Critical updates to IE and Flash for November Patch Tuesday

Greg Lambert
November 28, 2017
November brings a relatively light series of updates from Microsoft. We see a return to form, with Microsoft releasing another critical update to Adobe Flash and several critical patches to Microsoft Internet Explorer (IE) and Edge. Office and Windows platforms (desktop and server) have less severe reported exposures with no reported critical updates for November. Unfortunately, there are already a few reported deployment issues with the Windows updates, with the following patch-related Knowledge Base (KB) issues reported by Microsoft:

  • 4048952, 4048954, 4048953 (Windows 10 1511, 1607, 1703): Universal Windows Platform (UWP) applications that use JavaScript and asm.js may stop working after installing KB4041676. Internet Explorer 11 users who use SQL Server Reporting Services (SSRS) may not be able to scroll through a drop-down menu using the scroll bar.
  • 4048958, 4048961 (Windows 8.x and Server 2012): Users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content.
  • 4048957, 4048960 (Windows 7 SP1 and Server 2008 SP1): Users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content. Internet Explorer 11 users who use SQL Server Reporting Services (SSRS) may not be able to scroll through a drop-down menu using the scroll bar.

This Patch Tuesday affects the following platforms:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows
  • Microsoft Office (Including Web Apps)
  • Microsoft ASP.NET Core, .NET Core and Chakra Core
  • Adobe Flash Player

Windows

For this month’s update to the Microsoft Windows desktop and server platforms, Microsoft has addressed 15 vulnerabilities rated as important or moderate – with no critical updates for this month. The potential security scenarios range from security bypass to spoofing. Unlike the potential issues with Microsoft Edge, none of these vulnerabilities have been publicly disclosed or reported as exploited. If you have upgraded to the latest release of Windows 10 (1709) you will have the least exposure of all Windows (desktop and server) platforms this month. If ever there was a strong business need for keeping current with Microsoft patches, this month is it. Add your Windows updates this month to your standard patch deployment schedule.

Browsers

Microsoft has addressed 20 reported vulnerabilities in both browser platforms with 16 rated as critical. Oddly, we don’t see any critical updates for IE 9 or IE 10. Instead, this month the focus is IE 11 and Edge with two publicly reported vulnerabilities (CVE-2017-11848 and CVE-2017-11827) that could lead to remote execution scenarios. If you are running older systems (Windows 7 SP1), add your browser patches to your standard update schedule. If you are running IE 11 and Edge, this is a “Patch Now” update from Microsoft.

Microsoft Office

This month’s Microsoft Office update includes a single security advisory (ADV170020) that addresses a number of “defence in depth” issues for all supported versions of Microsoft Office. This advisory is not particularly big, but it does include a number of files that have caused issues with Microsoft Outlook in the past. You can find out more about the file (WWLIB.DLL) and the potential update issues here. In addition to this advisory, Microsoft has addressed seven reported vulnerabilities rated as important. Given these concerns and moderate exploit vulnerabilities, add this update to your standard Office deployment schedule.

Microsoft ASP.NET Core, .NET Core and Chakra Core

Microsoft has released a number of updates to the Microsoft open source development platforms for .NET Core, ASP.NET and the ChakraCore JavaScript engine. These updates attempt to resolve 20 vulnerabilities in these three development platforms with 14 rated as critical through remote code execution vulnerabilities and the remaining rated as important. Given that all of the ChakraCore issues are rated as critical and are linked to the IE and Edge browser platforms, the ChakraCore update should be rated as a “Patch Now” update while ASP.NET and .NET Core patches should be added to your standard development platform update release schedule.

Adobe Flash Player

Microsoft has posted a security advisory (ADV170019) for Adobe Flash Player (APSB17-33) that attempts to resolve five critical memory-related security vulnerabilities. This update affects all versions of Windows desktops (including the latest Windows 10 1709 release) and both Microsoft browsers (IE and Edge). This is a priority 2 update from Adobe and this is a “Patch Now” update for all Microsoft desktop platforms. The one caveat for this Flash Player update is that if you install a language pack, you must re-install this patch. You can read more about this issue here.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
