Microsoft Security Bulletin MS17-012 - Critical

Security Update for Microsoft Windows (4013078)

Published: March 14, 2017

Version: 1.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server.

This security update is rated Critical for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607 and Windows Server 2016, and Important for Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, and Windows 10 Version 1511. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by:

• Correcting how Device Guard validates certain elements of signed PowerShell scripts.
• Correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
• Correcting how Windows validates input before loading DLL files.
• Modifying how Windows dnsclient handles requests.
• Correcting how Helppane.exe authenticates the client.
• Modifying how the iSNS Server service parses requests.

For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 4013078.

Affected Software and Vulnerability Severity Ratings

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

Note Please see the Security Update Guide for a new approach to consuming the security update information. You can customize your views and create affected software spreadsheets, as well as download data via a restful API. For more information, please see the Security Updates Guide FAQ. As a reminder, the Security Updates Guide will be replacing security bulletins. Please see our blog post, Furthering our commitment to security updates, for more details.

^[1]Beginning with the October 2016 release, Microsoft has changed the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft TechNet article.

^[2]This update is only available via Windows Update.

^[3]Windows 10 and Windows Server 2016 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. Please note that effective December 13, 2016, Windows 10 and Windows Server 2016 details for the Cumulative Updates will be documented in Release Notes. Please refer to the Release Notes for OS Build numbers, Known Issues, and affected file list information.

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Update FAQ

Does this update contain any additional security-related changes to functionality?
Yes. In addition to the changes that are listed for the vulnerabilities described in this bulletin, this update includes defense-in-depth updates to help improve security-related features.

Vulnerability Information

Device Guard Security Feature Bypass Vulnerability - CVE-2017-0007

A security feature bypass exists when Device Guard does not properly validate certain elements of a signed PowerShell script. An attacker who successfully exploited this vulnerability could modify the contents of a PowerShell script without invalidating the signature associated with the file. Because Device Guard relies on the signature to determine the script is non-malicious, Device Guard could then allow a malicious script to execute.

In an attack scenario, an attacker could modify the contents of a PowerShell script without invalidating the signature associated with the file.

The update addresses the vulnerability by correcting how Device Guard validates certain elements of signed PowerShell scripts.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability - CVE-2017-0016

A denial of service vulnerability exists in implementations of the Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client. The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.

To exploit the vulnerability, an attacker could use various methods such as redirectors, injected HTML header links, etc., which could cause the SMB client to connect to a malicious SMB server.

The security update addresses the vulnerability by correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Windows DLL Loading Remote Code Execution Vulnerability - CVE-2017-0039

A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application.

The security update addresses the vulnerability by correcting how Windows validates input before loading DLL files.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation:

• Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For Office 2007

  1. Run regedit.exe as Administrator and navigate to the following subkey:

     [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
  

  2. Set the RtfFiles DWORD value to 1.
     Note To use 'FileOpenBlock' with Office 2007, all of the latest Office 2007 security updates as of May 2007 must be applied.

  For Office 2010

  1. Run regedit.exe as Administrator and navigate to the following subkey:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
  

  2. Set the RtfFiles DWORD value to 2.
  3. Set the OpenInProtectedView DWORD value to 0.

  For Office 2013

  1. Run regedit.exe as Administrator and navigate to the following subkey:

       [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
  

  2. Set the RtfFiles DWORD value to 2.
  3. Set the OpenInProtectedView DWORD value to 0.

  Impact of Workaround. Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 922849 will be unable to open documents saved in the RTF format.

  How to undo the workaround

  For Office 2007

  1. Run regedit.exe as Administrator and navigate to the following subkey:

      HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
  

  2. Set the RtfFiles DWORD value to 0.

  For Office 2010

  1. Run regedit.exe as Administrator and navigate to the following subkey:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock] 
  

  2. Set the RtfFiles DWORD value to 0.
  3. Leave the OpenInProtectedView DWORD value set to 0.

  For Office 2013

  1. Run regedit.exe as Administrator and navigate to the following subkey:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
  

  2. Set the RtfFiles DWORD value to 0.
  3. Leave the OpenInProtectedView DWORD value set to 0.

• Set the killbit for IMJPTIP
  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

  To set the kill bit for a CLSID with a value of {03B5835F-F03C-411B-9CE2-AA23E1171E36}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03B5835F-F03C-411B-9CE2-AA23E1171E36}]   
      "Compatibility Flags"=dword:00000400 
  

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of Workaround Users will be unable to open documents saved in the RTF format.

  How to undo the workaround Microsoft does not recommend unkilling (undoing the kill action on) an ActiveX control. If you do so, you may create security vulnerabilities. The kill bit is typically set for a reason that may be critical, and because of this, extreme care must be used when you unkill an ActiveX control. Also, because the procedure is highly technical, do not continue unless you are very comfortable with the procedure. It is a good idea to read the whole procedure before you start.

Windows DNS Query Information Disclosure Vulnerability - CVE-2017-0057

An information disclosure vulnerability exists when Windows dnsclient fails to properly handle requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability:

If the target is a workstation, the attacker could convince a user to visit an untrusted webpage. If the target is a server, the attacker would have to trick the server into sending a DNS query to a malicious DNS server.

The security update addresses the vulnerability by modifying how Windows dnsclient handles requests.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100

An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session.

To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching.

The update addresses the vulnerability by correcting how Helppane.exe authenticates the client.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

iSNS Server Memory Corruption Vulnerability - CVE-2017-0104

A remote code execution vulnerability exists in Windows when the iSNS Server service fails to properly validate input from the client, leading to an integer overflow. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SYSTEM account.

An attacker could exploit the vulnerability by creating a specially crafted application to connect to the iSNS Server and then issue malicious requests to it.

The update addresses the vulnerability by modifying how the iSNS Server service parses requests.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

• V1.0 (March 14, 2017): Bulletin published.

Page generated 2017-03-13 16:33-07:00.