Microsoft has just released its patches for the month of November, and Greg Wiseman, Senior Security Researcher at Rapid7, has provided his thoughts below.
Greg Wiseman, Senior Security Researcher at Rapid7:
“Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays. On top of this are five Adobe Flash Player vulnerabilities, all of which are classified as Critical Remote Code Execution (RCE) bugs. In fact, it’s quite a big month for Adobe, who have issued advisories across nine separate products, with 62 vulnerability fixes just for Acrobat and Reader. Most of these address critical RCE vulnerabilities. Given the prevalence of PDF documents, administrators should take a close look at whether Adobe software in their environment is up to date.
Back to Microsoft: no non-browser vulnerabilities are considered critical this month, but with a little bit of social engineering, an attacker could theoretically combine one of the Office-based RCE vulnerabilities like CVE-2017-11878 or CVE-2017-11882 with a Windows Kernel privilege escalation weakness such as CVE-2017-11847 to gain complete control over a system. Thankfully, none of the patched vulnerabilities this time around are known to be exploited in the wild.”
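The quote above tells administrators to check whether Adobe software is up to date but does not say how. The script below is an added example, not code from Rapid7 or from the article: it enumerates installed Adobe products from the two Windows uninstall registry hives (64-bit and WOW6432Node) and flags anything older than a minimum version the administrator supplies. The `$MinimumVersions` table is an empty placeholder to be filled from Adobe's own advisories; no fixed version numbers are assumed here.

```powershell
# Added example (not part of the Rapid7 quote): inventory Adobe products on a
# Windows host and compare them with administrator-supplied minimum versions.
# Run in an elevated PowerShell prompt, e.g.:
#   .\Check-AdobeVersions.ps1 -MinimumVersions @{ 'Adobe Acrobat Reader DC' = '<version from APSB advisory>' }
param(
    # DisplayName prefix -> minimum patched version. Left empty on purpose;
    # populate from the current Adobe security bulletins.
    [hashtable]$MinimumVersions = @{}
)

# Both hives must be read: 32-bit installers on 64-bit Windows register under WOW6432Node.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$adobeProducts = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe*' -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion, InstallDate

foreach ($product in $adobeProducts) {
    $status = 'unknown (no minimum supplied)'

    foreach ($prefix in $MinimumVersions.Keys) {
        if ($product.DisplayName -notlike "$prefix*") { continue }

        # Adobe version strings such as 18.009.20044 or 27.0.0.187 parse as [version],
        # which compares numerically field by field instead of as text.
        try {
            $installed = [version]$product.DisplayVersion
            $required  = [version]$MinimumVersions[$prefix]
            $status = if ($installed -ge $required) { 'OK' } else { 'NEEDS UPDATE' }
        } catch {
            # Fall back to a plain string compare if either value is not a parseable version.
            $status = if ($product.DisplayVersion -ge $MinimumVersions[$prefix]) { 'OK' } else { 'NEEDS UPDATE' }
        }
    }

    [pscustomobject]@{
        Product     = $product.DisplayName
        Installed   = $product.DisplayVersion
        InstallDate = $product.InstallDate
        Status      = $status
    }
}
```

Products with no matching entry in `$MinimumVersions` are still listed so that nothing installed is silently skipped; the same pattern extends to any other vendor by changing the `DisplayName` filter.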