November brings a relatively light series of updates from Microsoft. We see a return to form, with Microsoft releasing another critical update to Adobe Flash and several critical patches to Microsoft Internet Explorer (IE) and Edge. Office and Windows platforms (desktop and server) have less severe reported exposures with no reported critical updates for November. Unfortunately, there are already a few reported deployment issues with the Windows updates, with the following patch-related Knowledge Base (KB) issues reported by Microsoft:
- 4048958, 4048961 (Windows 8.x and Server 2012): Users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content.
- 4048957, 4048960 (Windows 7 SP1 and Server 2008 SP1): Users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content. Internet Explorer 11 users who use SQL Server Reporting Services (SSRS) may not be able to scroll through a drop-down menu using the scroll bar.
This Patch Tuesday affects the following platforms:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows
- Microsoft Office (Including Web Apps)
- Microsoft ASP.NET Core, .NET Core and Chakra Core
- Adobe Flash Player
For this month’s update to the Microsoft Windows desktop and server platforms, Microsoft has addressed 15 vulnerabilities rated as important or moderate – with no critical updates for this month. The potential security scenarios range from security bypass to spoofing. Unlike the potential issues with Microsoft Edge, none of these vulnerabilities have been publicly disclosed or reported as exploited. If you have upgraded to the latest release of Windows 10 (1709) you will have the least exposure of all Windows (desktop and server) platforms this month. If ever there was a strong business need for keeping current with Microsoft patches, this month is it. Add your Windows updates this month to your standard patch deployment schedule.
Microsoft has addressed 20 reported vulnerabilities in both browser platforms with 16 rated as critical. Oddly, we don’t see any critical updates for IE 9 or IE 10. Instead, this month the focus is IE 11 and Edge with two publicly reported vulnerabilities (CVE-2017-11848 and CVE-2017-11827) that could lead to remote execution scenarios. If you are running older systems (Windows 7 SP1), add your browser patches to your standard update schedule. If you are running IE 11 and Edge, this is a “Patch Now” update from Microsoft.
This month’s Microsoft Office update includes a single security advisory (ADV170020) that addresses a number of “defence in depth” issues for all supported versions of Microsoft Office. This advisory is not particularly big, but it does include a number of files that have caused issues with Microsoft Outlook in the past. You can find out more about the file (WWLIB.DLL) and the potential update issues here. In addition to this advisory, Microsoft has addressed seven reported vulnerabilities rated as important. Given these concerns and moderate exploit vulnerabilities, add this update to your standard Office deployment schedule.
Microsoft ASP.NET Core, .NET Core and Chakra Core
Adobe Flash Player
Microsoft has posted a security advisory (ADV170019) for Adobe Flash Player (APSB17-33) that attempts to resolve five critical memory-related security vulnerabilities. This update affects all versions of Windows desktops (including the latest Windows 10 1709 release) and both Microsoft browsers (IE and Edge). This is a priority 2 update from Adobe and this is a “Patch Now” update for all Microsoft desktop platforms. The one caveat for this Flash Player update is that if you install a language pack, you must re-install this patch. You can read more about this issue here.