Patch Tuesday: Microsoft’s Last Security Update Of 2017 Targets Browsers

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Web browser vulnerabilities receive the most attention from Microsoft in its pre Christmas update

The last Patch Tuesday from Microsoft in 2017 is lighter than last months’ offering and is mostly geared towards fixing problems with Redmond’s web browsers.

Indeed December’s Patch Tuesday release has patched 34 vulnerabilities, 20 of which are rated as critical and 12 rated as important.

Microsoft has also provided further information on which products are reaching the end of support in 2018, so system admins can begin their preparations now.

microsoft-patch

Browser Patches

It is the usual suspects of Microsoft products patched this month including Internet Explorer, Edge, Microsoft Windows, Office, SharePoint and Exchange.

“No big surprises from Microsoft this month, with over 70 percent of the 34 vulnerabilities addressed being web browser defects,” explained Greg Wiseman, senior security researcher at Rapid7, and warned that most of these are Critical Remote Code Execution (RCE) vulnerabilities.

Two of this month’s vulnerabilities were actually patched last week; CVE-2017-11937 and CVE-2017-11940 are Critical RCE vulnerabilities in Microsoft’s Malware Protection Engine (MPE),” said Wiseman. “Fixes for the MPE may come out at any time, as they are delivered via the same update mechanism as malware signatures (which are updated multiple times per day).

“These MPE vulnerabilities also affect Exchange Server, so back-end administrators do have some work to do this month,” he added.

“Exchange Server is also getting a fix for CVE-2017-11932, a spoofing vulnerability that could allow script or content injection attacks, potentially leading to sensitive information disclosure or redirection to a malicious website. Also on the back end, CVE-2017-11885 affects servers with Routing and Remote Access enabled.”

Another expert also pointed December’s patch update has been relative quiet, considering the busy year for patches that system admins have had to contend with.

“Patch Tuesday December is only a small flurry of updates,” said Chris Goettl, manager, product management at Ivanti. “Total CVE count from Microsoft is 32 unique CVEs and none of these are Exploited or Disclosed at this time. Adobe has an update for Flash Player resolving one Moderate CVE.”

“Most of the December vulnerabilities are in the Microsoft browsers this month so make the IE and Edge browser updates a high priority.

“The Office update is also of concern, but don’t ignore the Exchange and SharePoint updates for too long. This month’s Exchange update impacts OWA and includes 1 CVE that is more complex to exploit, but could be used in conjunction with other CVEs as a pivot to chain an attack. SharePoint also includes 1 CVE that could allow for Cross Site Scripting attack that could allow for an elevation of privilege.”

Quiet End

“This December Patch Tuesday is considerably lighter than last month’s patch releases,” added Gill Langston, director of product management at Qualys. “While only three of the fixes were for Windows operating systems, the majority of the vulnerabilities to pay attention to are Browser/Scripting Engine-based.”

Langston recommended that admins pay the most attention to the browsers and the Scripting Engine Memory Corruption Vulnerabilities.

“There is one Windows OS vulnerability that should be reviewed, and that is the fix for CVE-2017-11885, which is a Remote Code Execution using RPC on systems that have Routing and Remote Access service (RRAS) enabled,” said Langston.

“So all in all, a rather quiet end to a busy year in vulnerabilities.”

Do you know all about security in 2017? Try our quiz!