Virtual Patching in the Spotlight Due to Unpatched Microsoft Vulnerabilities

Due to three recently disclosed Microsoft vulnerabilities, the use of Intrusion prevention system (IPS) protection to shield against vulnerabilities (often referred to as Virtual Patching) is back in the spotlight. These allow systems to be protected even if patches have not yet been released by vendors. The vulnerabilities were in the following components:

  1. Core SMB service
  2. Microsoft Internet Explorer and Microsoft Edge
  3. Graphics Device Interface

Let’s take a quick look at these vulnerabilities to understand them and their potential impact. We will also look at what mitigations you can use in the absence of patches for these.

CVE-2017-0016

This vulnerability is a memory corruption bug in the way Windows handles SMB traffic. To carry out this attack, a computer (or a user) has to be lured into connecting to a malicious SMB server. The malicious server serves packets that cause the connecting computer to crash. Proof of concept exploit code for this vulnerability is already publicly disclosed.

The vulnerability does not allow remote code execution and its impact is limited to a denial of Service, causing the computer to restart. The mitigations for this vulnerability are:

  • Limit outgoing access on ports 139 and 445.
  • Deploy IPS protection.

CVE-2017-0037

This vulnerability is a type confusion vulnerability in Microsoft Internet Explorer and Edge browsers. To exploit this vulnerability, an attacker would need to convince a user to visit a malicious web link. The link could be sent via email or chat, or embedded in documents. Details of this vulnerability, including proof-of-concept code, have been released by Google Project Zero.

This vulnerability allows an attacker to run arbitrary code with the same privileges as the logged-in user. The following mitigations may be useful:

  • Deploy IPS protection
  • Email filtering for phishing attacks
  • Web Reputation to block hosted scripts
  • Reduce accounts with administrator rights to reduce risk

CVE-2017-0038

This is a vulnerability in the Graphics Device Interface (GDI) component of Windows. GDI is used to render items like images and fonts on a display device or printer. To exploit this vulnerability, an attacker would need to entice victims to render a font or an image. The image or font could be embedded in a document as well. The attack can be delivered as an email attachment or through file-sharing. Details of this vulnerability, including proof-of-concept code, have been released by Google Project Zero.

This vulnerability allows disclosure of memory, which could leak sensitive information. The following mitigation can be used:

  • Deploy IPS protection.
  • Educate employees to not open attachments, and to open links only from trusted sources.

Trend Micro Deep Security provides protection against these vulnerabilities. Here are the details on the rules and disclosure timelines around these vulnerabilities.

CVE Deep Security Rule release date Disclosure date. Rule Name
CVE-2017-0016 Feb 2, 2017 Feb 1, 2017 1008138-Microsoft Windows Stack Overflow Remote Code Execution Vulnerability
CVE-2017-0038 Feb 20, 2017 Feb 21, 2017 1008171-Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2017-0038)
CVE-2017-0037 Feb 27, 2017 Feb 25, 2017 1008153-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-0037)

TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:

  • 26893: SMB: Microsoft Windows mrxsmb20.dll Denial-of-Service Vulnerability
  • 26904: HTTP: Microsoft Windows EMF Parsing Information Disclosure Vulnerability

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Virtual Patching in the Spotlight Due to Unpatched Microsoft Vulnerabilities

Source: TrendLabs Security Intelligence Blog @ March 2, 2017 at 06:15AM

0
Share