KB4022714: Windows 10 Version 1511 June 2017 Cumulative Update

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host is affected by multiple vulnerabilities.

Description :

The remote Windows 10 version 1511 host is missing security update
KB4022714. It is, therefore, affected by multiple vulnerabilities :

- An elevation of privilege vulnerability exists in
Windows Hyper-V instruction emulation due to a failure
to properly enforce privilege levels. An attacker on a
guest operating system can exploit this to gain elevated
privileges on the guest. Note that the host operating
system is not vulnerable. (CVE-2017-0193)

- Multiple security bypass vulnerabilities exist in
Device Guard. A local attacker can exploit these, via a
specially crafted script, to bypass the Device Guard
Code Integrity policy and inject arbitrary code into a
trusted PowerShell process. (CVE-2017-0216,
CVE-2017-0218, CVE-2017-0219)

- Multiple information disclosure vulnerabilities exist in
Windows Uniscribe due to improper handling of objects in
memory. An unauthenticated, remote attacker can exploit
these, by convincing a user to visit a specially crafted
website or to open a specially crafted document, to
disclose the contents of memory. (CVE-2017-0282,
CVE-2017-0284, CVE-2017-0285)

- A remote code execution vulnerability exists in
Windows Uniscribe software due to improper handling of
objects in memory. An unauthenticated, remote attacker
can exploit this, by convincing a user to visit a
specially crafted website or to open a specially crafted
document, to execute arbitrary code in the context
of the current user. (CVE-2017-0283)

- Multiple information disclosure vulnerabilities exist in
the Windows GDI component due to improper handling of
objects in memory. An unauthenticated, remote attacker
can exploit these, by convincing a user to visit a
specially crafted website or open a specially crafted
document, to disclose the contents of memory.
(CVE-2017-0287, CVE-2017-0288, CVE-2017-0289,
CVE-2017-8531, CVE-2017-8532, CVE-2017-8533)

- Multiple remote code execution vulnerabilities exist in
Microsoft Windows due to improper parsing of PDF files.
An unauthenticated, remote attacker can exploit these,
by convincing a user to open a specially crafted PDF
file, to execute arbitrary code in the context of the
current user. (CVE-2017-0291, CVE-2017-0292)

- A remote code execution vulnerability exists in
Microsoft Windows due to improper handling of cabinet
files. An unauthenticated, remote attacker can exploit
this, by convincing a user to open a specially crafted
cabinet file, to execute arbitrary code in the context
of the current user. (CVE-2017-0294)

- An elevation of privilege vulnerability exists in
tdx.sys due to a failure to check the length of a buffer
prior to copying memory to it. A local attacker can
exploit this, via a specially crafted application, to
execute arbitrary code in an elevated context.
(CVE-2017-0296)

- An elevation of privilege vulnerability exists in the
Windows kernel due to improper handling of objects in
memory. A local attacker can exploit this, via a
specially crafted application, to execute arbitrary code
with elevated permissions. (CVE-2017-0297)

- An elevation of privilege vulnerability exists in the
DCOM object in Helppane.exe, when configured to run as
the interactive user, due to a failure to properly
authenticate the client. An authenticated, remote
attacker can exploit this, via a specially crafted
application, to run arbitrary code in another user's
session after that user has logged on to the same system
using Terminal Services or Fast User Switching.
(CVE-2017-0298)

- Multiple information disclosure vulnerabilities exist in
the Windows kernel due to improper initialization of
objects in memory. An authenticated, remote attacker can
exploit these, via a specially crafted application, to
disclose the base address of the kernel driver.
(CVE-2017-0299, CVE-2017-0300, CVE-2017-8462,
CVE-2017-8485)

- An information disclosure vulnerability exists in
Microsoft Windows due to improper parsing of PDF files.
An unauthenticated, remote attacker can exploit this, by
convincing a user to open a specially crafted PDF file,
to disclose the contents of memory. (CVE-2017-8460)

- A remote code execution vulnerability exists in Windows
due to improper handling of shortcuts. An
unauthenticated, remote attacker can exploit this, by
convincing a user to insert a removable drive containing
a malicious shortcut and binary, to automatically
execute arbitrary code in the context of the current
user. (CVE-2017-8464)

- Multiple elevation of privilege vulnerabilities exist in
the Windows kernel-mode driver due to improper handling
of objects in memory. A local attacker can exploit
these, via a specially crafted application, to run
processes in an elevated context. (CVE-2017-8465,
CVE-2017-8466, CVE-2017-8468)

- Multiple information disclosure vulnerabilities exist in
the Windows kernel due to improper initialization of
objects in memory. An authenticated, remote attacker can
exploit these, via a specially crafted application, to
disclose sensitive information. (CVE-2017-8470,
CVE-2017-8471, CVE-2017-8473, CVE-2017-8474,
CVE-2017-8475, CVE-2017-8476, CVE-2017-8477,
CVE-2017-8478, CVE-2017-8479, CVE-2017-8480,
CVE-2017-8481, CVE-2017-8482, CVE-2017-8483,
CVE-2017-8484, CVE-2017-8489, CVE-2017-8490,
CVE-2017-8491, CVE-2017-8492)

- A security bypass vulnerability exists due to a failure
to enforce case sensitivity for certain variable checks.
A local attacker can exploit this, via a specially
crafted application, to bypass Unified Extensible
Firmware Interface (UEFI) variable security.
(CVE-2017-8493)

- An elevation of privilege vulnerability exists in the
Windows Secure Kernel Mode feature due to a failure to
properly handle objects in memory. A local attacker can
exploit this, via a specially crafted application, to
bypass virtual trust levels (VTL). (CVE-2017-8494)

- A denial of service vulnerability exists in Windows due
to improper handling of kernel mode requests. An
unauthenticated, remote attacker can exploit this, via a
specially crafted kernel mode request, to cause the
machine to stop responding or reboot. (CVE-2017-8515)

- Multiple remote code execution vulnerabilities exist in
Microsoft browsers in the JavaScript engines due to
improper handling of objects in memory. An
unauthenticated, remote attacker can exploit these, by
convincing a user to visit a specially crafted website,
to execute arbitrary code in the context of the current
user. (CVE-2017-8517, CVE-2017-8522, CVE-2017-8524,
CVE-2017-8548)

- A same-origin policy bypass vulnerability exists in
Microsoft Edge due to a failure to properly apply the
Same Origin Policy for HTML elements. An
unauthenticated, remote attacker can exploit this, by
convincing a user to follow a link, to load a page with
malicious content. (CVE-2017-8523)

- A remote code execution vulnerability exists in the
Windows font library due to improper handling of
embedded fonts. An unauthenticated, remote attacker can
exploit this, by convincing a user to visit a specially
crafted website or open a specially crafted Microsoft
document, to execute arbitrary code in the context of
the current user. (CVE-2017-8527)

- An information disclosure vulnerability exists in
Microsoft browsers in the scripting engines due to
improper handling of objects in memory. An
unauthenticated, remote attacker can exploit this, by
convincing a user to visit a specially crafted website,
to disclose files on a user's computer. (CVE-2017-8529)*

- A same-origin policy bypass vulnerability exists in
Microsoft Edge due to a failure to properly enforce
same-origin policies. An unauthenticated, remote
attacker can exploit this, by convincing a user to visit
a specially crafted website, to disclose information
from origins outside the current one. (CVE-2017-8530)

- A remote code execution vulnerability exists in the
Windows Search functionality due to improper handling of
objects in memory. An unauthenticated, remote attacker
can exploit this, via a specially crafted SMB message,
to execute arbitrary code. (CVE-2017-8543)

- An information disclosure vulnerability exists in the
Windows Search functionality due to improper handling of
objects in memory. An unauthenticated, remote attacker
can exploit this, via a specially crafted SMB message,
to disclose sensitive information. (CVE-2017-8544)

- A remote code execution vulnerability exists in Internet
Explorer due to improper handling of objects in memory.
An unauthenticated, remote attacker can exploit this, by
convincing a user to visit a specially crafted website,
to execute arbitrary code in the context of the current
user. (CVE-2017-8547)

- A remote code execution vulnerability exists in
Microsoft Edge in the JavaScript scripting engine due to
improper handling of objects in memory. An
unauthenticated, remote attacker can exploit this, by
convincing a user to visit a specially crafted website,
to execute arbitrary code in the context of the current
user. (CVE-2017-8549)

- An information disclosure vulnerability exists in the
Windows Graphics component due to improper handling of
objects in memory. An authenticated, remote attacker can
exploit this, via a specially crafted application, to
disclose sensitive information. (CVE-2017-8575)

- An elevation of privilege vulnerability exists in the
Windows Graphics component due to improper
initialization of objects in memory. A local attacker
can exploit this, via a specially crafted application,
to execute arbitrary code in kernel mode.
(CVE-2017-8576)

- An elevation of privilege vulnerability exists in DirectX
due to improper handling of objects in memory. A local
attacker can exploit this, via a specially crafted
application, to execute arbitrary code in kernel mode.
(CVE-2017-8576)

- An information disclosure vulnerability exists in the
Windows kernel due to improper handling of objects in
memory. An authenticated, remote attacker can exploit
this, via a specially crafted application, to disclose
the contents of memory. (CVE-2017-8554)

* Note that a registry value must be added to enable the
fix for CVE-2017-8529. If the patch is installed but
not enabled, the registry key needed will be detailed
in the output below.

See also :

http://www.nessus.org/u?46ed25c8

Solution :

Apply security update KB4022714.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true