This report contains detail for the following vulnerabilities:
| Tag | CVE ID | CVE Title |
|---|---|---|
| .NET Framework | CVE-2017-8585 | .NET Denial of Service Vulnerability |
| Adobe Flash Player | ADV170009 | July Flash Security Update |
| ASP .NET | CVE-2017-8582 | Https.sys Information Disclosure Vulnerability |
| HoloLens | CVE-2017-8584 | HoloLens Remote Code Execution Vulnerability |
| Internet Explorer | CVE-2017-8592 | Microsoft Browser Security Feature Bypass |
| Internet Explorer | CVE-2017-8594 | Internet Explorer Memory Corruption Vulnerability |
| Internet Explorer | CVE-2017-8618 | Scripting Engine Memory Corruption Vulnerability |
| Kerberos | CVE-2017-8495 | Kerberos SNAME Security Feature Bypass Vulnerability |
| Microsoft Browsers | CVE-2017-8602 | Microsoft Browser Spoofing Vulnerability |
| Microsoft Edge | CVE-2017-8611 | Microsoft Edge Spoofing Vulnerability |
| Microsoft Edge | CVE-2017-8596 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2017-8617 | Microsoft Edge Remote Code Execution Vulnerability |
| Microsoft Edge | CVE-2017-8599 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Edge | CVE-2017-8619 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2017-8621 | Microsoft Exchange Open Redirect Vulnerability |
| Microsoft Exchange Server | CVE-2017-8560 | Microsoft Exchange Cross-Site Scripting Vulnerability |
| Microsoft Exchange Server | CVE-2017-8559 | Microsoft Exchange Cross-Site Scripting Vulnerability |
| Microsoft Graphics Component | CVE-2017-8577 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2017-8578 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2017-8573 | Microsoft Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2017-8574 | Microsoft Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2017-8556 | Microsoft Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2017-8580 | Win32k Elevation of Privilege Vulnerability |
| Microsoft NTFS | CVE-2017-8587 | Windows Explorer Denial of Service Vulnerability |
| Microsoft Office | CVE-2017-0243 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2017-8502 | Microsoft Office Memory Corruption Vulnerability |
| Microsoft Office | CVE-2017-8501 | Microsoft Office Memory Corruption Vulnerability |
| Microsoft Office | CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2017-8569 | SharePoint Server XSS Vulnerability |
| Microsoft PowerShell | CVE-2017-8565 | Windows PowerShell Remote Code Execution Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8610 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8601 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8604 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8598 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8608 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8605 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8606 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8603 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8607 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8609 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2017-8595 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2017-8557 | Windows System Information Console Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2017-8566 | Windows IME Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2017-0170 | Windows Performance Monitor Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2017-8590 | Windows CLFS Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2017-8562 | Windows ALPC Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2017-8589 | Windows Search Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2017-8563 | Windows Elevation of Privilege Vulnerability |
| Microsoft WordPad | CVE-2017-8588 | WordPad Remote Code Execution Vulnerability |
| Windows Kernel | CVE-2017-8564 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2017-8561 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel-Mode Drivers | CVE-2017-8486 | Win32k Information Disclosure Vulnerability |
| Windows Kernel-Mode Drivers | CVE-2017-8467 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel-Mode Drivers | CVE-2017-8581 | Win32k Elevation of Privilege Vulnerability |
| Windows Shell | CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-0243 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Office handles files in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-0243 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Business Productivity Servers 2010 Service Pack 2 | 3203459 (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2007 Service Pack 3 | 2880514 (Security Update) | Important | Remote Code Execution | 2767772 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 3203468 (Security Update) | Important | Remote Code Execution | 2956073 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 3203468 (Security Update) | Important | Remote Code Execution | 2956073 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office Web Apps 2010 Service Pack 2 | 3203469 (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-0243 | @j00sean https://twitter.com/j00sean |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8569 MITRE NVD |
CVE Title: SharePoint Server XSS Vulnerability
Description: An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8569 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 3213544 (Security Update) | Important | Elevation of Privilege | 3203432 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8569 | Ashar Javed (@soaj1664ashar),Hyundai AutoEver Europe GmbH https://www.twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8570 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Office handles files in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8570 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2007 Service Pack 3 | 3213640 (Security Update) | Important | Remote Code Execution | 3203436 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 3213624 (Security Update) | Important | Remote Code Execution | 3203460 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 3213624 (Security Update) | Important | Remote Code Execution | 3203460 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 RT Service Pack 1 | 3213555 (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | 3213555 (Security Update) | Important | Remote Code Execution | 3203386 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | 3213555 (Security Update) | Important | Remote Code Execution | 3203386 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (32-bit edition) | 3213545 (Security Update) | Important | Remote Code Execution | 3191882 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 3213545 (Security Update) | Important | Remote Code Execution | 3191882 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8570 | Haifei Li of the McAfee Security Team http://www.mcafee.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8573 MITRE NVD |
CVE Title: Microsoft Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8573 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8573 | Peter Hlavaty ( @zer0mem ), Tencent at KeenLab https://twitter.com/zer0mem,http://keenlab.tencent.com/en |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8574 MITRE NVD |
CVE Title: Microsoft Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8574 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8574 | Peter Hlavaty ( @zer0mem ), Tencent at KeenLab https://twitter.com/zer0mem,http://keenlab.tencent.com/en |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8577 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8577 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Unknown |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Unknown |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8577 | Chaitin Security Research Lab working with Trend Micro’s Zero Day Initiative (ZDI) http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8578 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8578 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8578 | Tencent Security - Team Sniper (Keen Lab and PC Mgr) working with Trend Micro’s Zero Day Initiative (ZDI) http://www.tencent.com/,http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8580 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8580 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Unknown |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Unknown |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8580 | Tencent Security - Team Sniper (Keen Lab and PC Mgr) working with Trend Micro’s Zero Day Initiative (ZDI) http://www.tencent.com/,http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8581 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8581 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Unknown |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Unknown |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.10 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8581 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8582 MITRE NVD |
CVE Title: Https.sys Information Disclosure Vulnerability
Description: An Information Disclosure vulnerability exists when the HTTP.sys server application component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the HTTP.sys server application system. A remote unauthenticated attacker could exploit this vulnerability by issuing a request to the HTTP.sys server application. The update addresses the vulnerability by correcting how the HTTP.sys server application handles objects in memory.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8582 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Information Disclosure | 4022726 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4022914 (Security Update) | Important | Information Disclosure | None | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4022914 (Security Update) | Important | Information Disclosure | None | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4022914 (Security Update) | Important | Information Disclosure | None | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4022914 (Security Update) | Important | Information Disclosure | None | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4022914 (Security Update) | Important | Information Disclosure | None | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.90 Temporal: 5.50 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8582 | Marcin Kosieradzki of P2ware https://p2ware.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8584 MITRE NVD |
CVE Title: HoloLens Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when HoloLens improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted WiFi packet. The update addresses the vulnerability by correcting how Hololens handles objects in memory.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8584 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 7.00 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 7.00 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 7.00 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 7.00 Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8584 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8585 MITRE NVD |
CVE Title: .NET Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8585 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft .NET Framework 4.6 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Denial of Service | 4022727 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Denial of Service | 4022727 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6.1 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Denial of Service | 4022714 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6.1 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Denial of Service | 4022714 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6.2/4.7 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Denial of Service | 4022715 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6.2/4.7 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Denial of Service | 4022715 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6.2/4.7 on Windows Server 2016 | 4025339 (Security Update) | Important | Denial of Service | 4022715 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.6.2/4.7 on Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Denial of Service | 4022715 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.7 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Denial of Service | 4022725 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| Microsoft .NET Framework 4.7 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Denial of Service | 4022725 | Base: 7.50 Temporal: 7.50 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8585 | David Fernandez of Sidertia Solutions http://www.sidertia.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8587 MITRE NVD |
CVE Title: Windows Explorer Denial of Service Vulnerability
Description: An Denial Of Service vulnerability exists when Windows Explorer attempts to open a non-existent file. An attacker who successfully exploited this vulnerability could cause a denial of service. A attacker could exploit this vulnerability by hosting a specially crafted web site and convince a user to browse to the page, containing the reference to the non-existing file, and cause the victim's system to stop responding. An attacker could not force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site The update addresses the vulnerability by correcting how Windows Explorer handles open attempts for non-existent files.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8587 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Denial of Service | 4022727 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Denial of Service | 4022727 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Denial of Service | 4022714 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Denial of Service | 4022714 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Denial of Service | 4022719 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Denial of Service | 4022719 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Denial of Service | 4022726 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Denial of Service | 4022726 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Denial of Service | 4022726 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025674 (Security Update) | Important | Denial of Service | 2840149 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025674 (Security Update) | Important | Denial of Service | 2840149 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025674 (Security Update) | Important | Denial of Service | 2840149 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025674 (Security Update) | Important | Denial of Service | 2840149 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025674 (Security Update) | Important | Denial of Service | 2840149 | Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Denial of Service | 4022719 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Denial of Service | 4022719 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Denial of Service | 4022719 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Denial of Service | 4022724 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Denial of Service | 4022724 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Denial of Service | 4022726 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Denial of Service | 4022726 |
Base: 6.50 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8587 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8588 MITRE NVD |
CVE Title: WordPad Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted files. Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file. The update addresses the vulnerability by correcting the way that Microsoft WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft WordPad will leverage to resolve the identified issue. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8588 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Remote Code Execution | 4022727 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Remote Code Execution | 4022727 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Remote Code Execution | 4022714 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Remote Code Execution | 4022714 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Remote Code Execution | 4022725 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Remote Code Execution | 4022725 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Remote Code Execution | 4022726 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4026061 (Security Update) | Important | Remote Code Execution | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4026061 (Security Update) | Important | Remote Code Execution | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4026061 (Security Update) | Important | Remote Code Execution | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4026061 (Security Update) | Important | Remote Code Execution | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4026061 (Security Update) | Important | Remote Code Execution | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Remote Code Execution | 4022724 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Remote Code Execution | 4022724 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8588 | Pedro Gallegos and Willson David of Microsoft Office Security Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8589 MITRE NVD |
CVE Title: Windows Search Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer. The security update addresses the vulnerability by correcting how Windows Search handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8589 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4032955 (Security Update) | Critical | Remote Code Execution | None | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4032955 (Security Update) | Critical | Remote Code Execution | None | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4032955 (Security Update) | Critical | Remote Code Execution | None | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4032955 (Security Update) | Critical | Remote Code Execution | None | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4032955 (Security Update) | Critical | Remote Code Execution | None | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Critical | Remote Code Execution | 4022724 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Critical | Remote Code Execution | 4022724 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 8.10 Temporal: 8.10 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 8.10 Temporal: 8.10 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8589 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8590 MITRE NVD |
CVE Title: Windows CLFS Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control of the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses the vulnerability by correcting how CLFS handles objects in memory. Note: The Common Log File System (CLFS) is a high-performance, general-purpose log file subsystem that dedicated client applications can use and multiple clients can share to optimize log access. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8590 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4026059 (Security Update) | Important | Elevation of Privilege | 3181707; 3203838 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4026059 (Security Update) | Important | Elevation of Privilege | 3181707; 3203838 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4026059 (Security Update) | Important | Elevation of Privilege | 3181707; 3203838 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4026059 (Security Update) | Important | Elevation of Privilege | 3181707; 3203838 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4026059 (Security Update) | Important | Elevation of Privilege | 3181707; 3203838 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8590 | 360 Security working with Trend Micro’s Zero Day Initiative (ZDI) http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8592 MITRE NVD |
CVE Title: Microsoft Browser Security Feature Bypass
Description: A security feature bypass vulnerability exists when Microsoft Browsers improperly handle redirect requests. This vulnerability allows Microsoft Browsers to bypass CORS redirect restrictions and to follow redirect requests that should otherwise be ignored. An attacker who successfully exploited this vulnerability could force the browser to send data that would otherwise be restricted to a destination web site of their choice. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected Microsoft Browsers handle redirect requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Low | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8592 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4025331 (Monthly Rollup) 4025252 (IE Cumulative) |
Low | Security Feature Bypass | 4022724 4021558 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Security Feature Bypass | 4022725 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Security Feature Bypass | 4022725 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Security Feature Bypass | 4022719 4021558 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Security Feature Bypass | 4022719 4021558 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Security Feature Bypass | 4022726 4021558 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Security Feature Bypass | 4022726 4021558 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Security Feature Bypass | 4022726 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Low | Security Feature Bypass | 4022719 4021558 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Low | Security Feature Bypass | 4022726 4021558 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4025339 (Security Update) | Low | Security Feature Bypass | 4022715 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025252 (IE Cumulative) | Low | Security Feature Bypass | 4021558 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Security Feature Bypass | 4022726 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025240 (Security Update) | Important | Security Feature Bypass | 3216916 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025240 (Security Update) | Important | Security Feature Bypass | 3216916 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025240 (Security Update) | Important | Security Feature Bypass | 3216916 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025240 (Security Update) | Important | Security Feature Bypass | 3216916 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025240 (Security Update) | Important | Security Feature Bypass | 3216916 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Security Feature Bypass | 4022724 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Security Feature Bypass | 4022724 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8592 | Soroush Dalili (@irsdl) from NCC Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8594 MITRE NVD |
CVE Title: Internet Explorer Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or instant message, or by getting them to open an attachment sent through email. The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8594 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022726 4021558 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8594 | Ivan Fratric of Google Project Zero https://www.google.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8595 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8595 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8595 | Anonymous working with Trend Micro’s Zero Day Initiative (ZDI) http://www.zerodayinitiative.com/ Microsoft ChakraCore Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8596 MITRE NVD |
CVE Title: Microsoft Edge Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8596 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8596 | MSRC Vulnerabilities and Mitigations Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8617 MITRE NVD |
CVE Title: Microsoft Edge Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8617 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8617 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8618 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by modifying how the VBScript scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8618 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4025331 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022724 4021558 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022719 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022719 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022719 4021558 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022726 4021558 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8618 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8619 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8619 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8619 | Yuki Chen of Qihoo 360 Vulcan Team http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8621 MITRE NVD |
CVE Title: Microsoft Exchange Open Redirect Vulnerability
Description: An open redirect vulnerability exists in Microsoft Exchange that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL, and convince the user to click the link. When an authenticated Exchange user clicks the link, the authenticated user's browser session could be redirected to a malicious site that is designed to impersonate a legitimate website. By doing so, the attacker could trick the user and potentially acquire sensitive information, such as the user's credentials. The update addresses the vulnerability by correcting how Exchange handles open redirect requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information Published. |
Moderate | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8621 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2010 Service Pack 3 | 4018588 (Security Update) | Moderate | Spoofing | 4011326 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2013 Cumulative Update 16 | 4018588 (Security Update) | Moderate | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2013 Service Pack 1 | 4018588 (Security Update) | Moderate | Spoofing | 4012178 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2016 Cumulative Update 5 | 4018588 (Security Update) | Moderate | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8621 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-0170 MITRE NVD |
CVE Title: Windows Performance Monitor Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in the Windows Performance Monitor Console when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration. To exploit the vulnerability, an attacker could create specially crafted XML data and convince an authenticated user to create a Data Collector Set and import the file. To create a Data Collector Set, the user must be a member of the Performance Log Users or Local Administrators group. The update addresses the vulnerability by modifying the way that the Windows Performance Monitor Console parses XML input. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Moderate | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-0170 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Moderate | Information Disclosure | 4022727 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Moderate | Information Disclosure | 4022727 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Moderate | Information Disclosure | 4022714 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Moderate | Information Disclosure | 4022714 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Moderate | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Moderate | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Moderate | Information Disclosure | 4022725 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Moderate | Information Disclosure | 4022725 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Moderate | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Moderate | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Moderate | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Moderate | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025397 (Security Update) | Moderate | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025397 (Security Update) | Moderate | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025397 (Security Update) | Moderate | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025397 (Security Update) | Moderate | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025397 (Security Update) | Moderate | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Moderate | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Moderate | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Moderate | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Moderate | Information Disclosure | 4022724 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Moderate | Information Disclosure | 4022724 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Moderate | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Moderate | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Moderate | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Moderate | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-0170 | David Fernandez of Sidertia Solutions https://www.sidertia.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8463 MITRE NVD |
CVE Title: Windows Explorer Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Explorer improperly handles executable files and shares during rename operations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another user. Users not running as administrators would be less affected. To exploit this vulnerability, an attacker would first share both
a folder and malware named with an executable extension, and then trick the user
into thinking that the malware was the folder. The attacker could not force the user to open or browse the share but could use email or instant messages to trick them into doing so. The update addresses the vulnerability by correcting how Windows Explorer handles executable files and shares during rename operations.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8463 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025497 (Security Update) | Critical | Remote Code Execution | None | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025497 (Security Update) | Critical | Remote Code Execution | None | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025497 (Security Update) | Critical | Remote Code Execution | None | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025497 (Security Update) | Critical | Remote Code Execution | None | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025497 (Security Update) | Critical | Remote Code Execution | None | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Critical | Remote Code Execution | 4022719 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Critical | Remote Code Execution | 4022724 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Critical | Remote Code Execution | 4022724 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Critical | Remote Code Execution | 4022726 |
Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 6.30 Temporal: 6.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8463 | Tencent Security – Sword Team working with Trend Micro’s Zero Day Initiative (ZDI) http://www.tencent.com/,http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8467 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8467 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Unknown |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Unknown |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8467 | GuoPengfei from 360 Codesafe Team working with Trend Micro’s Zero Day Initiative (ZDI) http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8486 MITRE NVD |
CVE Title: Win32k Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in Microsoft Windows when Win32k fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. The update addresses the vulnerability by correcting how the Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8486 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 4.70 Temporal: 4.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 4.70 Temporal: 4.70 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Information Disclosure | 4022726 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Unknown |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Unknown |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8486 | pgboy and zhong_sf of Qihoo 360 Vulcan Team working with Trend Micro’s Zero Day Initiative (ZDI) http://www.360.com/,http://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8495 MITRE NVD |
CVE Title: Kerberos SNAME Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. An attacker who successfully exploited this vulnerability could use it to bypass Extended Protection for Authentication. To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between a client and the server. The update addresses this vulnerability by adding integrity protection to the SNAME field. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8495 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Security Feature Bypass | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Security Feature Bypass | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Security Feature Bypass | 4022726 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4022746 (Security Update) | Important | Security Feature Bypass | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4022746 (Security Update) | Important | Security Feature Bypass | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4022746 (Security Update) | Important | Security Feature Bypass | 3011780 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4022746 (Security Update) | Important | Security Feature Bypass | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4022746 (Security Update) | Important | Security Feature Bypass | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Security Feature Bypass | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Security Feature Bypass | 4022724 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Security Feature Bypass | 4022724 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Security Feature Bypass | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8495 | Jeffrey Eric Altman (@jaltman) - AuriStor, Inc. https://twitter.com/jaltman,https://www.auristor.com Viktor Dukhovni (@vdukhovni) - Two Sigma Investments https://twitter.com/vdukhovni,https://www.twosigma.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8501 MITRE NVD |
CVE Title: Microsoft Office Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. Note that the Preview Pane is not an attack vector for this vulnerability. The security update addresses the vulnerability by correcting how Office handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8501 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Excel Services on Microsoft SharePoint Server 2010 Service Pack 2 | 3191902 (Security Update) | Important | Remote Code Execution | 3191840 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2007 Service Pack 3 | 3191894 (Security Update) | Important | Remote Code Execution | 3191827 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2010 Service Pack 2 (32-bit editions) | 3191907 (Security Update) | Important | Remote Code Execution | 3191847 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2010 Service Pack 2 (64-bit editions) | 3191907 (Security Update) | Important | Remote Code Execution | 3191847 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 RT Service Pack 1 | 3213537 (Security Update) | Important | Remote Code Execution | 3172542 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | 3213537 (Security Update) | Important | Remote Code Execution | 3172542 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | 3213537 (Security Update) | Important | Remote Code Execution | 3172542 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (32-bit edition) | 3203477 (Security Update) | Important | Remote Code Execution | 3178673 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 3203477 (Security Update) | Important | Remote Code Execution | 3178673 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel Viewer 2007 Service Pack 3 | 3191833 (Security Update) | Important | Remote Code Execution | 3178680 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 for Mac | 3212224 (Security Update) | Important | Remote Code Execution | 3212223 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office Compatibility Pack Service Pack 3 | 3191897 (Security Update) | Important | Remote Code Execution | 3191830 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office for Mac 2011 | 3212224 (Security Update) | Important | Remote Code Execution | 3212223 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office Online Server 2016 | 3213657 (Security Update) | Important | Remote Code Execution | 3203485 | Base: N/A Temporal: N/A Vector: N/A |
Unknown |
| Microsoft SharePoint Enterprise Server 2013 | 3213559 (Security Update) | Important | Remote Code Execution | 3203390 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8501 | Yangkang (@dnpushme) & Liyadong & Wanglu of Qihoo 360 Qex Team https://twitter.com/dnpushme,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8502 MITRE NVD |
CVE Title: Microsoft Office Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. Note that the Preview Pane is not an attack vector for this vulnerability. The security update addresses the vulnerability by correcting how Office handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8502 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Excel 2010 Service Pack 2 (32-bit editions) | 3191907 (Security Update) | Important | Remote Code Execution | 3191847 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2010 Service Pack 2 (64-bit editions) | 3191907 (Security Update) | Important | Remote Code Execution | 3191847 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 RT Service Pack 1 | 3213537 (Security Update) | Important | Remote Code Execution | 3172542 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | 3213537 (Security Update) | Important | Remote Code Execution | 3172542 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | 3213537 (Security Update) | Important | Remote Code Execution | 3172542 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (32-bit edition) | 3203477 (Security Update) | Important | Remote Code Execution | 3178673 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 3203477 (Security Update) | Important | Remote Code Execution | 3178673 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8502 | Yong Chuan Koh (@yongchuank of MWR Infosecurity https://twitter.com/yongchuank |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8556 MITRE NVD |
CVE Title: Microsoft Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8556 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Unknown |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Unknown |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025877 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8556 | WenQunWang of Tencent's Xuanwu LAB http://www.tencent.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8557 MITRE NVD |
CVE Title: Windows System Information Console Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in the Windows System Information Console when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.
To exploit the vulnerability, an attacker could create a file containing specially crafted XML content and convince an authenticated user to open the file. The update addresses the vulnerability by modifying the way that the Windows System Information Console parses XML input.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8557 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Information Disclosure | 4022726 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025398 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025398 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025398 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025398 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025398 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8557 | SaifAllah benMassaoud (@benmassaou) https://twitter.com/benmassaou |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8560 MITRE NVD |
CVE Title: Microsoft Exchange Cross-Site Scripting Vulnerability
Description: An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited this vulnerability could perform script/content injection attacks and attempt to trick the user into disclosing sensitive information. To exploit the vulnerability, an attacker could send a specially crafted email message containing a malicious link to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link. The security update addresses the vulnerability by correcting how Microsoft Exchange validates web requests. Note: In order to exploit this vulnerability, a user must click a maliciously crafted link from an attacker. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8560 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2013 Cumulative Update 16 | 4018588 (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2013 Service Pack 1 | 4018588 (Security Update) | Important | Elevation of Privilege | 4012178 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2016 Cumulative Update 5 | 4018588 (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8560 | Ashar Javed @soaj1664ashar of Hyundai AutoEver Europe GmbH https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8559 MITRE NVD |
CVE Title: Microsoft Exchange Cross-Site Scripting Vulnerability
Description: An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited this vulnerability could perform script/content injection attacks and attempt to trick the user into disclosing sensitive information. To exploit the vulnerability, an attacker could send a specially crafted email message containing a malicious link to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link. The security update addresses the vulnerability by correcting how Microsoft Exchange validates web requests. Note: In order to exploit this vulnerability, a user must click a maliciously crafted link from an attacker. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8559 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2013 Cumulative Update 16 | 4018588 (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2013 Service Pack 1 | 4018588 (Security Update) | Important | Elevation of Privilege | 4012178 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2016 Cumulative Update 5 | 4018588 (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2017-8559 | Adrian Ivascu |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8561 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8561 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8561 | Peter Hlavaty (@zer0mem), KeenLab, Tencent https://twitter.com/zer0mem,http://www.tencent.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8562 MITRE NVD |
CVE Title: Windows ALPC Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8562 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8562 | Alex Ionescu of Winsider Seminars & Solutions, Inc. http://www.windows-internals.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8563 MITRE NVD |
CVE Title: Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information. FAQ: In addition to installing the updates for CVE-2017-8563 are there any further steps I need to carry out to be protected from this CVE? Yes. To make LDAP authentication over SSL/TLS more secure, administrators need to create a LdapEnforceChannelBinding registry setting on a Domain Controller. For more information about setting this registry key, see Microsoft Knowledge Base article 4034879.Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8563 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Elevation of Privilege | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Elevation of Privilege | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Elevation of Privilege | 4022726 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025409 (Security Update) | Important | Elevation of Privilege | 3184471 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025409 (Security Update) | Important | Elevation of Privilege | 3184471 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4025409 (Security Update) | Important | Elevation of Privilege | 3184471 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025409 (Security Update) | Important | Elevation of Privilege | 3184471 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025409 (Security Update) | Important | Elevation of Privilege | 3184471 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Elevation of Privilege | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Elevation of Privilege | 4022724 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Elevation of Privilege | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8563 | Yaron Zinar, Eyal Karni, Roman Blachman Preempt https://www.preempt.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8564 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, allowing an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the base address of the kernel driver from a compromised process. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Exploitation Unlikely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8564 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Information Disclosure | 4022727 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Information Disclosure | 4022714 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Information Disclosure | 4022725 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Information Disclosure | 4022726 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4022748 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4022748 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4022748 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4022748 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4022748 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Information Disclosure | 4022719 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Information Disclosure | 4022724 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Information Disclosure | 4022726 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Information Disclosure | 4022715 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8564 | Mateusz Jurczyk of Google Project Zero http://www.google.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8565 MITRE NVD |
CVE Title: Windows PowerShell Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system. In an attack scenario, an attacker could execute malicious code in a PowerShell remote session. The update addresses the vulnerability by correcting how PowerShell deserializes user supplied scripts.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8565 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Remote Code Execution | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Remote Code Execution | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Remote Code Execution | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Remote Code Execution | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Remote Code Execution | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Remote Code Execution | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Remote Code Execution | 4022726 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025872 (Security Update) | Important | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4025872 (Security Update) | Important | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4025872 (Security Update) | Important | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4025872 (Security Update) | Important | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4025337 (Security Only) 4025341 (Monthly Rollup) |
Important | Remote Code Execution | 4022719 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Remote Code Execution | 4022724 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4025331 (Monthly Rollup) 4025343 (Security Only) |
Important | Remote Code Execution | 4022724 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4025333 (Security Only) 4025336 (Monthly Rollup) |
Important | Remote Code Execution | 4022726 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8565 | Oleksandr Mirosh and Alvaro Muñoz (@pwntester) from Hewlett-Packard Enterprise Security https://twitter.com/pwntester |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8566 MITRE NVD |
CVE Title: Windows IME Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows Input Method Editor (IME) when IME improperly handles parameters in a method of a DCOM class. The DCOM server is a Windows component installed regardless of which languages/IMEs are enabled. An attacker can instantiate the DCOM class and exploit the system even if IME is not enabled. To exploit this vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses this vulnerability by correcting how Windows IME handles parameters in a method of a DCOM class.
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8566 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Elevation of Privilege | 4022725 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4025339 (Security Update) | Important | Elevation of Privilege | 4022715 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8566 | Pedro Gallegos of Microsoft Office Security Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8598 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8598 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8598 | bee13oy of CloverSec Labs working with Trend Micro's Zero Day Initiative http://www.zerodayinitiative.com/ Christian Holler (decoder, @mozdeco) - own-hero Team https://twitter.com/mozdeco?lang=en,own-hero.net Lokihart of Google Project Zero http://www.google.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8599 MITRE NVD |
CVE Title: Microsoft Edge Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when Microsoft Edge fails to correctly apply Same Origin Policy for HTML elements present in other browser windows. An attacker could use this vulnerability to trick a user into loading a page with malicious content. To exploit this vulnerability, an attacker would need to trick a user into loading a page or visiting a website. The page could also be injected into a compromised website or ad network. The update addresses the vulnerability by correcting the Same Origin Policy check for scripts attempting to manipulate HTML elements in other browser windows. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8599 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Security Feature Bypass | 4022727 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Security Feature Bypass | 4022714 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Security Feature Bypass | 4022715 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Security Feature Bypass | 4022725 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Security Feature Bypass | 4022725 | Base: 6.50 Temporal: 5.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Low | Security Feature Bypass | 4022715 | Base: 4.50 Temporal: 4.10 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8599 | Jun Kokatsu (@shhnjk) https://twitter.com/shhnjk |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8601 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by modifying how the Chakra JavaScript scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8601 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8601 | Hao Linan of Qihoo 360 Vulcan Team https://www.360.com Wang Yuan of Nanyang Technological University working with Trend Micro's Zero Day Initiative http://www.zerodayinitiative.com/ Lin Yang @SJTU working with Trend Micro's Zero Day Initiative https://twitter.com/SJTU,http://www.zerodayinitiative.com/ Liu Long of Qihoo 360 Vulcan Team http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8602 MITRE NVD |
CVE Title: Microsoft Browser Spoofing Vulnerability
Description: A spoofing vulnerability exists when an affected Microsoft browser does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it. In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically via an enticement in email or instant message, and then convince the user to interact with content on the website. The security update addresses the vulnerability by correcting how Microsoft browsers parse HTTP responses. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | N/A | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8602 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Spoofing | 4022727 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Spoofing | 4022727 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Spoofing | 4022714 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Spoofing | 4022714 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Spoofing | 4022715 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Spoofing | 4022715 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Spoofing | 4022725 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Spoofing | 4022725 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Spoofing | 4022719 4021558 |
Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Spoofing | 4022719 4021558 |
Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Spoofing | 4022726 4021558 |
Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Important | Spoofing | 4022726 4021558 |
Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Important | Spoofing | 4022726 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025341 (Monthly Rollup) 4025252 (IE Cumulative) |
Low | Spoofing | 4022719 4021558 |
Base: 2.40 Temporal: 2.30 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Low | Spoofing | 4022726 4021558 |
Base: 2.40 Temporal: 2.30 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4025339 (Security Update) | Low | Spoofing | 4022715 | Base: 2.40 Temporal: 2.30 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Important | Spoofing | 4022727 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Important | Spoofing | 4022727 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Important | Spoofing | 4022714 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Important | Spoofing | 4022714 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Important | Spoofing | 4022715 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Important | Spoofing | 4022715 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Important | Spoofing | 4022725 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Important | Spoofing | 4022725 | Base: 4.30 Temporal: 4.00 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Low | Spoofing | 4022715 | Base: 2.40 Temporal: 2.30 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8602 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8603 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8603 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8603 | Dhanesh Kizhakkinan of FireEye, Inc. https://www.fireeye.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8604 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8604 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8604 | Dhanesh Kizhakkinan of FireEye, Inc. https://www.fireeye.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8605 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8605 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8605 | Qixun Zhao of Qihoo 360 Vulcan Team https://www.weibo.com/babyboaes/,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8606 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft browser JavaScript scripting engines handle objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8606 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4025331 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022724 4021558 |
Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4025252 (IE Cumulative) | Critical | Remote Code Execution | 4021558 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4025252 (IE Cumulative) | Critical | Remote Code Execution | 4021558 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8606 | Microsoft ChakraCore Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8607 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft browser JavaScript scripting engines handle objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8607 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4025331 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022724 4021558 |
Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4025252 (IE Cumulative) | Critical | Remote Code Execution | 4021558 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4025252 (IE Cumulative) | Critical | Remote Code Execution | 4021558 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022726 4021558 |
Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 3.10 Temporal: 2.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8607 | Microsoft ChakraCore Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8608 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way JavaScript engines render when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft browser JavaScript scripting engines handle objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8608 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4025331 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022724 4021558 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Critical | Remote Code Execution | 4022726 4021558 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4025336 (Monthly Rollup) | Critical | Remote Code Execution | 4022726 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4025336 (Monthly Rollup) 4025252 (IE Cumulative) |
Moderate | Remote Code Execution | 4022726 4021558 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4025252 (IE Cumulative) | Moderate | Remote Code Execution | 4021558 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8608 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8609 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Scripting Engine renders when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer or Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the scripting rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The security update addresses the vulnerability by modifying how the Scripting Engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8609 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Critical | Remote Code Execution | 4022727 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Critical | Remote Code Execution | 4022714 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Critical | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Moderate | Remote Code Execution | 4022715 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8609 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8610 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. Finally, the attacker could take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8610 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Critical | Remote Code Execution | 4022725 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8610 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2017-8611 MITRE NVD |
CVE Title: Microsoft Edge Spoofing Vulnerability
Description: A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it. In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website. The update addresses the vulnerability by correcting how Microsoft Edge parses HTTP responses. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2017-07-11T07:00:00 Information published. |
Moderate | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2017-8611 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4025338 (Security Update) | Moderate | Spoofing | 4022727 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4025338 (Security Update) | Moderate | Spoofing | 4022727 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for 32-bit Systems | 4025344 (Security Update) | Moderate | Spoofing | 4022714 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1511 for x64-based Systems | 4025344 (Security Update) | Moderate | Spoofing | 4022714 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4025339 (Security Update) | Moderate | Spoofing | 4022715 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4025339 (Security Update) | Moderate | Spoofing | 4022715 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4025342 (Security Update) | Moderate | Spoofing | 4022725 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4025342 (Security Update) | Moderate | Spoofing | 4022725 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4025339 (Security Update) | Low | Spoofing | 4022715 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2017-8611 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| ADV170009 MITRE NVD |
CVE Title: July Flash Security Update
Description: This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB17-21: CVE-2017-3099, CVE-2017-3080, CVE-2017-3100 FAQ: How could an attacker exploit these vulnerabilities? In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. For more information about Internet Explorer and the CV List, please see the MSDN Article, Developer Guidance for websites with content for Adobe Flash Player in Windows 8. Mitigations: Workarounds: Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.
Revision: 1.0 2017-07-11T07:00:00 Information Published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| ADV170009 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Adobe Flash Player on Windows 10 for 32-bit Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 for x64-based Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1511 for 32-bit Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1511 for x64-based Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1607 for 32-bit Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1607 for x64-based Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1703 for 32-bit Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1703 for x64-based Systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 8.1 for 32-bit systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 8.1 for x64-based systems | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows RT 8.1 | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2012 | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2012 R2 | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2016 | 4025376 (Security Update) | Critical | Remote Code Execution | 4022730 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| ADV170009 | None |