Patch Tuesday: Microsoft Tackles 82 Security Flaws, Including One Zero-Day

Microsoft has pushed out its monthly Patch Tuesday security update that fixes a total of 82 vulnerabilities, spread across 14 updates for its software.

Amongst these fixes was one zero-day vulnerability that was being exploited in the wild, as well as three newly revealed bugs that have yet to be exploited.

Meanwhile, Adobe has also pushed out fixes for five critical vulnerabilities, two of which are for its much-maligned Flash media player. Flash is of course being retired slowly, with support for it due to end in 2020.

Patch Tuesday

The 82 Microsoft patches for September cover a range of its products, and 39 of the vulnerabilities could result in Remote Code Execution (RCE). One of the most important for system administrators to patch immediately is a vulnerability in Redmond’s augmented reality tool HoloLens, for which a public exploit exists.

“Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows,” said Jimmy Graham, Director of Product Management at Qualys.

“Patches covering 27 of these vulnerabilities are labelled as Critical, and 39 can result in Remote Code Execution (RCE). According to Microsoft, one vulnerability impacting HoloLens has a public exploit.”

That said, Graham feels that the top priority for systems admins to patch is CVE-2017-0161, an RCE vulnerability in NetBIOS that impacts both servers and workstations. He also recommends that users of Microsoft’s DHCP server apply the patch for CVE-2017-8686 as well.


“Out of the 26 vulnerabilities that are both Critical and RCE, 22 of them impact Microsoft’s browsers,” he said. “Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritising for workstation-type systems that use email and access the internet via a browser.”

“September Patch Tuesday is in and it brings a high CVE count along with some public disclosures and a Zero Day to be concerned about,” said Chris Goettl, product manager with Ivanti.

He pointed out that affected Microsoft products include Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, as well as Skype for Business and Lync, .NET Framework and Microsoft Exchange Server.

“CVE-2017-8759 is a vulnerability in Microsoft .Net Framework’s processing of untrusted input. This is a user targeted vulnerability, meaning an attacker could convince a user to open a malicious document or application resulting in their ability to take control of the affected system.”

Goettl also pointed out that the three public disclosures this month are all on the Windows 10 platform: two in the OS and one in the Edge browser.

Adobe Fixes

Meanwhile, Adobe has also been busy, releasing its own patches for five critical vulnerabilities, two of which concern Adobe Flash.

The other patches are for Adobe ColdFusion and RoboHelp.

“On the Adobe front this month, the Flash Player update includes fixes for two vulnerabilities (CVE-2017-11281, CVE-2017-11282),” added Goettl.

“Both are rated as Critical,” he said. “The priorities assigned to each distribution do vary. For Flash Desktop and Flash for Edge and IE the update is rated as Critical (Priority 1 by Adobe terminology). Flash for Chrome is rated as Important (Priority 2). Both vulnerabilities are Remote Code Execution vulnerabilities involving memory corruption to exploit.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
