Microsoft has just released its patches for the month of November, and Greg Wiseman, Senior Security Researcher at Rapid7, has provided his thoughts below.
Greg Wiseman, Senior Security Researcher at Rapid7:
“Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays. On top of this are five Adobe Flash Player vulnerabilities, all of which are classified as Critical Remote Code Execution (RCE) bugs. In fact, it’s quite a big month for Adobe, who have issued advisories across nine separate products, with 62 vulnerability fixes just for Acrobat and Reader. Most of these address critical RCE vulnerabilities. Given the prevalence of PDF documents, administrators should take a close look at whether Adobe software in their environment is up to date.
Back to Microsoft: no non-browser vulnerabilities are considered critical this month, but with a little bit of social engineering, an attacker could theoretically combine one of the Office-based RCE vulnerabilities like CVE-2017-11878 or CVE-2017-11882 with a Windows Kernel privilege escalation weakness such as CVE-2017-11847 to gain complete control over a system. Thankfully, none of the patched vulnerabilities this time around are known to be exploited in the wild.
Microsoft is also rolling out fixes to some of their open source projects, which is a relatively new trend. Sixteen of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge’s JavaScript engine. .NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month. These aren’t updates in the traditional Microsoft sense, but fixes that developers should be sure are present when building software on top of these libraries.”
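The advice above to check whether Adobe software in the environment is up to date is easy to act on from the Windows side. The following PowerShell script is an added example, not part of the original article or of Rapid7's or Adobe's tooling: it inventories installed Adobe products from the standard Uninstall registry keys and flags any whose version is below a minimum the caller supplies. The `-MinimumVersion` value and the `Adobe*` filter are assumptions for illustration; the script does not know which build resolves a given advisory, so take that number from the relevant Adobe bulletin.

```powershell
# Added example (not from the original article): inventory installed Adobe
# products on a Windows host by reading the Uninstall registry keys, and flag
# any whose DisplayVersion is below a caller-supplied minimum.
# -MinimumVersion is an assumption supplied by the operator; this script has no
# knowledge of which build fixes a particular Adobe advisory.
param(
    [string]$ProductFilter = 'Adobe*',
    [version]$MinimumVersion = '0.0.0'
)

# Native 64-bit, 32-bit (WOW6432Node) and per-user installs all register here.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProductFilter -or $_.Publisher -like $ProductFilter } |
    ForEach-Object {
        $parsed = $null
        # DisplayVersion is free text. Treat anything that does not parse as a
        # System.Version as UNKNOWN rather than silently letting it pass.
        $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = if (-not $ok) { 'UNKNOWN' }
                      elseif ($parsed -lt $MinimumVersion) { 'OUT OF DATE' }
                      else { 'OK' }
        }
    }

$installed | Sort-Object Name | Format-Table Name, Version, Status -AutoSize

# Non-zero exit if anything is below the minimum or could not be parsed, so the
# script can run as a scheduled compliance check and fail loudly.
if ($installed | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it as `.\Check-AdobeVersions.ps1 -MinimumVersion 17.0.0` (the threshold here is illustrative) from an elevated prompt so both HKLM views are readable. Because it reads the same keys that Programs and Features uses, it sees MSI and EXE installs alike, but it will not see portable or per-app-bundled copies of Adobe components; those need a file-based inventory.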
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.