Virtual Patching in the Spotlight Due to Unpatched Microsoft Vulnerabilities
Due to three recently disclosed Microsoft vulnerabilities, the use of Intrusion prevention system (IPS) protection to shield against vulnerabilities (often referred to as Virtual Patching) is back in the spotlight. These allow systems to be protected even if patches have not yet been released by vendors. The vulnerabilities were in the following components:
- Core SMB service
- Microsoft Internet Explorer and Microsoft Edge
- Graphics Device Interface
Let’s take a quick look at these vulnerabilities to understand them and their potential impact. We will also look at what mitigations you can use in the absence of patches for these.
CVE-2017-0016
This vulnerability is a memory corruption bug in the way Windows handles SMB traffic. To carry out this attack, a computer (or a user) has to be lured into connecting to a malicious SMB server. The malicious server serves packets that cause the connecting computer to crash. Proof of concept exploit code for this vulnerability is already publicly disclosed.
The vulnerability does not allow remote code execution and its impact is limited to a denial of Service, causing the computer to restart. The mitigations for this vulnerability are:
- Limit outgoing access on ports 139 and 445.
- Deploy IPS protection.
CVE-2017-0037
This vulnerability is a type confusion vulnerability in Microsoft Internet Explorer and Edge browsers. To exploit this vulnerability, an attacker would need to convince a user to visit a malicious web link. The link could be sent via email or chat, or embedded in documents. Details of this vulnerability, including proof-of-concept code, have been released by Google Project Zero.
This vulnerability allows an attacker to run arbitrary code with the same privileges as the logged-in user. The following mitigations may be useful:
- Deploy IPS protection
- Email filtering for phishing attacks
- Web Reputation to block hosted scripts
- Reduce accounts with administrator rights to reduce risk
CVE-2017-0038
This is a vulnerability in the Graphics Device Interface (GDI) component of Windows. GDI is used to render items like images and fonts on a display device or printer. To exploit this vulnerability, an attacker would need to entice victims to render a font or an image. The image or font could be embedded in a document as well. The attack can be delivered as an email attachment or through file-sharing. Details of this vulnerability, including proof-of-concept code, have been released by Google Project Zero.
This vulnerability allows disclosure of memory, which could leak sensitive information. The following mitigation can be used:
- Deploy IPS protection.
- Educate employees to not open attachments, and to open links only from trusted sources.
Trend Micro Deep Security provides protection against these vulnerabilities. Here are the details on the rules and disclosure timelines around these vulnerabilities.
| CVE | Deep Security Rule release date | Disclosure date. | Rule Name |
| CVE-2017-0016 | Feb 2, 2017 | Feb 1, 2017 | 1008138-Microsoft Windows Stack Overflow Remote Code Execution Vulnerability |
| CVE-2017-0038 | Feb 20, 2017 | Feb 21, 2017 | 1008171-Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2017-0038) |
| CVE-2017-0037 | Feb 27, 2017 | Feb 25, 2017 | 1008153-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-0037) |
TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:
- 26893: SMB: Microsoft Windows mrxsmb20.dll Denial-of-Service Vulnerability
- 26904: HTTP: Microsoft Windows EMF Parsing Information Disclosure Vulnerability
Post from: Trendlabs Security Intelligence Blog – by Trend Micro
Virtual Patching in the Spotlight Due to Unpatched Microsoft Vulnerabilities
Read more: Virtual Patching in the Spotlight Due to Unpatched Microsoft Vulnerabilities