handles requests, aka “Windows RRAS Service Remote Code Execution Vulnerability”.
A Flaw in Microsoft Office 365 Also Just Found
One more vulnerability was also just disclosed by Preempt researchers, who came across a flaw in Microsoft Office 365 when it is integrated with on-premises Active Directory Domain Services via the Azure AD Connect software. The flaw needlessly grants users elevated admin privileges, turning them into stealthy admins that standard audits do not flag.
“Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration,” Preempt researchers explained.