This is a surprising October Patch Tuesday release from Microsoft. Normally, we would see a series of urgent critical updates from Microsoft for severe, massively damaging exploits in either Adobe Flash Player or several less critical though still urgent issues in both of Microsoft’s browsers. This month is different. No Adobe Flash Player updates. I repeat, no Flash updates. And no urgent browser updates, either.
For this October Patch Tuesday, Microsoft Office has the highest, most critical rating with a publicly reported and already exploited vulnerability in a Word automation component. In addition, Microsoft has released a series of security advisories for Windows 10. The most critical (ADV170012) relates to “a security vulnerability [which] exists in certain Trusted Platform Module (TPM) chipsets.” With a comparatively high CVSS score of 7.3, this firmware update requires some attention. You can also find a useful infographic from Chris Goettl’s blog here.
This month’s patches, advisories and updates from Microsoft impact the following technologies and platforms:
- Windows 10
- Microsoft .NET
- Microsoft Office and Skype
- Microsoft Browsers (IE11 and Edge)
If you are using Windows 10 Release 1511, then this is the final month that you will receive security updates and patches. Now might be a good time to update to the Fall Creators release, or at least move onto the Windows 10 1703 branch.
Microsoft has attempted to address more than thirty vulnerabilities across Windows 7, Server 2008, Server 2012 and the earlier releases of Windows 10. There are 7 critical updates for Windows 7, Server 2008 and the first patch to the initial release of Windows 10 (Build 1511). Unfortunately, we have seen reports of at least 4 known issues that have been reported for this month’s Patch Tuesday updates including:
- 4041691: “After installing this update, downloading updates using express installation files may fail.”
- 4042895: “Users may see an error dialog that indicates that an application exception has occurred when closing some applications.”
- 4041676: “Systems with support enabled for USB Type-C may experience a blue screen or stop responding with a black screen when a system shutdown is initiated.”
- 4041681: “Some users may see an error dialog that indicates that an application exception has occurred when closing some applications.”
The most critical issue raised against the Windows platform is a publicly reported exploit on the Linux subsystem for Windows 10. CVE-2017-8703 relates to a denial of service type attack on this platform, and given the publicly reported status, makes this Windows update for October a “Patch Now” update.
Microsoft Office and Skype
Microsoft has addressed 9 reported vulnerabilities in Microsoft Office and Skype for Business for this October security update. None of these vulnerabilities have been rated as critical by Microsoft, though one vulnerability has been publicly reported and exploited while the other was only publicly reported with no known “in the wild” exploits at the time of the security release. The details for these SharePoint and Word vulnerabilities include:
- CVE-2017-11777: A cross-site scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server that may lead to an elevation of privilege security issue. This vulnerability was rated as critical by Microsoft.
- CVE-2017-11826: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. This vulnerability has been publicly reported and is known to be exploited. This vulnerability could be exploited by a specially crafted Word file or email attachment.
Normally, Microsoft Office updates have a lower urgency or slower roll-out schedule compared to the more urgent browser or Adobe Flash updates. However for this month, the Microsoft Office update is rated as a “Patch Now” update from Microsoft.
Browsers (IE and Edge)
Microsoft has reported 4 lower rated updates for Internet Explorer 11 on Server 2008 R2 and a further twenty-two critical updates to Microsoft Edge for all 4 released versions of Windows 10. Normally, we would see publicly reported issues or even security exploits reported in the wild, however not this month. As the browser updates will be rolled-up into the Windows 10 cumulative update, add these updates to your standard deployment effort.
This article is published as part of the IDG Contributor Network.