Patch Tuesday: Microsoft Fixes Exploit Found In Wild

Microsoft has released its monthly Patch Tuesday security update that fixes a wide range of vulnerabilities, including one that is being exploited in the wild.

The update tackles a total of 62 vulnerabilities; 28 of which are rated as critical, and although this is lighter than last month, there is still plenty of work for system admins.

And for a long time this month’s Patch Tuesday update does not contain a security update for Adobe Flash (there is a bug fix however).

Security Update

“Microsoft resolved a total of 62 unique vulnerabilities, down nearly 20 percent from the 76 unique vulnerabilities resolved last month, noted Chris Goettl, Manager of Product Management (Security) at Ivanti.

“There were 10 bulletins of which nine were rated Critical and one Important,” he added. “The resolved vulnerabilities included two public disclosures and one vulnerability (CVE-2017-11826) that has been both exploited in the wild and publicly disclosed.”

He felt that system admins should pay attention to CVE-2017-8703, that concerns Windows Subsystem for Linux Denial of Service Vulnerability.

This flaw would allow an attacker to execute a specially crafted application to affect an object in memory allowing them to cause the system to become unresponsive.

Goettl also pointed to CVE-2017-11777 (Microsoft Office SharePoint XSS Vulnerability) and CVE-2017-11826 (Microsoft Office Memory Corruption Vulnerability) as worth paying attention to.

“This is a relatively light month in terms of severity, but with over 60 vulnerabilities being fixed there’s still plenty of patching to be done,” said Greg Wiseman, a senior security researcher at Rapid7.

Loading ...

Weak Encryption Keys

“Of note this month are the various Security Advisories Microsoft has published,” he added. “ADV170012 calls out a weak key generation vulnerability in certain Trusted Platform Module (TPM) chips from Infineon.”

This Windows flaw could result in weak cryptographic keys, but Wiseman also felt that two other advisories, ADV170016 and ADV170017, provide “defence in depth” changes for Server 2008 and Microsoft Office respectively.

“Of the patches released, 28 of these vulnerabilities are labelled as Critical,” said Jimmy Graham, director of product management at Qualys.

“Aside from CVE-2017-11826, priority should also be given to CVE-2017-11771, a vulnerability in the Windows Search service,” he said.

“As with several recent Patch Tuesdays, the majority of the vulnerabilities in this month’s release involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritising for workstation-type systems that use email and access the internet via a browser,” he added.

Quiz: Know all about Microsoft?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Tesla Shares Surge On China Advanced Self-Driving Push

Tesla makes key advances toward advanced self-driving rollout in China as chief Elon Musk meets…

10 hours ago

UK Law Aims To Boost Security For ‘Smart’ Devices

New UK rules bring in basic security requirements for millions of internet-connected devices, aiming to…

11 hours ago

Alphabet Value Surges Over $2tn On Dividend Plan

Google parent Alphabet sees market capitalisation surge over $2tn on plan to over first-ever cash…

17 hours ago

Google Asks US Court To Dismiss Federal Adtech Case

Google asks Virginia federal court to dismiss case brought by US Justice Department and eight…

18 hours ago

Snap Sees Surge In Users, Ad Revenues

Snapchat parent Snap reports user growth, revenues in spite of tough competition, in what may…

18 hours ago

Shein Subject To Most Stringent EU Digital Rules

Quick-growing fast-fashion company Shein must comply with most stringent level of EU digital rules after…

19 hours ago