Patch Tuesday: Microsoft Tackles 82 Security Flaws, Including One Zero-Day

Microsoft has pushed out its monthly Patch Tuesday security update that fixes a total of 82 vulnerabilities, spread across 14 updates for its software.

Amongst these fixes was one zero-day vulnerability that was being exploited in the wild, as well as three publicly disclosed bugs that have not yet been seen exploited.

Meanwhile Adobe has also pushed out fixes for five critical vulnerabilities, two of which are for its much maligned Flash media player. Flash is of course being retired gradually, with support for it due to end in 2020.

Patch Tuesday

The 82 Microsoft patches for September cover a range of its products, and 39 of the flaws could result in Remote Code Execution (RCE). One that stands out for system administrators is a vulnerability in Redmond’s augmented reality headset HoloLens, for which a public exploit already exists.

“Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows,” said Jimmy Graham, Director of Product Management at Qualys.

“Patches covering 27 of these vulnerabilities are labelled as Critical, and 39 can result in Remote Code Execution (RCE). According to Microsoft, one vulnerability impacting HoloLens has a public exploit.”

That said, Graham feels the top priority for systems admins to patch is CVE-2017-0161, an RCE vulnerability in NetBIOS that impacts both servers and workstations. And for those running Microsoft’s DHCP server, he recommends applying the fix for CVE-2017-8686 as well.


“Out of the 26 vulnerabilities that are both Critical and RCE, 22 of them impact Microsoft’s browsers,” he said. “Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritising for workstation-type systems that use email and access the internet via a browser.”

“September Patch Tuesday is in and it brings a high CVE count along with some public disclosures and a Zero Day to be concerned about,” said Chris Goettl, product manager with Ivanti.

He pointed out that the affected Microsoft products include Internet Explorer; Microsoft Edge; Microsoft Windows; Microsoft Office and Microsoft Office Services and Web Apps; Skype for Business and Lync; .NET Framework; and Microsoft Exchange Server.

“CVE-2017-8759 is a vulnerability in Microsoft .NET Framework’s processing of untrusted input. This is a user targeted vulnerability, meaning an attacker could convince a user to open a malicious document or application resulting in their ability to take control of the affected system.”

Goettl also pointed out that the three public disclosures this month all concern the Windows 10 platform: two in the OS itself and one in the Edge browser.

Adobe Fixes

Meanwhile Adobe has also been busy, releasing its own patches for five critical vulnerabilities, two of which concern Adobe Flash.

The other patches are for Adobe ColdFusion and RoboHelp.

“On the Adobe front this month, the Flash Player update includes fixes for two vulnerabilities (CVE-2017-11281, CVE-2017-11282),” added Goettl.

“Both are rated as Critical,” he said. “The priorities assigned to each distribution do vary. For Flash Desktop and Flash for Edge and IE the update is rated as Critical (Priority 1 in Adobe terminology). Flash for Chrome is rated as Important (Priority 2). Both vulnerabilities are Remote Code Execution vulnerabilities involving memory corruption to exploit.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
