Normal size security update for July as Microsoft delivers first fix for its HoloLen product
Microsoft has delivered an average sized Patch Tuesday security update for July that addresses a total of 54 vulnerabilities, 19 of which are rated as critical.
The patches over the usual Microsoft suspects including Windows (7, 8.1, 10); its Edge web browser, Internet Explorer; Windows Server; and Office.
But Redmond has also for the first time issued a patch update for its virtual reality computer, Hololens.
As is usual, the advise for system administrators is to pay immediate attention to the 19 critical patches, as these can lead to remote code execution if left unpatched.
But the good news is that none of these flaws are currently being exploited in the wild.
The flaw can be remotely exploited and can impact both servers and workstations.
Another priority says Graham, especially for Windows domain controllers, is CVE-2017-8563, which can be utilised to elevate privileges and obtain system-level access to domain controllers.
Graham also thinks that CVE-2017-8463, which concerns a Windows Explorer vulnerability, as well as multiple browser vulnerabilities in Internet Explorer and Edge.
Meanwhile Greg Wiseman, senior security researcher at Rapid7, points out that most of the critical vulnerabilities patched this month concern client-side systems, mostly Internet Explorer and Edge.
“Browser-based RCE vulnerabilities are a significant attack vector, but they typically require some degree of social engineering in order to convince the user to visit a malicious web page,” noted Wiseman. “Similarly with most Microsoft Office bugs (eight CVEs this month); users need to be tricked into opening attachments.
“More concerning are RCE vulnerabilities that do not require any user interaction,” he added. “Exploits can be weaponized to quickly spread malware, as we’ve seen with the recent ransomware outbreaks.”
Palo Alto Networks recently told Silicon that evolving ransomware is now the biggest cyber security threat being faced.