Microsoft Issues November Security Updates Addressing 53 Vulnerabilities
This month marks another crucial Patch Tuesday, as Microsoft has issued a comprehensive set of security updates aimed at addressing a total of 53 vulnerabilities across various Windows products. Among these vulnerabilities, 19 have been designated as critical, followed by 31 classified as important and 3 deemed moderate. Affected systems include the Windows operating system, Microsoft Office, Microsoft Edge, Internet Explorer, and .NET Core, among others.
Notably, four of the vulnerabilities fixed in this update come with public exploits, making them particularly concerning for organizations. Fortunately, security expert Gill Langston of Qualys reported that these vulnerabilities are not currently being exploited in the wild. The vulnerabilities identified include CVE-2017-8700, related to information disclosure in ASP.NET Core; CVE-2017-11827, which allows remote code execution in Microsoft browsers; CVE-2017-11848, concerning information disclosure in Internet Explorer; and CVE-2017-11883, which could result in a denial of service in ASP.NET Core.
Interestingly, this month’s updates do not classify any of the patches for the Windows OS as critical. However, two vulnerabilities warrant particular attention: the Device Guard Security Feature Bypass Vulnerability (CVE-2017-11830) and a Privilege Elevation flaw (CVE-2017-11847). According to an analysis by Zero-Day Initiative, both vulnerabilities present a risk of being exploited to deploy malware. Specifically, CVE-2017-11830 could allow malware developers to bypass file authentication, while CVE-2017-11877, related to Office, fails to enforce macro settings—common tactics leveraged by attackers.
The update also addresses six remote code execution vulnerabilities in the Microsoft scripting engine that could allow attackers to execute malicious code in the context of the current user. These vulnerabilities (CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873) could be exploited through a specially crafted website hosted by an attacker, emphasizing the importance of awareness in web browsing practices.
Of particular concern is the long-standing remote code execution flaw (CVE-2017-11882) that affects all versions of Microsoft Office released in the past 17 years. This vulnerability revolves around improper memory management, allowing an attacker to execute malicious code if a user opens an infected file in Microsoft Office or Microsoft WordPad. As this vulnerability can result in system compromise, users are urged to exercise caution when handling Office files.
Beyond Microsoft’s updates, Adobe also released patches for its products, which address a whopping 62 vulnerabilities in Acrobat and Reader as part of a coordinated update. This underscores the significance of maintaining all software up-to-date across organizational environments.
Lastly, it is crucial for users to ensure that previous vulnerabilities, such as the KRACK vulnerability in the WPA2 wireless protocol, have also been patched. Business owners are strongly advised to promptly apply the November security patches to minimize the risk of cyber exploitation. To install these updates, users can navigate to Settings, select Update & Security, and click on Windows Update to check for the latest patches.
In conclusion, the November Patch Tuesday serves as a timely reminder for business owners to prioritize cybersecurity measures. Awareness of vulnerabilities, whether in Microsoft products or third-party applications, is essential for safeguarding sensitive data and maintaining the integrity of IT systems.