==================================================================== CERT-Renater Note d'Information No. 2017/VULN250 _____________________________________________________________________ DATE : 13/09/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows versions 7, 8.1, RT 8.1, 10, Server 2008, Server 2012, Server 2016, Systems running Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Lync, Microsoft .NET Framework, Office Online Server, Skype for Business, Microsoft SharePoint Server, Microsoft SQL Server, Adobe Flash Player for Windows. ===================================================================== https://portal.msrc.microsoft.com/en-us/security-guidance ____________________________________________________________________ ******************************************************************** Microsoft Security Update Summary for September 2017 Issued: September 12, 2017 ******************************************************************** This summary lists security updates released for September 2017. Complete information for the September 2017 security update release can Be found at . Critical Security Updates ============================ Adobe Flash Player Internet Explorer 11 Microsoft Edge Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office Word Viewer Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1703 for 32-bit Systems Windows 10 Version 1703 for x64-based Systems Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8.1 for 32-bit systems Windows 8.1 for x64-based systems Windows RT 8.1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for Itanium-Based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation) Windows Server 2016 Windows Server 2016 (Server Core installation) Important Security Updates ============================ Excel Services Microsoft Excel 2007 Service Pack 3 Microsoft Excel 2010 Service Pack 2 (32-bit editions) Microsoft Excel 2010 Service Pack 2 (64-bit editions) Microsoft Excel 2013 RT Service Pack 1 Microsoft Excel 2013 Service Pack 1 (32-bit editions) Microsoft Excel 2013 Service Pack 1 (64-bit editions) Microsoft Excel 2016 (32-bit edition) Microsoft Excel 2016 (64-bit edition) Microsoft Excel 2016 for Mac Microsoft Excel for Mac 2011 Microsoft Excel Viewer 2007 Service Pack 3 Microsoft Excel Web App 2013 Service Pack 1 Microsoft Exchange Server 2013 Cumulative Update 16 Microsoft Exchange Server 2013 Cumulative Update 17 Microsoft Exchange Server 2013 Service Pack 1 Microsoft Exchange Server 2016 Cumulative Update 5 Microsoft Exchange Server 2016 Cumulative Update 6 Microsoft Live Meeting 2007 Add-in Microsoft Live Meeting 2007 Console Microsoft Lync 2010 (32-bit) Microsoft Lync 2010 (64-bit) Microsoft Lync 2010 Attendee (admin level install) Microsoft Lync 2010 Attendee (user level install) Microsoft Lync 2013 Service Pack 1 (32-bit) Microsoft Lync 2013 Service Pack 1 (64-bit) Microsoft Lync Basic 2013 Service Pack 1 (32-bit) Microsoft Lync Basic 2013 Service Pack 1 (64-bit) Microsoft Office 2013 RT Service Pack 1 Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Office 2013 Service Pack 1 (64-bit editions) Microsoft Office 2016 (32-bit edition) Microsoft Office 2016 (64-bit edition) Microsoft Office 2016 for Mac Microsoft Office Compatibility Pack Service Pack 3 Microsoft Office for Mac 2011 Microsoft Office Web Apps 2010 Service Pack 2 Microsoft Office Web Apps 2013 Service Pack 1 Microsoft Office Web Apps Server 2013 Service Pack 1 Microsoft PowerPoint 2007 Service Pack 3 Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) Microsoft PowerPoint 2013 RT Service Pack 1 Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions) Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions) Microsoft PowerPoint 2016 (32-bit edition) Microsoft PowerPoint 2016 (64-bit edition) Microsoft PowerPoint Viewer 2007 Microsoft Publisher 2007 Service Pack 3 Microsoft Publisher 2010 Service Pack 2 (32-bit editions) Microsoft Publisher 2010 Service Pack 2 (64-bit editions) Microsoft SharePoint Enterprise Server 2016 Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Server 2013 Service Pack 1 Office Online Server Skype for Business 2016 (32-bit) Skype for Business 2016 (64-bit) Skype for Business 2016 Basic (32-bit) Skype for Business 2016 Basic (64-bit) Windows Server 2012 (Server Core installation) Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions) Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions) Microsoft SharePoint Server 2010 Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.6.2/4.7 Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7 Microsoft .NET Framework 4.7 Moderate Security Updates ============================ Internet Explorer 9 Internet Explorer 10 Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ============================================================= If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security information, or installing security updates. You can obtain the MSRC public PGP key at . ******************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 ____________________________________________________________________ ******************************************************************** Title: Microsoft Security Update Releases Issued: Septemner 12, 2017 ******************************************************************** Summary ======= The following CVEs and security bulletins have undergone a major revision increment. * CVE-2016-0165 * CVE-2016-3238 * CVE-2016-3326 * CVE-2016-3376 * CVE-2017-0213 * CVE-2017-8529 * CVE-2017-8599 * MS16-039 * MS16-APR * MS16-087 * MS16-JUL * MS16-095 * MS16-AUG * MS16-123 * MS16-OCT CVE Revision Information: ===================== CVE-2016-0165 - Title: CVE-2016-0165 | Win32k Elevation of Privilege Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: Revised the Affected Products table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-0165. Consumers running Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. - Originally posted: April 12, 2016 - Updated: September 12, 2017 - CVE Severity Rating: Important - Version: 2.0 CVE-2016-3238 - Title: CVE-2016-3238 | Windows Print Spooler Remote Code Execution Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: To address known issues with the 3170455 update for CVE-2016-3238, Microsoft has made available the following updates for currently-supported versions of Microsoft Windows: • Rereleased update 3170455 for Windows Server 2008 • Monthly Rollup 4038777 and Security Update 4038779 for Windows 7 and Windows Server 2008 R2 • Monthly Rollup 4038799 and Security Update 4038786 for Windows Server 2012 • Monthly Rollup 4038792 and Security Update 4038793 for Windows 8.1 and Windows Server 2012 R2 • Cumulative Update 4038781 for Windows 10 • Cumulative Update 4038781 for Windows 10 Version 1511 • Cumulative Update 4038782 for Windows 10 Version 1607 and Windows Server 2016. Microsoft recommends that customers running Windows Server 2008 reinstall update 3170455. Microsoft recommends that customers running other supported versions of Windows install the appropriate update. See Microsoft Knowledge Base Article 3170005 (https://support. microsoft.com/en-us/help/3170005) for more information. - Originally posted: July 12, 2016 - Updated: September 12, 2017 - CVE Severity Rating: Critical - Version: 2.0 CVE-2016-3326 - Title: CVE-2016-3326 | Microsoft Browser Information Disclosure Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: Revised the Affected Products table to include Microsoft Edge and Internet Explorer 11 installed on Windows 10 Version 1703 for 32-bit Systems, and Microsoft Edge and Internet Explorer 11 installed on Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3326. In addition, corrected the Affected Products table to include Microsoft Edge installed on Windows 10, Windows 10 Version 1511, and Windows 10 Version 1607 because they are also affected by this vulnerability. Consumers using Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Microsoft Edge or Internet Explorer on Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. Customers who are running other versions of Windows 10 and who have installed the August cumulative updates do not need to take any further action. - Originally posted: August 9, 2016 - Updated: September 12, 2017 - CVE Severity Rating: Important - Version: 3.0 CVE-2016-3376 - Title: CVE-2016-3376 | Win32k Elevation of Privilege Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: Revised the Affected Products table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3376. Consumers using Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. - Originally posted: October 11, 2016 - Updated: September 12, 2017 - CVE Severity Rating: Important - Version: 3.0 CVE-2017-0213 - Title: CVE-2017-0213 | Windows COM Elevation of Privilege Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: To comprehensively address CVE-2017-0213, Microsoft has released security update 4038788 for Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems. Consumers using Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure that they have update 4038788 installed to be protected from this vulnerability. - Originally posted: May 8, 2017 - Updated: September 12, 2017 - CVE Severity Rating: Important - Version: 3.0 CVE-2017-8529 - Title: CVE-2017-8529 | Microsoft Browser Information Disclosure Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: To address known print regression issues customers may experience when printing from Internet Explorer or Microsoft Edge after installing any of the June security updates, monthly rollups, or IE cumulative updates, Microsoft has released the following September security updates: Internet Explorer Cumulative Update 4036586; Monthly Rollups 4038777, 4038799, 4038792; Security Updates 4038781, 4038783, 4038782, and 4038788 for all affected editions of Microsoft Edge and Internet Explorer when installed on supported editions of Windows. Please note that with the installation of these updates, the solution to CVE-2017-8529 is turned off by default to help prevent the risk of further issues with print regressions, and must be activated via your Registry. To be fully protected from this vulnerability, please see the Update FAQ section for instructions to activate the solution. - Originally posted: June 13, 2017 - Updated: September 12, 2017 - CVE Severity Rating: Moderate - Version: 5.0 CVE-2017-8599 - Title: CVE-2017-8599 | Microsoft Edge Security Feature Bypass Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance - Reason for Revision: To comprehensively address CVE-2017-8599, Microsoft has released September security updates for all affected editions of Microsoft Edge installed on supported editions of Windows 10. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. - Originally posted: July 11, 2017 - Updated: September 12, 2017 - CVE Severity Rating: Important - Version: 2.0 Security Bulletin Revision Information: ===================== MS16-039 - Title: Security Update for Microsoft Graphics Component (3148522) - https://technet.microsoft.com/library/security/ms16-039.aspx - Reason for Revision: Revised the Microsoft Windows affected software table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-0165. Consumers running Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. - Originally posted: April 12, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: Critical - Version: 4.0 MS16-APR - Title: Microsoft Security Bulletin Summary for April 2016 - https://technet.microsoft.com/library/security/ms16-APR.aspx - Reason for Revision: For MS16-039, revised the Windows Operating Systems and Components affected software table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-0165. Consumers running Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. - Originally posted: April 12, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: N/A - Version: 4.0 MS16-087 - Title: Security Update for Windows Print Spooler Components (3170005) - https://technet.microsoft.com/library/security/ms16-087.aspx - Reason for Revision: To address known issues with the 3170455 update for CVE-2016-3238, Microsoft has made available the following updates for currently-supported versions of Microsoft Windows: Rereleased update 3170455 for Windows Server 2008 Monthly Rollup 4038777 and Security Update 4038779 for Windows 7 and Windows Server 2008 R2 Monthly Rollup 4038799 and Security Update 4038786 for Windows Server 2012 Monthly Rollup 4038792 and Security Update 4038793 for Windows 8.1 and Windows Server 2012 R2 Cumulative Update 4038781 for Windows 10 Cumulative Update 4038781 for Windows 10 Version 1511 Cumulative Update 4038782 for Windows 10 Version 1607 and Windows Server 2016. Microsoft recommends that customers running Windows Server 2008 reinstall update 3170455. Microsoft recommends that customers running other supported versions of Windows install the appropriate update. See Microsoft Knowledge Base Article 3170005 for more information. - Originally posted: July 12, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: Critical - Version: 2.0 MS16-JUL - Title: Microsoft Security Bulletin Summary for July 2016 - https://technet.microsoft.com/library/security/ms16-JUL.aspx - Reason for Revision: For MS16-087, To address known issues with the 3170455 update for CVE-2016-3238, Microsoft has made available the following updates for currently-supported versions of Microsoft Windows: Rereleased update 3170455 for Windows Server 2008 Monthly Rollup 4038777 and Security Update 4038779 for Windows 7 and Windows Server 2008 R2 Monthly Rollup 4038799 and Security Update 4038786 for Windows Server 2012 Monthly Rollup 4038792 and Security Update 4038793 for Windows 8.1 and Windows Server 2012 R2 Cumulative Update 4038781 for Windows 10 Cumulative Update 4038781 for Windows 10 Version 1511 Cumulative Update 4038782 for Windows 10 Version 1607 and Windows Server 2016. Microsoft recommends that customers running Windows Server 2008 reinstall update 3170455. Microsoft recommends that customers running other supported versions of Windows install the appropriate update. See Microsoft Knowledge Base Article 3170005 for more information. - Originally posted: July 12, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: N/A - Version: 2.0 MS16-095 - Title: Cumulative Security Update for Internet Explorer (3177356) - https://technet.microsoft.com/library/security/ms16-095.aspx - Reason for Revision: Revised the Affected Software table to include Internet Explorer 11 installed on Windows 10 Version 1703 for 32-bit Systems and Internet Explorer 11 installed on Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3326. Consumers using Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Internet Explorer on Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. Customers who are running other versions of Windows 10 and who have installed the June cumulative updates do not need to take any further action. - Originally posted: August 9, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: Critical - Version: 3.0 MS16-AUG - Title: Microsoft Security Bulletin Summary for August 2016 - https://technet.microsoft.com/library/security/ms16-AUG.aspx - Reason for Revision: For MS16-095, revised the Windows Operating System and Components Affected Software table to include Internet Explorer 11 installed on Windows 10 Version 1703 for 32-bit Systems and Internet Explorer 11 installed on Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3326. Microsoft recommends that customers running Internet Explorer on Windows 10 Version 1703 install update 4038788 to be protected from this vulnerability. - Originally posted: August 9, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: N/A - Version: 3.0 MS16-123 - Title: Security Update for Windows Kernel-Mode Drivers (3192892) - https://technet.microsoft.com/library/security/ms16-123.aspx - Reason for Revision: Revised the Affected Software table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3376. Consumers using Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. - Originally posted: October 11, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: Important - Version: 3.0 MS16-OCT - Title: Microsoft Security Bulletin Summary for October 2016 - https://technet.microsoft.com/library/security/ms16-OCT.aspx - Reason for Revision: For MS16-123, revised the Windows Operating System and Components affected software table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3376. Consumers using Windows 10 are automatically protected. Microsoft recommends that enterprise customers running Windows 10 Version 1703 ensure they have update 4038788 installed to be protected from this vulnerability. - Originally posted: October 11, 2016 - Updated: September 12, 2017 - Bulletin Severity Rating: N/A - Version: 3.0 Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ============================================================= If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at . ******************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you’ve requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================