(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft Windows Hyper-V CVE-2017-0021 Memory Corruption Vulnerability
Adobe Flash Player APSB17-07 Multiple Use After Free Remote Code Execution Vulnerabilities
Adobe Flash Player APSB17-07 Multiple Memory Corruption Vulnerabilities
Microsoft Internet Explorer and Edge CVE-2017-0037 Remote Memory Corruption Vulnerability
Microsoft Windows CVE-2017-0038 Incomplete Fix Information Disclosure Vulnerability
Microsoft Windows Graphics Component CVE-2017-0073 Local Information Disclosure Vulnerability
Microsoft Windows Graphics CVE-2017-0025 Local Privilege Escalation Vulnerability
Microsoft Edge Fetch API allows setting of arbitrary request headers

Enlarge (credit: AlienVault)

Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.

As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug, Jaime Blasco, chief scientist with security firm AlienVault Labs, told Ars. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK, (3), and Indonesia (3). In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week's wave. AlienVault has responded by updating the signatures it uses to detect the attacks.

The five-year-old vulnerability resides in Web applications that were developed using a buggy version of Apache Struts. In many cases, the use of a single such app allows attackers to inject commands of their choice into the Web server hosting it. Like the attacks seen last week, the exploits are being used to infect vulnerable servers with a wide variety of malware.

Read 4 remaining paragraphs | Comments

Microsoft Windows Uniscribe CVE-2017-0088 Remote Code Execution Vulnerability
Microsoft Windows Uniscribe CVE-2017-0086 Remote Code Execution Vulnerability
Microsoft Windows Uniscribe CVE-2017-0084 Remote Code Execution Vulnerability
SAP ERP Remote Authorization Bypass Vulnerability
Adobe Flash Player CVE-2017-3000 Information Disclosure Vulnerability
Adobe Flash Player CVE-2017-2997 Buffer Overflow Vulnerability
Trend Micro InterScan Messaging Security CVE-2017-6398 Remote Code Execution Vulnerability
Oracle Java SE CVE-2016-5548 Remote Security Vulnerability
Oracle Java SE CVE-2016-5549 Remote Security Vulnerability
Oracle Java SE and JRockit CVE-2017-3253 Remote Security Vulnerability

Today, Microsoft released its monthly security bulletins. Februarys delayed release was combined with this March release, which likely caused the large number of bulletins (18 total, which includes the Adobe Flash bulletin)

You can review the patch summary here:https://isc.sans.edu/mspatchdays.html?viewday=2017-03-14or via our API.

Probably the most scary set of vulnerabilities in this update are %%cve:2017-0143%%, %%cve:2017-0144%%, %%cve:2017-0145%%,%%cve:2017-0146%%,%%cve:2017-0148%% . These are remote code execution vulnerabilities that allow an unauthenticated user to execute arbitrary code. Microsoft rates the exploitability with 1, indicating that it wouldnt be terribly difficult to develop an exploit for these. Yes, you already blocked SMB at your perimeter. But further reducing your attack surface is always a good idea. You may want to consider disabling SMBv1 (which should not cause any problems if you only use currently supported Windows versions).

The other two server related bulletins, MS17-015 for Exchange and MS17-016 for IIS, are more benign in comparison. Both are XSS vulnerabilities and could be used to elevate privileges by running code in an administrators browser.

Some of the highlights:

Six of the bulletins include vulnerabilities that have either already been made public or that are already being exploited:

MS17-006: One of the Internet Explorer information disclosure vulnerabilities (%%cve:2017-0008%%) has been publicly disclosed in the past. This vulnerability applies to Internet Explorer and Edge (MS17-007).

MS17-007: In addition to %%cve:2017-0008%%, there is a remote code execution vulnerability(%cve:2017-0037%%) that has been disclosed publicly. There are also three different spoofing vulnerabilities that have been disclosed publicly.

MS17-012: A denial of service vulnerability (%%cve:2017-0016%%) has been publicly disclosed. Microsoft does not list this one as exploited, but an exploit has been publicly available for a bit over a month now. This is the SMB_TREE_CONNECT vulnerability that made quite a few headlines when it was released.

MS17-013: One of the 4 GDI elevation of privilege vulnerabilities(%%cve:2017-0005%%) has already been exploited, but details had not been disclosed publicly.

MS17-017: A privilege escalation vulnerability in the Windows Kernel (%%cve:2017-0050%%) has been publicly disclosed.

MS17-022: The XML Core Services Information Disclosure Vulnerability (%%cve:2017-0022%%) has already been exploited. This exploit would target a client, and by loading a malicious XML file and attacker may learn about the existence of files on the disk.

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Joomla com_virtuemart Component - 'id' Parameter Sql Injection Vulnerability
Adups CVE-2016-10136 Local Information Disclosure Vulnerability
Adups CVE-2016-10137 Local Privilege Escalation Vulnerability
CodeIgniter 'system/libraries/Email.php' Remote Code Execution Vulnerability
Joomla com_registrationpro Component - 'did' Parameter Sql Injection Vulnerability
Multiple LG Android Mobile Devices CVE-2016-10135 Multiple Security Bypass Vulnerabilities
Joomla com_fidecalendar Component - 'aid' Parameter Sql Injection Vulnerability
Hitek Software Automize CVE-2016-10102 Information Disclosure Vulnerability
Joomla com_kunena Component - 'id' Parameter Sql Injection Vulnerability
Joomla com_sngevents Component - 'id' Parameter Sql Injection Vulnerability
Symantec Web Gateway CVE-2016-9096 Multiple Cross Site Scripting Vulnerabilities
Multiple F5 BIG-IP Products CVE-2016-7469 HTML Injection Vulnerability
Internet Storm Center Infocon Status