Redmond has addressed 32 CVE-listed vulnerabilities in Edge, Windows, and Office, as well as a hole in Internet Explorer last seen in the early-oughts. Get patching as soon as possible.
Leading this month’s Patch Tuesday charge is CVE-2017-11927, a bug in Windows that can be exploited by an attacker to snatch a victim’s NTLM hash, which could be cracked offline to reveal their password. A mark would have to be tricked into clicking on a link to a malicious website, SMB share, or UNC path, which would trigger exploitation via the little-used ITS protocol handler, which serves content from compiled HTML help (CHM) files.
“In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update,” explained Dustin Childs from Trend Micro’s Zero Day Initiative.
“It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info.”
As is often the case, scripting engine flaws in Microsoft Edge and Internet Explorer make up 17 of the 19 vulnerabilities rated by Microsoft as “critical” risks. Those flaws allow remote code execution by way of a specially crafted website: browsing a dodgy page could end up leaving you with malware or spyware on your machine.
The remaining critical issues are CVE-2017-11888, another remote code execution flaw caused by a memory corruption error in Edge, and CVE-2017-11937, the remote code execution flaw in Malware Protection Engine that Microsoft addressed with an out-of-band patch last week.
For the second straight month, Microsoft is also patching a security bypass flaw in Device Guard (CVE-2017-11899) that lets unsigned files pass themselves off as signed. This means malicious programs can masquerade as legit software.
“This is exactly the sort of bug malware authors seek, as it allows them to have their exploit appear as a trusted file to the target,” noted Childs.
CVE-2017-11885, a remote code execution vulnerability in the Routing and Remote Access Service (RRAS) component of RPC on Windows Server, also raised eyebrows among security experts.
“Make sure you are patching systems that are using RRAS, and ensure it is not enabled on systems that do not require it, as disabling RRAS will protect against the vulnerability,” explained Gill Langston of Qualys.
“For that reason it is listed as exploitation less likely, but should get your attention after patching the browsers.”
Office users will want to update the suite to address a remote code execution flaw in Excel (CVE-2017-11935) – yes, an evil spreadsheet can execute arbitrary malware on your system when opened – and information disclosure vulnerabilities in PowerPoint (CVE-2017-11934) and Office (CVE-2017-11939).
Adobe, meanwhile, has just one patch to issue this month, a fix for a Business Logic Error (CVE-2017-11305) in Flash Player that could allow for a reset of the global settings preferences file. ®