Windows 2008 September 2017 Multiple Security Updates

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host is affected by multiple vulnerabilities.

Description :

The remote Windows host is missing multiple security updates released
on 2017/09/12. It is, therefore, affected by multiple
vulnerabilities :

- An information disclosure vulnerability exists when
Windows Hyper-V on a host operating system fails to
properly validate input from an authenticated user on a
guest operating system. To exploit the vulnerability, an
attacker on a guest operating system could run a
specially crafted application that could cause the
Hyper-V host operating system to disclose memory
information. An attacker who successfully exploited the
vulnerability could gain access to information on the
Hyper-V host operating system. The security update
addresses the vulnerability by correcting how Hyper-V
validates guest operating system user input.
(CVE-2017-8707)

- An information disclosure vulnerability exists in the
Windows System Information Console when it improperly
parses XML input containing a reference to an external
entity. An attacker who successfully exploited this
vulnerability could read arbitrary files via an XML
external entity (XXE) declaration. To exploit the
vulnerability, an attacker could create a file
containing specially crafted XML content and convince an
authenticated user to open the file. The update
addresses the vulnerability by modifying the way that
the Windows System Information Console parses XML input.
(CVE-2017-8710)

- An Information disclosure vulnerability exists in
Windows kernel that could allow an attacker to retrieve
information that could lead to a Kernel Address Space
Layout Randomization (KASLR) bypass. An attacker who
successfully exploited this vulnerability could retrieve
the memory address of a kernel object. To exploit this
vulnerability, an attacker would have to log on to an
affected system and run a specially crafted application.
The security update addresses the vulnerability by
correcting how the Windows kernel handles memory
addresses. (CVE-2017-8687)

- An information disclosure vulnerability exists when the
Microsoft Windows Graphics Component improperly handles
objects in memory. An attacker who successfully
exploited the vulnerability could obtain information to
further compromise the users system. To exploit this
vulnerability, an attacker would have to log on to an
affected system and run a specially crafted application.
The vulnerability would not allow an attacker to execute
code or to elevate user rights directly, but it could be
used to obtain information that could be used to try to
further compromise the affected system. The update
addresses the vulnerability by correcting the way in
which the Windows Graphics Component handles objects in
memory. (CVE-2017-8683)

- A remote code execution vulnerability exists when the
Windows font library improperly handles specially
crafted embedded fonts. An attacker who successfully
exploited this vulnerability could take control of the
affected system. An attacker could then install
programs; view, change, or delete data; or create new
accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could
be less impacted than users who operate with
administrative user rights. There are multiple ways an
attacker could exploit this vulnerability. In a web-
based attack scenario, an attacker could host a
specially crafted website that is designed to exploit
this vulnerability and then convince a user to view the
website. An attacker would have no way to force users to
view the attacker-controlled content. Instead, an
attacker would have to convince users to take action,
typically by getting them to click a link in an email
message or in an Instant Messenger message that takes
users to the attacker's website, or by opening an
attachment sent through email. In a file sharing attack
scenario, an attacker could provide a specially crafted
document file that is designed to exploit this
vulnerability, and then convince a user to open the
document file. The security update addresses the
vulnerabilities by correcting how the Windows font
library handles embedded fonts. (CVE-2017-8682)

- A remote code execution vulnerability exists when
Windows Shell does not properly validate file copy
destinations. An attacker who successfully exploited the
vulnerability could run arbitrary code in the context of
the current user. If the current user is logged on with
administrative user rights, an attacker could take
control of the affected system. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the
system could be less impacted than users who operate
with administrative user rights. To exploit the
vulnerability, a user must open a specially crafted
file. In an email attack scenario, an attacker could
exploit the vulnerability by sending the specially
crafted file to the user and then convincing the user to
open the file. In a web-based attack scenario, an
attacker could host a website (or leverage a compromised
website that accepts or hosts user-provided content)
that contains a specially crafted file designed to
exploit the vulnerability. An attacker would have no way
to force a user to visit the website. Instead, an
attacker would have to convince a user to click a link,
typically by way of an enticement in an email or Instant
Messenger message, and then convince the user to open
the specially crafted file. The security update
addresses the vulnerability by helping to ensure that
Windows Shell validates file copy destinations.
(CVE-2017-8699)

- An information disclosure vulnerability exists when the
Windows kernel fails to properly initialize a memory
address, allowing an attacker to retrieve information
that could lead to a Kernel Address Space Layout
Randomization (KASLR) bypass. An attacker who
successfully exploited this vulnerability could retrieve
the base address of the kernel driver from a compromised
process. To exploit this vulnerability, an attacker
would have to log on to an affected system and run a
specially crafted application. The security update
addresses the vulnerability by correcting how the
Windows kernel handles memory addresses. (CVE-2017-8708)

- An information disclosure vulnerability exists when
Windows Uniscribe improperly discloses the contents of
its memory. An attacker who successfully exploited the
vulnerability could obtain information to further
compromise the users system. There are multiple ways an
attacker could exploit the vulnerability, such as by
convincing a user to open a specially crafted document
or by convincing a user to visit an untrusted webpage.
The update addresses the vulnerability by correcting how
Windows Uniscribe handles objects in memory.
(CVE-2017-8695)

- An elevation of privilege vulnerability exists in
Windows when the Win32k component fails to properly
handle objects in memory. An attacker who successfully
exploited this vulnerability could run arbitrary code in
kernel mode. An attacker could then install programs;
view, change, or delete data; or create new accounts
with full user rights. To exploit this vulnerability, an
attacker would first have to log on to the system. An
attacker could then run a specially crafted application
that could exploit the vulnerability and take control of
an affected system. The update addresses this
vulnerability by correcting how Win32k handles objects
in memory. (CVE-2017-8720)

- A information disclosure vulnerability exists when the
Windows GDI+ component improperly discloses kernel
memory addresses. An attacker who successfully exploited
the vulnerability could obtain information to further
compromise the users system. To exploit this
vulnerability, an attacker would have to log on to an
affected system and run a specially crafted application.
The vulnerability would not allow an attacker to execute
code or to elevate user rights directly, but it could be
used to obtain information that could be used to try to
further compromise the affected system. The security
update addresses the vulnerability by correcting how the
Windows GDI+ component handles objects in memory.
(CVE-2017-8680, CVE-2017-8681, CVE-2017-8684,
CVE-2017-8685)

- A remote code execution vulnerability exists due to the
way Windows Uniscribe handles objects in memory. An
attacker who successfully exploited this vulnerability
could take control of the affected system. An attacker
could then install programs; view, change, or delete
data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users
who operate with administrative user rights. There are
multiple ways an attacker could exploit this
vulnerability: In a web-based attack scenario, an
attacker could host a specially crafted website designed
to exploit this vulnerability and then convince a user
to view the website. An attacker would have no way to
force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to
take action, typically by getting them to click a link
in an email or instant message that takes users to the
attacker's website, or by opening an attachment sent
through email. In a file-sharing attack scenario, an
attacker could provide a specially crafted document file
designed to exploit this vulnerability and then convince
a user to open the document file.The security update
addresses the vulnerability by correcting how Windows
Uniscribe handles objects in memory. (CVE-2017-8696)

- An information disclosure vulnerability exists in the
way that the Windows Graphics Device Interface+ (GDI+)
handles objects in memory, allowing an attacker to
retrieve information from a targeted system. By itself,
the information disclosure does not allow arbitrary code
execution; however, it could allow arbitrary code to be
run if the attacker uses it in combination with another
vulnerability. To exploit this vulnerability, an
attacker would have to log on to an affected system and
run a specially crafted application. The security update
addresses the vulnerability by correcting how GDI+
handles memory addresses. (CVE-2017-8688)

- An elevation of privilege vulnerability exists in
Windows when the Windows kernel-mode driver fails to
properly handle objects in memory. An attacker who
successfully exploited this vulnerability could run
arbitrary code in kernel mode. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights. To exploit
this vulnerability, an attacker would first have to log
on to the system. An attacker could then run a specially
crafted application that could exploit the vulnerability
and take control of an affected system. The update
addresses this vulnerability by correcting how the
Windows kernel-mode driver handles objects in memory.
(CVE-2017-8675)

- A spoofing vulnerability exists in Microsoft's
implementation of the Bluetooth stack. An attacker who
successfully exploited this vulnerability could perform
a man-in-the-middle attack and force a user's computer
to unknowingly route traffic through the attacker's
computer. The attacker can then monitor and read the
traffic before sending it on to the intended recipient.
To exploit the vulnerability, the attacker needs to be
within the physical proximity of the targeted user, and
the user's computer needs to have Bluetooth enabled. The
attacker can then initiate a Bluetooth connection to the
target computer without the user's knowledge. The
security update addresses the vulnerability by
correcting how Windows handles Bluetooth requests.
(CVE-2017-8628)

- An information disclosure vulnerability exists when the
Windows kernel improperly handles objects in memory. An
attacker who successfully exploited this vulnerability
could obtain information to further compromise the users
system. To exploit this vulnerability, an attacker would
have to log on to an affected system and run a specially
crafted application. The vulnerability would not allow
an attacker to execute code or to elevate user rights
directly, but it could be used to obtain information
that could be used to try to further compromise the
affected system. The update addresses the vulnerability
by correcting how the Windows kernel handles objects in
memory. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,
CVE-2017-8719)

- An information disclosure vulnerability exists in the
way that the Windows Graphics Device Interface (GDI)
handles objects in memory, allowing an attacker to
retrieve information from a targeted system. By itself,
the information disclosure does not allow arbitrary code
execution; however, it could allow arbitrary code to be
run if the attacker uses it in combination with another
vulnerability. To exploit this vulnerability, an
attacker would have to log on to an affected system and
run a specially crafted application. Note that where the
severity is indicated as Critical in the Affected
Products table, the Preview Pane is an attack vector for
this vulnerability. The security update addresses the
vulnerability by correcting how GDI handles memory
addresses. (CVE-2017-8676)

See also :

https://support.microsoft.com/en-us/help/4032201/title
https://support.microsoft.com/en-us/help/4034786/title
https://support.microsoft.com/en-us/help/4038874/title
https://support.microsoft.com/en-us/help/4039038/title
https://support.microsoft.com/en-us/help/4039266/title
https://support.microsoft.com/en-us/help/4039325/title
https://support.microsoft.com/en-us/help/4039384/title

Solution :

Apply the following security updates :

- KB4032201
- KB4034786
- KB4038874
- KB4039038
- KB4039266
- KB4039325
- KB4039384

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.6
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true