Stop. Think. Connect.

Protect Yourself Online

The Stop. Think. Connect.™ web site contains resources and hints to help you protect yourself and your family against many online risks.

Arm yourself with the hints, tips, and techniques provided by contributors at www.stopthinkconnect.org/ and the Department of Homeland Security, and experience a safer web!

Kids safe online.


Last Updated: 09/26/2016 12:34 PM



Latest Vulnerability Information

Multiple Vulnerabilities in Mozilla Thunderbird Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER: 2017-075

DATE(S) ISSUED: 08/21/2017

OVERVIEW:


Multiple vulnerabilities have been identified in Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Thunderbird is an email client. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:



There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:


  • Mozilla Thunderbird versions prior to 52.3

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users: LOW


TECHNICAL SUMMARY:



Mozilla has confirmed the following vulnerabilities in Thunderbird versions prior to 52.3.

  • A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. (CVE-2017-7800)
  • A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash. (CVE-2017-7801)
  • A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash. (CVE-2017-7809)
  • A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. (CVE-2017-7784)
  • A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. (CVE-2017-7802)
  • A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash. (CVE-2017-7785)
  • A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. (CVE-2017-7786)
  • An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. (CVE-2017-7753)
  • Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. (CVE-2017-7787)
  • A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. (CVE-2017-7807)
  • A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash. (CVE-2017-7792)
  • The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. (CVE-2017-7804)
  • On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. (CVE-2017-7791)
  • An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. (CVE-2017-7782)
  • When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP. (CVE-2017-7803)
  • Memory safety bugs showed evidence of memory corruption, and we presume that with enough effort some of these could be exploited to run arbitrary code. (CVE-2017-7779)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:



Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER: 2017-074

DATE(S) ISSUED: 08/08/2017

OVERVIEW:


Multiple vulnerabilities have been identified in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:



There is no evidence of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:


  • Mozilla Firefox versions prior to 55

  • Mozilla Firefox ESR versions prior to 52.3

RISK:



Government:


  • Large and medium government entities: N/A

  • Small government entities: MEDIUM

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users: LOW


TECHNICAL SUMMARY:



Mozilla has confirmed the following vulnerabilities in Firefox and Firefox Extended Support Release (ESR).

  • A XUL injection vulnerability with the Developer Tools feature due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. (CVE-2017-7798)
  • A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. (CVE-2017-7800)
  • A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash. (CVE-2017-7801)
  • A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. (CVE-2017-7784)
  • A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. (CVE-2017-7802)
  • A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash. (CVE-2017-7785)
  • A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. (CVE-2017-7786)
  • A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash. (CVE-2017-7806)
  • An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. (CVE-2017-7753)
  • Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. (CVE-2017-7787)
  • A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. (CVE-2017-7807)
  • A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash. (CVE-2017-7792)
  • The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. (CVE-2017-7804)
  • On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. (CVE-2017-7791)
  • A content security policy (CSP) frame-ancestors directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information. (CVE-2017-7808)
  • An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. (CVE-2017-7782)
  • An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. (CVE-2017-7781)
  • On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. Note: This attack only affects the Linux operating system. Other operating systems are not affected. (CVE-2017-7794)
  • When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP. (CVE-2017-7803)
  • JavaScript in the about:webrtc page is not sanitized properly before being assigned to innerHTML. Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack. (CVE-2017-7799)
  • If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service. (CVE-2017-7783)
  • When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not inherit the containing page’s Content Security Policy (CSP) as it should unless the sandbox attribute included allow-same-origin. (CVE-2017-7788)
  • If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. (CVE-2017-7789)
  • On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems. Other operating systems are not affected. (CVE-2017-7790)
  • On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended. Note: This attack only affects Windows operating systems. Other operating systems are not affected. (CVE-2017-7796)
  • Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin. (CVE-2017-7797)
  • Multiple arbitrary code execution vulnerabilities exist due to various memory corruption bugs. (CVE-2017-7779, CVE-2017-7780)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:



CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7796
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7808


Critical Patches Issued for Microsoft Products, August 8, 2017

MS-ISAC ADVISORY NUMBER: 2017-073

DATE(S) ISSUED: 08/08/2017

OVERVIEW:


Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:



There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:


  • Internet Explorer 9, 10, 11

  • Microsoft Edge

  • Microsoft Windows 7, 8.1, RT 8.1

  • Microsoft Windows 10

  • Microsoft Windows Server 2008, 2012, 2016

  • Microsoft SharePoint Server 2010

  • Microsoft SQL Server 2012, 2014, 2016

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users: LOW


TECHNICAL SUMMARY:



Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for code execution.

A full list of all vulnerabilities can be found at the link below.
https://portal.msrc.microsoft.com/en-us/security-guidance

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.

  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:


Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB17-23)

MS-ISAC ADVISORY NUMBER: 2017-072

DATE(S) ISSUED: 08/08/2017

OVERVIEW:


Multiple vulnerabilities have been discovered in Adobe Flash Player, the most severe of which could allow for remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:



There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:


  • Adobe Flash Player Desktop Runtime versions 26.0.0.137 and earlier

  • Adobe Flash Player for Google Chrome versions 26.0.0.137 and earlier

  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 26.0.0.137 and earlier

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users: LOW


TECHNICAL SUMMARY:



Adobe Flash Player is prone to multiple vulnerabilities, the most severe of which could allow for remote code execution.

  • A security bypass vulnerability that could lead to information disclosure (CVE-2017-3085).
  • A type confusion vulnerability that could lead to code execution (CVE-2017-3106).

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Install the updates provided by Adobe immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:



Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Remote Code Execution (APSB17-24)

MS-ISAC ADVISORY NUMBER: 2017-071

DATE(S) ISSUED: 08/08/2017

OVERVIEW:


Multiple vulnerabilities have been discovered in Adobe Acrobat and Adobe Reader, the most severe of which could allow for remote code execution. Adobe Acrobat and Reader allow a user to view, create, manipulate, print and manage files in Portable Document Format (PDF). Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:



There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:


  • Continuous Track: Adobe Acrobat DC versions 2017.009.20058 and prior for Windows and Macintosh

  • Continuous Track: Adobe Acrobat Reader DC versions 2017.009.20058 and prior for Windows and Macintosh

  • Acrobat 2017: Acrobat 2017 versions 2017.008.30051 and prior for Windows and Macintosh

  • Acrobat 2017: Acrobat Reader 2017 versions 2017.008.30051 and prior for Windows and Macintosh

  • Classic Track: Adobe Acrobat DC versions 2015.006.30306 and prior for Windows and Macintosh

  • Classic Track: Adobe Acrobat Reader DC versions 2015.006.30306 and prior for Windows and Macintosh

  • Desktop Track: Adobe Acrobat XI versions 11.0.20 and prior for Windows and Macintosh

  • Desktop Track: Adobe Reader XI versions 11.0.20 and prior for Windows and Macintosh
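The SYSTEMS AFFECTED sections of the advisories on this page state version bounds in two forms that differ in strictness: "versions prior to 52.3" excludes 52.3 itself, while "versions 26.0.0.137 and earlier" and "versions 11.0.20 and prior" include the named version. The Python script below is an added example, not part of any MS-ISAC advisory; it encodes those bounds as written above and checks an inventory of installed versions against them. The inventory contents, the product-name keys and the `LibreOffice` entry are constructed sample data.

```python
"""Triage installed software versions against the affected-version statements
quoted in the MS-ISAC advisories on this page (added example, not advisory text).

Two phrasings appear in the SYSTEMS AFFECTED sections and must not be mixed up:
  * "versions prior to X"          -> affected iff installed <  X  (exclusive)
  * "versions X and earlier/prior" -> affected iff installed <= X  (inclusive)
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRule:
    product: str     # product name as written in the advisory
    bound: str       # version string quoted in the advisory
    inclusive: bool  # True for "and earlier"/"and prior", False for "prior to"
    advisory: str    # MS-ISAC advisory number


# Bounds copied from the SYSTEMS AFFECTED sections above (one rule per product
# for brevity; the Flash and Acrobat advisories list further editions).
RULES: tuple[AffectedRule, ...] = (
    AffectedRule("Mozilla Thunderbird", "52.3", False, "2017-075"),
    AffectedRule("Mozilla Firefox", "55", False, "2017-074"),
    AffectedRule("Mozilla Firefox ESR", "52.3", False, "2017-074"),
    AffectedRule("Adobe Flash Player Desktop Runtime", "26.0.0.137", True, "2017-072"),
    AffectedRule("Adobe Acrobat Reader DC", "2017.009.20058", True, "2017-071"),
    AffectedRule("Adobe Reader XI", "11.0.20", True, "2017-071"),
)


def parse_version(text: str) -> tuple[int, ...]:
    """Normalise a dotted version string into a tuple of ints.

    Segments compare numerically, so the zero-padded "009" in 2017.009.20058
    sorts correctly; trailing zero segments are dropped so that "52.3.0" equals
    "52.3"; a trailing suffix such as "esr" is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, rule: AffectedRule) -> bool:
    """Apply the advisory's bound with the strictness its wording implies."""
    v, b = parse_version(installed), parse_version(rule.bound)
    return v <= b if rule.inclusive else v < b


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (product, installed_version, advisory) for every inventory entry
    that an advisory on this page covers; products without a rule are skipped."""
    rules_by_product = {r.product: r for r in RULES}
    hits = []
    for product, version in sorted(inventory.items()):
        rule = rules_by_product.get(product)
        if rule is not None and is_affected(version, rule):
            hits.append((product, version, rule.advisory))
    return hits


# Constructed sample inventory (not from the page), as an endpoint-management
# export might provide it: product name -> installed version.
SAMPLE_INVENTORY = {
    "Mozilla Thunderbird": "52.2.1",                     # prior to 52.3 -> affected
    "Mozilla Firefox": "55.0",                           # not prior to 55 -> patched
    "Mozilla Firefox ESR": "52.3.0esr",                  # equals exclusive bound -> patched
    "Adobe Flash Player Desktop Runtime": "26.0.0.137",  # equals inclusive bound -> affected
    "Adobe Acrobat Reader DC": "2017.012.20093",         # newer than bound -> patched
    "Adobe Reader XI": "11.0.19",                        # older than bound -> affected
    "LibreOffice": "5.4.0",                              # no rule on this page -> skipped
}

if __name__ == "__main__":
    for product, version, advisory in triage(SAMPLE_INVENTORY):
        print(f"{product} {version}: affected, see MS-ISAC {advisory}")
```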

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users: LOW


TECHNICAL SUMMARY:



Multiple vulnerabilities have been discovered in Adobe Acrobat and Adobe Reader, the most severe of which could allow for remote code execution. The vulnerabilities are as follows:

  • Eleven use-after-free vulnerabilities that could lead to remote code execution (CVE-2017-3113, CVE-2017-3120, CVE-2017-11218, CVE-2017-11219, CVE-2017-11223, CVE-2017-11224, CVE-2017-11231, CVE-2017-11232, CVE-2017-11235, CVE-2017-11254, CVE-2017-11256).
  • Five heap buffer overflow vulnerabilities that could lead to remote code execution (CVE-2017-3117, CVE-2017-3121, CVE-2017-11211, CVE-2017-11220, CVE-2017-11241).
  • Forty-six memory corruption vulnerabilities that could lead to remote code execution (CVE-2017-3016, CVE-2017-3038, CVE-2017-3116, CVE-2017-3119, CVE-2017-3122, CVE-2017-3123, CVE-2017-3124, CVE-2017-11209, CVE-2017-11210, CVE-2017-11212, CVE-2017-11214, CVE-2017-11216, CVE-2017-11217, CVE-2017-11222, CVE-2017-11226, CVE-2017-11227, CVE-2017-11228, CVE-2017-11230, CVE-2017-11233, CVE-2017-11234, CVE-2017-11236, CVE-2017-11237, CVE-2017-11238, CVE-2017-11239, CVE-2017-11242, CVE-2017-11243, CVE-2017-11244, CVE-2017-11245, CVE-2017-11246, CVE-2017-11248, CVE-2017-11249, CVE-2017-11251, CVE-2017-11252, CVE-2017-11255, CVE-2017-11258, CVE-2017-11259, CVE-2017-11260, CVE-2017-11261, CVE-2017-11262, CVE-2017-11263, CVE-2017-11265, CVE-2017-11267, CVE-2017-11268, CVE-2017-11269, CVE-2017-11270, CVE-2017-11271).
  • Two type confusion vulnerabilities that could lead to remote code execution (CVE-2017-11221, CVE-2017-11257).
  • Two security bypass vulnerabilities that could lead to remote code execution (CVE-2017-3118, CVE-2017-11229).
  • One insufficient verification of data authenticity vulnerability that could lead to information disclosure (CVE-2017-3115).

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Install the updates provided by Adobe immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:



CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11230
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11257
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11271


Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:


2017-070

DATE(S) ISSUED:


08/08/2017

OVERVIEW:


Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:



There are currently no reports of these vulnerabilities being exploited in the wild.

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: HIGH

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: HIGH

Home Users:
HIGH


TECHNICAL SUMMARY:



Google Android OS is prone to multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • An arbitrary code execution vulnerability exists in Framework. (CVE-2017-0712)
  • An arbitrary code execution vulnerability exists in Libraries. (CVE-2017-0713)
  • Multiple arbitrary code execution vulnerabilities exist in Media framework. (CVE-2017-0714, CVE-2017-0715, CVE-2017-0716, CVE-2017-0718, CVE-2017-0719, CVE-2017-0720, CVE-2017-0721, CVE-2017-0722, CVE-2017-0723, CVE-2017-0745, CVE-2017-0724, CVE-2017-0725, CVE-2017-0726, CVE-2017-0727, CVE-2017-0728, CVE-2017-0729, CVE-2017-0730, CVE-2017-0731, CVE-2017-0732, CVE-2017-0733, CVE-2017-0734, CVE-2017-0735, CVE-2017-0736, CVE-2017-0737, CVE-2017-0738, CVE-2017-0739)
  • An arbitrary code execution vulnerability exists in Broadcom components. (CVE-2017-0740)
  • Multiple arbitrary code execution vulnerabilities exist in Kernel components. (CVE-2017-10661, CVE-2017-0750, CVE-2017-10662, CVE-2017-10663, CVE-2017-0749)
  • Multiple arbitrary code execution vulnerabilities exist in MediaTek components. (CVE-2017-0741, CVE-2017-0742)
  • Multiple arbitrary code execution vulnerabilities exist in Qualcomm components. (CVE-2017-0746, CVE-2017-0747, CVE-2017-9678, CVE-2017-9691, CVE-2017-9684, CVE-2017-9682)
  • Multiple unspecified vulnerabilities exist in Google device updates. (CVE-2017-0744, CVE-2017-9679, CVE-2017-9680, CVE-2017-0748, CVE-2017-9681, CVE-2017-9693, CVE-2017-9694, CVE-2017-0751, CVE-2017-9692)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Apply appropriate updates provided by Google or mobile carriers to vulnerable systems, immediately after appropriate testing.

  • Remind users to download apps only from trusted vendors in the Play Store.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.

REFERENCES:



CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0716
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0721
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9678
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10663


Multiple Vulnerabilities in Microsoft Office and Outlook Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:


2017-069

DATE(S) ISSUED:


07/28/2017

OVERVIEW:


Multiple vulnerabilities have been discovered in Microsoft Office and Outlook, the most severe of which could allow for remote code execution. Microsoft Office is a suite of applications and services, most notably packaged with Microsoft Word, Excel and PowerPoint. Microsoft Outlook is a personal information manager mainly used for email. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:



There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:


  • Microsoft Office 2010 Click-to-Run (C2R) for 32 & 64 bit editions

  • Microsoft Office 2013 Click-to-Run (C2R) for 32 & 64 bit editions

  • Microsoft Office 2016 Click-to-Run (C2R) for 32 & 64 bit editions

  • Microsoft Outlook 2007 Service Pack 3

  • Microsoft Outlook 2010 Service Pack 2 for 32 & 64 bit editions

  • Microsoft Outlook 2013 RT Service Pack 1

  • Microsoft Outlook 2013 Service Pack 1 for 32 & 64 bit editions

  • Microsoft Outlook 2016 for 32 & 64 bit editions

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: HIGH

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: HIGH

Home Users:
HIGH


TECHNICAL SUMMARY:



Multiple vulnerabilities have been discovered in Microsoft Office and Outlook, the most severe of which could allow for remote code execution. These vulnerabilities can be exploited if a user opens a specially crafted file with an affected version of Microsoft Outlook. An attacker could also provide a specially crafted document file designed to exploit the vulnerability, and then convince a user to open the document file and interact with the document by clicking a specific cell. Details of the vulnerabilities are as follows:

  • A security feature bypass vulnerability exists when Microsoft Office Outlook improperly handles input (CVE-2017-8571).
  • An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory (CVE-2017-8572).
  • A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages (CVE-2017-8663).

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or open attachments provided by unknown or un-trusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:



Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:


2017-068

DATE(S) ISSUED:


07/26/2017

OVERVIEW:


Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.

THREAT INTELLIGENCE:



There are currently no reports of these vulnerabilities being exploited in the wild.


AUGUST 17 - UPDATED THREAT INTELLIGENCE:

An additional vulnerability has been discovered in Google Chrome which could allow for remote code execution. Proof-of-concept code that reproduces the vulnerability is publicly available. Affected versions of Google Chrome are 59 and earlier. Google announced that no patch will be provided for this vulnerability and that the only mitigation is to upgrade to the current version, version 60.

SYSTEMS AFFECTED:


  • Google Chrome prior to 60.0.3112.78

RISK:



Government:


  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

Businesses:


  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

Home Users:
LOW


TECHNICAL SUMMARY:



Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

  • Use after free in IndexedDB. (CVE-2017-5091)
  • Use after free in PPAPI. (CVE-2017-5092)
  • UI spoofing in Blink. (CVE-2017-5093)
  • Type confusion in extensions. (CVE-2017-5094)
  • Out-of-bounds write in PDFium. (CVE-2017-5095)
  • User information leak via Android intents. (CVE-2017-5096)
  • Out-of-bounds read in Skia. (CVE-2017-5097)
  • Use after free in V8. (CVE-2017-5098)
  • Out-of-bounds write in PPAPI. (CVE-2017-5099)
  • Use after free in Chrome Apps. (CVE-2017-5100)
  • URL spoofing in OmniBox. (CVE-2017-5101)
  • Uninitialized use in Skia. (CVE-2017-5102)
  • Uninitialized use in Skia. (CVE-2017-5103)
  • UI spoofing in browser. (CVE-2017-5104)
  • Pointer disclosure in SQLite. (CVE-2017-7000)
  • URL spoofing in OmniBox. (CVE-2017-5105)
  • URL spoofing in OmniBox. (CVE-2017-5106)
  • User information leak via SVG. (CVE-2017-5107)
  • Type confusion in PDFium. (CVE-2017-5108)
  • UI spoofing in browser. (CVE-2017-5109)
  • UI spoofing in payments dialog. (CVE-2017-5110)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.

RECOMMENDATIONS:



We recommend the following actions be taken:



  • Apply appropriate patches provided by Google to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.
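The first recommendation above only helps if you can tell which hosts are still running a build older than the fixed release. The script below is an added example, not MS-ISAC or Google code: it compares installed Chrome versions against the 60.0.3112.78 threshold named in SYSTEMS AFFECTED and buckets hosts from an inventory export. The tab-separated "hostname, version" layout and the host names are constructed assumptions, not a real inventory format or real machines. The one thing worth learning from it is the comparison itself: version strings must be compared as tuples of integers, because a plain string comparison puts "9.0.597.107" after "60.0.3112.78" and would silently mark an ancient install as patched.

```python
"""Check installed Google Chrome builds against the fixed release in the
advisory (60.0.3112.78).

Added example; not part of the MS-ISAC advisory and not Google tooling.
The fixed version is the one quoted under SYSTEMS AFFECTED; the inventory
format and host names below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# From the advisory: "Google Chrome prior to 60.0.3112.78" is affected.
FIXED_CHROME = "60.0.3112.78"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '60.0.3112.78' into (60, 0, 3112, 78).

    Tuples of ints compare component by component, which is what a version
    comparison needs. Raises ValueError for anything that is not dotted
    digits, so junk inventory values are never treated as patched.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_CHROME) -> bool:
    """True when `installed` is strictly older than `fixed`.

    Shorter strings are zero-padded so that '59' compares as 59.0.0.0,
    matching the updated note that version 59 and earlier are affected.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample inventory ("hostname<TAB>chrome_version"); not real hosts.
SAMPLE_INVENTORY = """\
ws-001\t59.0.3071.115
ws-002\t60.0.3112.78
ws-003\t60.0.3112.90
ws-004\t9.0.597.107
ws-005\tnot-installed
"""


def triage(inventory: str, fixed: str = FIXED_CHROME) -> Dict[str, List[str]]:
    """Split inventory lines into vulnerable, patched and unknown hosts."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        try:
            bucket = "vulnerable" if is_vulnerable(version, fixed) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable value: needs a human look, not a pass
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" should be treated as unverified rather than patched; a missing or malformed version is exactly the case a naive string comparison gets wrong.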

REFERENCES: