Patch Tuesday: Microsoft Fixes Exploit Found In Wild

Microsoft has released its monthly Patch Tuesday security update that fixes a wide range of vulnerabilities, including one that is being exploited in the wild.

The update tackles a total of 62 vulnerabilities; 28 of which are rated as critical, and although this is lighter than last month, there is still plenty of work for system admins.

And for a long time this month’s Patch Tuesday update does not contain a security update for Adobe Flash (there is a bug fix however).

Security Update

“Microsoft resolved a total of 62 unique vulnerabilities, down nearly 20 percent from the 76 unique vulnerabilities resolved last month, noted Chris Goettl, Manager of Product Management (Security) at Ivanti.

“There were 10 bulletins of which nine were rated Critical and one Important,” he added. “The resolved vulnerabilities included two public disclosures and one vulnerability (CVE-2017-11826) that has been both exploited in the wild and publicly disclosed.”

He felt that system admins should pay attention to CVE-2017-8703, that concerns Windows Subsystem for Linux Denial of Service Vulnerability.

This flaw would allow an attacker to execute a specially crafted application to affect an object in memory allowing them to cause the system to become unresponsive.

Goettl also pointed to CVE-2017-11777 (Microsoft Office SharePoint XSS Vulnerability) and CVE-2017-11826 (Microsoft Office Memory Corruption Vulnerability) as worth paying attention to.

“This is a relatively light month in terms of severity, but with over 60 vulnerabilities being fixed there’s still plenty of patching to be done,” said Greg Wiseman, a senior security researcher at Rapid7.

Weak Encryption Keys

“Of note this month are the various Security Advisories Microsoft has published,” he added. “ADV170012 calls out a weak key generation vulnerability in certain Trusted Platform Module (TPM) chips from Infineon.”

This Windows flaw could result in weak cryptographic keys, but Wiseman also felt that two other advisories, ADV170016 and ADV170017, provide “defence in depth” changes for Server 2008 and Microsoft Office respectively.

“Of the patches released, 28 of these vulnerabilities are labelled as Critical,” said Jimmy Graham, director of product management at Qualys.

“Aside from CVE-2017-11826, priority should also be given to CVE-2017-11771, a vulnerability in the Windows Search service,” he said.

“As with several recent Patch Tuesdays, the majority of the vulnerabilities in this month’s release involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritising for workstation-type systems that use email and access the internet via a browser,” he added.

Quiz: Know all about Microsoft?