• CVE-2017-0223?

    #118323

    Hi Woody,

    I recently got a Microsoft Security Update Release email
    Issued: May 25, 2017

    Saying this:

    The following CVEs have been added to May 2017 release.

    * CVE-2017-8535
    * CVE-2017-8536
    * CVE-2017-8537
    * CVE-2017-8538
    * CVE-2017-8539
    * CVE-2017-8540
    * CVE-2017-8541
    * CVE-2017-8542

    Revision Information:
    =====================

    CVE-2017-0223

    – CVE-2017-8542 | Microsoft Malware Protection Engine Denial
    of Service Vulnerability

    – CVE-2017-8541 | Microsoft Malware Protection Engine Remote
    Code Execution Vulnerability

    – CVE-2017-8540 | Microsoft Malware Protection Engine Remote
    Code Execution Vulnerability

    – CVE-2017-8539 | Microsoft Malware Protection Engine Denial
    of Service Vulnerability

    – CVE-2017-8538 | Microsoft Malware Protection Engine Remote
    Code Execution Vulnerability

    – CVE-2017-8537 | Microsoft Malware Protection Engine Denial
    of Service Vulnerability

    – CVE-2017-8536 | Microsoft Malware Protection Engine Denial
    of Service Vulnerability

    – CVE-2017-8535 | Microsoft Malware Protection Engine Denial
    of Service Vulnerability

    I am not sure what that is – or if I need it. I went to the link provided but there wasn’t any useful info. Any light you can shed on this is appreciated.

    Thanks!

     

    • #118348

      CVE-2017-0223
      A remote code execution vulnerability exists in Microsoft Chakra Core in the way JavaScript engines render when handling objects in memory. aka “Scripting Engine Memory Corruption Vulnerability”. This vulnerability is unique from CVE-2017-0252.
      See the Microsoft e-mail here

      - https://portal.msrc.microsoft.com/en-us/security-guidance
       - Version: 1.0
       - Reason for Revision: Microsoft is releasing this out-of-band CVE 
         information to announce that a security update is available for 
         the Microsoft Malware Protection Engine. Microsoft recommends 
         that customers verify that the update is installed, and if 
         necessary, take steps to install the update. For more information 
         see the FAQ section
       - Originally posted: May 25, 2017  
       - Aggregate CVE Severity Rating: Critical
       - Version: 1.0

      ChakraCore is the core part of the Chakra Javascript engine that powers Microsoft Edge
      ChakraCore is the core part of Chakra, the high-performance JavaScript engine that powers Microsoft Edge and Windows applications written in HTML/CSS/JS. ChakraCore supports Just-in-time (JIT) compilation of JavaScript for x86/x64/ARM, garbage collection, and a wide range of the latest JavaScript features. ChakraCore also supports the JavaScript Runtime (JSRT) APIs, which allows you to easily embed ChakraCore in your applications.

      See more on the ChakraCore here

    • #118355

      Here’s more info  http://www.securitytracker.com/id/1038571

      I believe this has been announced before.  As it applies to Microsoft Security Essentials (MSE), open MSE and click on the down arrow next to Help on the upper right, select About and check the Engine Version.  It should be 1.1.13704.0 or higher (mine right now is 1.1.13708.0, so I’m good).  The engine version should be automatically updated when you update new malware definitions via the Upgrade button in MSE.

       

      I don’t know whether this Engine is relevant to other MS software or not.  Hope this helps.

       

      Bonzo

    • #118370

      To clarify:  The Engine Version should be HIGHER than 1.1.13704.0.  Mine is actually at 1.1.13804.0 right now.

       

      Bonzo

      1 user thanked author for this post.
    • #118373

      Showing confusion and possibly ignorance here. I read questions about MSE, a Win7 product. And answers referring to Edge, a Win10 product. Are both issues presented on the same machine? Dual-boot situation?

      Appreciate any information, as I had considered and discarded that setup for myself. If it is a workable arrangement, I may reconsider it.

      Thanks,
      Paul

      for comparison:
      My Win7\MSE information, last updated earlier today:

      Antimalware Client Version: 4.10.209.0
      Engine Version: 1.1.13804.0
      Antivirus definition: 1.245.137.0
      Antispyware definition: 1.245.137.0
      Network Inspection System Engine Version: 2.1.12706.0
      Network Inspection System Definition Version: 116.97.0.0

      • #118374

        The Malware Protection Engine also applies to Windows Defender (Win10) and MSRT. I downloaded mrt.exe today and the file version was also 13804.0

        1 user thanked author for this post.
        • #118375

          Yes, that is true. I opted for brevity. What I mean is, are these updates appropriate to the Win7 environment that OP has, because there may be functionality in that older system. Or is this a mistake in the wealth of offerings from Microsoft, that does not properly discriminate the OS environment?

          Edit: now recognize Bonzo and OP may be different individuals.

          • #118413

            Paul, I think your Windows 7 machine is fine. CVE-2017-8535 through CVE-2017-8542 all have to do with the Engine you have in MSE. I think that the appearance of CVE-2017-0223 is a mistake (not the poster’s mistake, but MS’s mistake since the original email has CVE-2017-0223 in it) since it has to do with Microsoft Edge which is the browser in Windows 10. I don’t believe Windows 7 is even capable of supporting Edge; the last Microsoft browser Windows 7 supports is IE 11. So, I don’t think CVE-2017-0223, or for that matter CVE-2017-0252, are relevant to your computer.

            I hope this helps, but of course if PKCano has a different take on this than I do, I’d go with him.

            Bonzo (different than OP)

            1 user thanked author for this post.
            • #118452

              Thx, Bonzo. Exactly my opinion as well. And what I would have written for Lily, if I had understood the situation properly. Including the very important caveat, because I respect PKCano and how thin he spreads his efforts.

              A lesson I had learned in a much earlier OS from wise advice in a mechanic’s world, don’t fix what ain’t broke. And the corollary, when it does break you will understand better why it broke, shortening the troubleshoot dramatically.

              Since I am not a Norton/Symantec user, it makes me nervous to block a standing protection to repair another protection I do not use, because I am not accustomed to that procedure.

              But I would take PKCano’s advice over mine, every day.

    • #118424

      Thanks everyone. I am the OP – Lily – sorry not to have been more clear. I can’t seem to sign in for some reason.

      Anyway – if I am running Win 7 – using FF/IE, not Edge, and don’t have MSE, then that notice about the CVE updates is not something I need to worry about?

      Thanks!

      LH

      • #118426

        Not directly related, but you do have Windows Defender on Win7 and it does need to be updated to at least v1.1.13704.0. You can access it in the Action Center under Security.

        1 user thanked author for this post.
    • #118427

      Thanks! I usually don’t use Win Defender as I have Norton Internet Security running. I’ll turn it on and check for updates for it and be sure that it is at least v1.1.13704.0. It isn’t visible in the Action Center.

    • #119137

      According to the BleepingComputer 30-May-2017 news article Microsoft Releases Out-of-Band Update to Fix Malware Protection Engine Flaws the engine must be patched to v1.1.13804.0 (not v1.1.13704.0) in order to protect against the latest vulnerabilities associated with the CVEs listed in the original post in this thread.  This was the second critical out-of-band update for the engine in May 2017.

      1 user thanked author for this post.
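
Added example (not part of the thread and not any poster's code): a Python check that parses the version block MSE shows under Help > About, as pasted in the replies above, and compares the Engine Version numerically against the two thresholds quoted in this thread (1.1.13704.0 and 1.1.13804.0). The function names and status labels are assumptions made for illustration.

```python
import re

# Thresholds as quoted in this thread (not independently verified here).
FIRST_FIX = (1, 1, 13704, 0)    # cited in replies #118355 and #118426
SECOND_FIX = (1, 1, 13804, 0)   # cited in reply #119137

# Sample input: the About text as pasted in reply #118373.
SAMPLE_ABOUT = """\
Antimalware Client Version: 4.10.209.0
Engine Version: 1.1.13804.0
Antivirus definition: 1.245.137.0
Antispyware definition: 1.245.137.0
Network Inspection System Engine Version: 2.1.12706.0
Network Inspection System Definition Version: 116.97.0.0
"""

# "<component name>: <dotted numeric version>" on a line of its own.
LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<ver>\d+(?:\.\d+)+)\s*$")


def parse_about(text):
    """Return {lower-cased component name: version tuple of ints}."""
    versions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parts = tuple(int(p) for p in m.group("ver").split("."))
            versions[m.group("name").lower()] = parts
    return versions


def engine_status(text):
    """Classify the scan engine: current, first-fix-only, outdated, unknown."""
    # Exact key match, so the separate "Network Inspection System Engine
    # Version" line is never mistaken for the scan engine.
    engine = parse_about(text).get("engine version")
    if engine is None:
        return "unknown"
    # Tuples of ints compare field by field. Comparing the raw strings
    # would rank "1.1.9999.0" above "1.1.13804.0", which is wrong.
    if engine >= SECOND_FIX:
        return "current"
    if engine >= FIRST_FIX:
        return "first-fix-only"
    return "outdated"


if __name__ == "__main__":
    print(engine_status(SAMPLE_ABOUT))
```
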
      • #119141

        Thank you very much for the information.

      • #119591

        Imacri, do you know if this had another event delivered with today’s [6JUN2017] definition updates?

        Almost always, these daily updates are less than 2MB in size. Normally anything larger results in an increment step in the definition version number [currently 1.245.xxx.0] and/or a new engine. Today was another nearly 14MB delivery, but did not display an advance on either of those named indicators.

        For reference, Win7sp1\MSE information now displays:
        Antimalware Client Version: 4.10.209.0
        Engine Version: 1.1.13804.0
        Antivirus definition: 1.245.546.0
        Antispyware definition: 1.245.546.0
        Network Inspection System Engine Version: 2.1.12706.0
        Network Inspection System Definition Version: 116.100.0.0

        Engine 13804, and definitions 1.245.494.0, were both onboard prior to update. I am not as sure on other items listed.

        Tinhat suspicions could say it is MSOffice or other materiel being delivered through the MSE pipe, because today is 1stTues, but I have no evidence of that.

        • #119609

          Hi Paul:

          I don’t use Win 7 SP1 or MSE but I just ran a manual Windows Update and my Windows Defender only received a typical 2 MB update for virus definition version v1.245.494.0.  My scan engine is still v1.1.13804.0 so it doesn’t look like there have been any further vulnerability patches for the MS Malware Protection Engine since v1.1.13804.0 was released on 26-May-2017.   Do your installed updates (Control Panel | Programs | Programs and Features | View Installed Updates) list any updates with an Installed On date from today?

          What MS Office product do you use?  Microsoft releases non-security updates (i.e., feature enhancements) for supported MS Office products on the first Tuesday of the month (security updates are still released on the second Tuesday of the month with other Patch Tuesday updates) but I don’t see any MS Office 2007 or Office 2010 updates listed yet for June 2017 in the Microsoft Update Catalog.

          According to the MS TechNet Security Update Guide the May 2017 security-only rollup KB4019263 for Win 7 SP1 was re-released yesterday but I’m not certain why.  The security bulletin <here> hasn’t been revised since 16-May-2017 so I don’t know if this revised patch was recently pushed out to all Win 7 SP1 users as a recommended patch.

          PKCano started a thread in the Ask Woody Lounge today titled MS re-re-..release (again) of KB 2952664 and KB 2976978 that also notes that KB2952664 was recently re-released for Win 7 SP1, but it was apparently offered as an Optional update and should not have been installed unless you specifically selected it from the list of offered updates.

          • #119665

            Imacri, thank you for the level of thought given. You hit all the points I was also considering, though you are better with the source material. You correctly ask for clarification of my use of WinUpdate, because I wasn’t clear. MSDefCon2 means I do not request or allow anything through that mechanism. In fact, I have not even initiated a check since the May Rollup I accepted following Wannacrypt. I monitor the manual MSE·AVdef update process because of surprises in the past, that’s how I’ve learned as much as I have.

            Perhaps I should have started a question thread, thank you for addressing here. My curiosity was on possible Microsoft push of material through alternative means.

            New development, following today’s more than 5MB delivery, a version increase in the Network Inspection engine and definition, bringing it inline with the 13804. Not alarmed, but wishing to verify I am not alone; as that would suggest a bad actor may be involved.

            Reference information from MSE\help:
            Antimalware Client Version: 4.10.209.0
            Engine Version: 1.1.13804.0
            Antivirus definition: 1.245.591.0
            Antispyware definition: 1.245.591.0
            Network Inspection System Engine Version: 2.1.13804.0
            Network Inspection System Definition Version: 117.0.0.0

            I read that your personal use is on a different system, so open to reactions from others, as well. I also note that all MS defensive applications, regardless of name, use the same packages.
