Last Updated: 2017-03-14 17:54:36 UTC
by Johannes Ullrich (Version: 1)
Today, Microsoft released its monthly security bulletins. February's delayed release was combined with this March release, which likely explains the large number of bulletins (18 total, including the Adobe Flash bulletin).
You can review the patch summary here: https://isc.sans.edu/mspatchdays.html?viewday=2017-03-14 or via our API.
Probably the most "scary" set of vulnerabilities in this update are CVE 2017-0143, CVE 2017-0144, CVE 2017-0145, CVE 2017-0146 and CVE 2017-0148. These are remote code execution vulnerabilities in SMB that allow an unauthenticated user to execute arbitrary code. Microsoft rates the exploitability as "1", indicating that it wouldn't be terribly difficult to develop an exploit for these. Yes, you already blocked SMB at your perimeter. But further reducing your attack surface is always a good idea. You may want to consider disabling SMBv1 (which should not cause any problems if you only use currently supported Windows versions).
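As an added illustration of that last recommendation (this is not part of the diary, and not Microsoft's own guidance), the following PowerShell first audits whether any client still negotiates SMB1 and only then disables it. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer with the SmbShare module; the SMB1 audit switch and event 3000 exist on Windows 10 / Server 2016 and later.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the ISC diary: audit, then disable, SMBv1.
# Assumes an elevated PowerShell session on a host with the SmbShare module.

# 1. Current server-side state.
$cfg = Get-SmbServerConfiguration
"SMB1 accepted by this server: $($cfg.EnableSMB1Protocol)"

# 2. Turn on SMB1 access auditing (Windows 10 / Server 2016 and later) and
#    let it run for a while; every SMB1 session then logs event 3000 in the
#    Microsoft-Windows-SMBServer/Audit log, naming the client address.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. List clients that still spoke SMB1 since auditing was enabled.
$smb1Clients = Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    ForEach-Object { $_.Message } |
    Sort-Object -Unique
if ($smb1Clients) {
    "Clients still using SMB1 (migrate these before disabling):"
    $smb1Clients
    return
}

# 4. Outbound side: shares this host has mounted as a client, with the
#    negotiated dialect (anything below 2.0 is SMB1).
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect

# 5. Nothing legacy seen: stop the server service from accepting SMB1 ...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# ... and remove the SMB1 client/server components where the OS offers that.
if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
elseif (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
    Remove-WindowsFeature FS-SMB1
}
```

Step 3 is deliberately a hard stop: an old multifunction printer or NAS that only speaks SMB1 is the usual reason this change breaks something, and the audit log finds it before the change does.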
The other two server related bulletins, MS17-015 for Exchange and MS17-016 for IIS, are more benign in comparison. Both are XSS vulnerabilities and could be used to elevate privileges by running code in an administrator's browser.
Some of the highlights:
Six of the bulletins include vulnerabilities that have either already been made public or that are already being exploited:
MS17-006: One of the Internet Explorer information disclosure vulnerabilities (CVE 2017-0008) has been publicly disclosed in the past. This vulnerability applies to Internet Explorer and Edge (MS17-007).
MS17-007: In addition to CVE 2017-0008, there is a remote code execution vulnerability (CVE 2017-0037) that has been disclosed publicly. There are also three different spoofing vulnerabilities that have been disclosed publicly.
MS17-012: A denial of service vulnerability (CVE 2017-0016) has been publicly disclosed. Microsoft does not list this one as exploited, but an exploit has been publicly available for a bit over a month now. This is the SMB_TREE_CONNECT vulnerability that made quite a few headlines when it was released.
MS17-013: One of the 4 GDI elevation of privilege vulnerabilities (CVE 2017-0005) has already been exploited, but details had not been disclosed publicly.
MS17-017: A privilege escalation vulnerability in the Windows Kernel (CVE 2017-0050) has been publicly disclosed.
MS17-022: The XML Core Services Information Disclosure Vulnerability (CVE 2017-0022) has already been exploited. This exploit would target a client: by getting it to load a malicious XML file, an attacker may learn about the existence of files on the disk.