No zero-day vulnerabilities this month, but still a moderate number of patches from Microsoft
Microsoft has issued fixes for a range of products in its November Patch Tuesday update, but thankfully none of the vulnerabilities are currently being exploited in the wild.
The 53 vulnerabilities are spread across the board, including the usual suspects such as Internet Explorer, Edge, Office and the Windows OS.
But unlike Microsoft’s moderate number of bug fixes this month, Adobe has released a hefty 62 patches for serious vulnerabilities.
“This November Patch Tuesday is moderate in volume and severity,” blogged Gill Langston of Qualys. “Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS receives 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe.”
Unusually, there are no vulnerabilities currently being exploited in the wild (so-called zero-day flaws), and indeed none of the Windows OS fixes are rated as critical, but Qualys does recommend focusing on CVE-2017-11830 and CVE-2017-11847, as they address a Security Feature Bypass and a Privilege Elevation respectively.
“It should also be noted that last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed,” Qualys said. “Therefore, it is recommended you ensure last month’s security patches are fully addressed.”
“We are in the holiday shopping season now and there will be plenty of opportunists out to take advantage of the KRACK vulnerability in Wi-Fi WPA security protocol,” said Chris Goettl, manager of product management at Ivanti.
“Pretty much any Wi-Fi using the WPA or WPA2 encryption could be exploited. This means an attacker could eavesdrop on your connection and gain access to sensitive information including username\password, credit card info, or any other PII being transmitted over the Wi-Fi unencrypted.”
“Microsoft’s Patch Tuesday update for November looks fairly tame. [Forty-seven] total unique vulnerabilities resolved across 11 updates. Two of these have been publicly disclosed, which means enough information has been released to the public to allow a threat actor to create an exploit or at least give them a jump start on where to begin.”
“Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed,” added Greg Wiseman, senior security researcher at Rapid7.
“Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays.
“.NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month.”
Whilst system admins will have to do some work to patch Microsoft products, they should be aware of the large number of fixes from Adobe.
“Adobe has 9 total product updates this month and many Critical security vulnerabilities being resolved,” continued Goettl.
“One thing to note is many of these updates may be rated as a Priority 2, but this means it has Critical vulnerabilities, just none actively being exploited or disclosed at this time. Ivanti recommends any Adobe Priority 2s get resolved quickly, especially for Flash Player.”
“In fact it’s quite a big month for Adobe, who have issued advisories across nine separate products, with 62 vulnerability fixes just for Acrobat and Reader,” suggested Wiseman. “Most of these address critical RCE vulnerabilities. Given the prevalence of PDF documents, administrators should take a close look at whether Adobe software in their environment is up to date.”