Patch Tuesday: Microsoft’s 53 Vulnerabilities Surpassed By Adobe Fixes

Microsoft has issued fixes for a range of products in its November Patch Tuesday update, but thankfully none of the vulnerabilities are currently being exploited in the wild.

The 53 vulnerabilities are spread across the board, including the usual suspects such as Internet Explorer, Edge, Office and the Windows OS.

But unlike Microsoft’s moderate number of bug fixes this month, Adobe has released a hefty 62 patches for serious vulnerabilities.

Microsoft Patches

“This November Patch Tuesday is moderate in volume and severity,” blogged Gill Langston of Qualys. “Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS receives 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe.”

Unusually, there are no vulnerabilities currently being exploited in the wild (so-called zero-day flaws), and indeed none of the Windows OS fixes are rated as critical, but Qualys does recommend focusing on CVE-2017-11830 and CVE-2017-11847, as they address a Security Feature Bypass and a Privilege Elevation respectively.

“It should also be noted that last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed,” Qualys said. “Therefore, it is recommended you ensure last month’s security patches are fully addressed.”

“We are in the holiday shopping season now and there will be plenty of opportunists out to take advantage of the KRACK vulnerability in Wi-Fi WPA security protocol,” said Chris Goettl, manager of product management at Ivanti.

“Pretty much any Wi-Fi using the WPA or WPA2 encryption could be exploited. This means an attacker could eavesdrop on your connection and gain access to sensitive information including username\password, credit card info, or any other PII being transmitted over the Wi-Fi unencrypted.”

“Microsoft’s Patch Tuesday update for November looks fairly tame. [Forty-seven] total unique vulnerabilities resolved across 11 updates. Two of these have been publicly disclosed, which means enough information has been released to the public to allow a threat actor to create an exploit or at least giving them a jump start on where to begin.”

“Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed,” added Greg Wiseman, senior security researcher at Rapid7.

“Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays.

“Microsoft is also rolling out fixes to some of their open source projects, which is a relatively new trend. 16 of the Edge vulnerabilities have been resolved in ChakraCore, the open source part of Edge’s JavaScript engine.

“.NET Core is being patched for a denial of service (DoS) vulnerability (CVE-2017-11770), and ASP.NET Core has fixes for DoS (CVE-2017-11883), privilege escalation (CVE-2017-11879), and information disclosure (CVE-2017-8700) vulnerabilities this month.”


Adobe Patches

Whilst system admins will have to do some work to patch Microsoft products, they should be aware of the large number of fixes from Adobe.

“Adobe has 9 total product updates this month and many Critical security vulnerabilities being resolved,” continued Goettl.

“One thing to note is many of these updates may be rated as a Priority 2, but this means it has Critical vulnerabilities, just none actively being exploited or disclosed at this time. Ivanti recommends any Adobe Priority 2s get resolved quickly, especially for Flash Player.”

“In fact it’s quite a big month for Adobe, who have issued advisories across nine separate products, with 62 vulnerability fixes just for Acrobat and Reader,” suggested Wiseman. “Most of these address critical RCE vulnerabilities. Given the prevalence of PDF documents, administrators should take a close look at whether Adobe software in their environment is up to date.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
