Friday, 13. October 2017

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of October 9, 2017

Even though “Patch Tuesday” isn’t supposed to exist anymore, here I am blogging about it. As I looked at the October updates from Microsoft, the usual suspects were there. But this month was a little different. We usually see critical vulnerabilities on the browser side, but Microsoft Office is in the spotlight with CVE-2017-11826 under active attack.

The scenario involves a specially crafted file opened with an affected version of Microsoft Office software. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. So, just imagine if a user is logged on with administrative user rights – an attacker could take over the system and install programs; view, change, or delete data; or create new accounts with full user rights. The table below highlights the Digital Vaccine® filters available for the Microsoft October updates.

Microsoft Update

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before October 10, 2017. Microsoft had another big month with 62 security patches for September covering Windows, Internet Explorer (IE), Edge, Office, and Skype for Business. Of those, 27 patches are listed as Critical and 35 are rated Important. Eight of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s security updates from Dustin Childs’ October 2017 Security Update Review from the Zero Day Initiative.

CVE #            Digital Vaccine Filter #   Status
CVE-2017-11762   *29152
CVE-2017-11763   29698
CVE-2017-11765                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11769                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11771                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11772                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11774                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11775                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11776                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11777                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11779                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11780                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11781   *29694
CVE-2017-11782                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11783                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11784                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11785                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11786                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11790   *29151
CVE-2017-11792                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11793   29705
CVE-2017-11794   *29687
CVE-2017-11796                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11797                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11798   29706
CVE-2017-11799                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11800   28925
CVE-2017-11801                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11802                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11804                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11805                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11806                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11807                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11808                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11809                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11810   29707
CVE-2017-11811                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11812                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11813                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11814                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11815                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11816                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11817                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11818                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11819                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11820                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11821                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11822   29704
CVE-2017-11823                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11824                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11825                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11826                              Insufficient information currently available
CVE-2017-11829                              Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8689    29692
CVE-2017-8693                               Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8694    29693
CVE-2017-8703                               Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8715                               Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8717                               Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8718                               Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8726                               Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8727    29699

Zero-Day Filters

There are four new zero-day filters covering two vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Microsoft (2)

•  29695: ZDI-CAN-5067: Zero Day Initiative Vulnerability (Microsoft Chakra)
•  29741: HTTP: Microsoft Windows WAV File Denial-of-Service Vulnerability (ZDI-17-838)

Trend Micro (2)

•  29701: HTTPS: Trend Micro Mobile Security Enterprise slink_id SQL Injection (ZDI-17-803)
•  29710: HTTPS: Trend Micro InterScan Messaging Security Proxy Command Injection Vulnerability (ZDI-17-502,504)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.