Zscaler Security Advisories

Security Advisory - May 09, 2017

Zscaler protects against 15 new vulnerabilities for Microsoft Outlook, Windows Graphics and Graphics Component, .NET Framework, Windows, Windows Kernel, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft Edge and Internet Explorer.

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protection for the following 15 vulnerabilities included in the May 2017 Microsoft security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the April release and deploy additional protections as necessary. 

CVE-2017-0077 –  Win32k Information Disclosure Vulnerability

Severity: Important

Affected Software

  • Windows 7 
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows Server 2012 R2 (Server Core installation)
  • Windows 10
  • Windows Server 2016  (Server Core installation)
  • Windows 10
  • Windows Server 2008

An information disclosure vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. On systems with Windows 7 for x64-based Systems or later installed, this vulnerability can lead to denial of service. To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.

CVE-2017-0175 –  Windows Kernel Information Disclosure Vulnerability

Severity: Important

Affected Software

  • Windows 7 
  • Windows Server 2008

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

CVE-2017-0213 –  Windows COM Elevation of Privilege Vulnerability

Severity: Important

Affected Software

  • Windows 7
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows Server 2016
  • Windows 10
  • Windows Server 2008

An elevation of privilege exists in Windows COM Aggregate Marshaler. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerability by correcting how Windows COM Marshaler processes interface requests.

CVE-2017-0220 –  Windows Kernel Information Disclosure Vulnerability

Severity: Important

Affected Software

  • Windows 7 
  • Windows Server 2012
  • Windows Server 2008 

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

CVE-2017-0221 –  Microsoft Edge Memory Corruption Vulnerability

Severity: Critical

Affected Software

  • Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Edge on Windows 10 Version 1607 for x64-based Systems

A vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. To exploit the vulnerability, an attacker could host a specially crafted website through Microsoft Edge, and then convince a  user to view the website. The attacker could also take advantage of  compromised websites and websites that accept or host user-provided  content or advertisements by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would  have no way to force a user to view the attacker-controlled content.  Instead, an attacker would have to convince a user to take action,  typically by way of enticement in an email or Instant Messenger message, or by opening an attachment sent through email. The update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.

CVE-2017-0227 –  Microsoft Edge Memory Corruption Vulnerability

Severity: Critical

Affected Software

  • Microsoft Edge on Windows 10

A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the scripting rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected Microsoft scripting engines handle objects in memory.

CVE-2017-0228 –  Scripting Engine Memory Corruption Vulnerability

Severity: Critical

Affected Software

  • Internet Explorer 11 on Windows Server 2012 R2
  • Internet Explorer 11 on Windows RT 8.1
  • Internet Explorer 11 on Windows Server 2016
  • Microsoft Edge on Windows 10 

A remote code execution vulnerability exists in the way the Chakra JavaScript engine renders when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra JavaScript scripting engine handles objects in memory.

CVE-2017-0234 – Scripting Engine Memory Corruption Vulnerability

Severity: Important

Affected Software

  • Microsoft Edge on Windows 10

A remote code execution vulnerability exists in the way the Chakra JavaScript engine renders when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra JavaScript scripting engine handles objects in memory.

CVE-2017-0236 – Scripting Engine Memory Corruption Vulnerability

Severity: Critical

Affected Software

  • Microsoft Edge on Windows 10 

A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by modifying how the Chakra JavaScript scripting engine handles objects in memory.

CVE-2017-0238 – Scripting Engine Memory Corruption Vulnerability

Severity: Important

Affected Software

  • Internet Explorer 9
  • Internet Explorer 11 
  • Microsoft Edge on Windows 10 

A remote code execution vulnerability exists in the way JavaScript scripting engines handle objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected JavaScript scripting engines handle objects in memory.

CVE-2017-0240 – Microsoft Edge Memory Corruption Vulnerability

Severity: Critical

Affected Software

  • Microsoft Edge on Windows 10  

A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the scripting rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected Microsoft scripting engines handle objects in memory.

CVE-2017-0246 – Win32k Elevation of Privilege Vulnerability

Severity: Important

Affected Software

  • Windows 7
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows Server 2016
  • Windows 10 
  • Windows Server 2016  (Server Core installation)
  • Windows Server 2008 

An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. On systems with Windows 7 for x64-based Systems or later installed, this vulnerability can lead to denial of service. To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel-mode driver handles objects in memory and by helping to prevent unintended elevation of privilege from user mode.

CVE-2017-0259 – Windows Kernel Information Disclosure Vulnerability

Severity: Important

Affected Software

  • Windows 8.1
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows 10  

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory.

CVE-2017-0263 – Win32k Elevation of Privilege Vulnerability

Severity: Important

Affected Software

  • Windows 7 Service Pack 1
  • Windows Server 2008 R2 Service Pack 1 (Server Core installation)
  • Windows Server 2008 Service Pack 2 (Server Core installation)
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows 10
  • Windows Server 2016
  • Windows Server 2008 

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. 

CVE-2017-0266 –  Microsoft Edge Remote Code Execution Vulnerability

Severity: Critical

Affected Software

  • Microsoft Edge on Windows 10 

A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the scripting rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected Microsoft scripting engines handle objects in memory.