Microsoft has just released their patches for the month of November and Greg Wiseman, Rapid7’s Senior Security Researcher has provided his thoughts below.
Greg Wiseman, Senior Security Researcher at Rapid7:
“Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays. On top of this are five Adobe Flash Player vulnerabilities, all of which are classified as Critical Remote Code Execution (RCE) bugs. In fact it’s quite a big month for Adobe, who have issued advisories across nine separate products, with 62 vulnerability fixes just for Acrobat and Reader. Most of these address critical RCE vulnerabilities. Given the prevalence of PDF documents, administrators should take a close look at whether Adobe software in their environment is up to date.
Back to Microsoft: no non-browser vulnerabilities are considered critical this month, but with a little bit of social engineering, an attacker could theoretically combine one of the Office-based RCE vulnerabilities like CVE-2017-11878 or CVE-2017-11882 with a Windows Kernel privilege escalation weakness such as CVE-2017-11847 to gain complete control over a system. Thankfully, none of the patched vulnerabilities this time around are known to be exploited in the wild.
Microsoft is also rolling out fixes to some of their open source projects, which is a relatively new trend. 16 of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge’s JavaScript engine. .NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month. These aren’t updates in the traditional Microsoft sense, but fixes that developers should be sure are present when building software on top of these libraries.
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.