GovCERT.HK - Security Alert (A17-12-07): Multiple Vulnerabilities in Microsoft Products (December 2017)

Description:

Microsoft has released 23 security updates addressing multiple vulnerabilities which affect several Microsoft products or components and 7 of them enhancing the security as a defense in depth measure.

As a proof-of-concept exploit code against the Windows vulnerabilities was reported to be publicly released soon, the risk of cyber attacks on the vulnerable systems will be elevated. Users are advised to take immediate action to patch the Windows operating systems following the recommendations in the security alerts A17-12-07 and A17-10-03.

The Google researchers reported the details about exploiting the Windows vulnerabilities in the local network environment, involving Web Proxy Auto Discovery Protocol (WPAD), Proxy Auto-Config (PAC) and JScript.
A successful attack could lead to remote code execution and elevation of privilege on an affected system. In particular, the exploitation makes use of the following 7 vulnerabilities:
CVE-2017-11793
CVE-2017-11810
CVE-2017-11855
CVE-2017-11890
CVE-2017-11903
CVE-2017-11906
CVE-2017-11907

Affected Systems:

Microsoft Internet Explorer 9, 10, 11
Microsoft Edge
Microsoft Windows 7, 8.1, RT 8.1, 10
Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
Microsoft Windows Server, version 1709
Microsoft Office 2010, 2013, 2013 RT, 2016, 2016 for Mac, 2016 Click-to-Run
Microsoft Word 2007, 2010, 2013, 2013 RT, 2016
Microsoft SharePoint Enterprise Server 2016
Microsoft Exchange Server 2013, 2016
ChakraCore

A complete list of the affected products can be found at:

https://portal.msrc.microsoft.com/en-us/security-guidance

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, information disclosure, security feature bypass or spoofing.

Recommendation:

Patches for affected products are available from the Windows Update/Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/c383fa60-b852-e711-80dd-000d3a32f9b6
https://support.microsoft.com/en-us/help/20171212/security-update-deployment-information
https://www.hkcert.org/my_url/en/alert/17121301
https://www.us-cert.gov/ncas/current-activity/2017/12/12/Microsoft-Releases-December-2017-Security-Updates
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170021
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170022
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11885 (to CVE-2017-11890)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11893 (to CVE-2017-11895)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11905 (to CVE-2017-11914)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11916
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11918 (to CVE-2017-11919)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11934 (to CVE-2017-11936)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11939
https://googleprojectzero.blogspot.hk/2017/12/apacolypse-now-exploiting-windows-10-in_18.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11855
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11890
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11903
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11906
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11907

Tag: Microsoft Office , ChakraCore , Microsoft Internet Explorer , Microsoft Edge , Microsoft Windows , Microsoft Windows Server , Microsoft Windows Server version 1709 , Microsoft Office Click-to-Run , Microsoft Word , Microsoft SharePoint Enterprise Server , Microsoft Exchange Server , Web Proxy Auto Discovery Protocol , Proxy Auto-Config , JScript.