Microsoft Addresses Critical Security Flaws in October Patch Tuesday Release
In a significant update issued as part of this month’s “October Patch Tuesday,” Microsoft has rolled out security patches addressing 62 vulnerabilities across its product offerings, including a high-severity zero-day exploit affecting Microsoft Office. This proactive response comes amid rising concerns over cybersecurity threats targeting organizations worldwide.
The update encompasses a range of Microsoft products, including the Windows operating system, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync, and SharePoint Server. Notably, in addition to the MS Office exploit, Microsoft has patched two publicly disclosed vulnerabilities concerning SharePoint Server and the Windows Subsystem for Linux, which, while disclosed, had not been actively exploited in the wild.
A critical vulnerability identified in the Windows DNS service poses an immediate risk, potentially enabling an attacker to execute arbitrary code via malicious DNS responses. This exploit could seriously compromise systems running Windows 8.1, Windows 10, and Windows Server editions from 2012 to 2016. Security researcher Nick Freeman detailed how an attacker could leverage public Wi-Fi networks to execute harmful code on connected devices, emphasizing the significant risk associated with compromised DNS environments. This aligns with the MITRE ATT&CK framework, particularly tactics of initial access and execution.
One of the most concerning vulnerabilities patched is the Microsoft Office memory corruption flaw (CVE-2017-11826), which has gained traction through targeted attacks. Cybercriminals can exploit this vulnerability by delivering malicious Office files to victims, persuading them to open these files. Once activated, the malicious code executes with the same privileges as the user, raising the stakes for users with administrative rights.
Another noteworthy issue is a denial of service vulnerability in the Windows Subsystem for Linux (CVE-2017-8703). Labeled as “important” by Microsoft, this flaw enables an attacker to execute a faulty application that can crash the system. Although this issue was previously disclosed, it remains critical as it opens pathways for system unresponsiveness, particularly affecting Windows 10 users.
Microsoft has also addressed a cross-site scripting (XSS) vulnerability (CVE-2017-11777) in SharePoint Server, affecting enterprise users. This flaw permits attackers to send maliciously crafted requests to servers, allowing for possible exploitation that could compromise user identities and internal data integrity. Such breaches fall under the MITRE tactics of persistence and execution, risking further exploitation of organizational resources.
In addition to the high-profile vulnerabilities mentioned, the update includes patches for 19 weaknesses within the scripting engine of both Edge and Internet Explorer, marking a broader effort to mitigate web-based security risks. The vulnerabilities present significant danger as they could allow an attacker to run arbitrary code simply by visiting a compromised webpage.
While October’s patch cycle does not feature updates for Adobe Flash — which notably lacks security patches — Microsoft’s comprehensive efforts serve as a robust reminder to organizations about the necessity of timely security updates. Business owners are urged to install these updates promptly to safeguard their systems from potential cyber intrusions. They can initiate the update process via Settings, navigate to Update & Security, and select Windows Update.
As the cybersecurity landscape evolves, organizations must remain vigilant against emerging threats. By understanding the tactics and techniques outlined in the MITRE ATT&CK framework, businesses can better prepare for and respond to potential vulnerabilities, ensuring the protection of their digital assets.