This is an unusual October Patch Tuesday release from Microsoft. Normally we would see urgent critical updates for severe, widely exploitable flaws in Adobe Flash Player, plus several less severe but still urgent issues in both of Microsoft's browsers. This month is different: no Adobe Flash Player updates (I repeat, no Flash updates), and no urgent browser updates either.
For this October Patch Tuesday, Microsoft Office carries the highest, most serious rating, with a publicly reported and already exploited vulnerability in Microsoft Word. In addition, Microsoft has released a number of security advisories for Windows 10. The most serious (ADV170012) relates to "a security vulnerability [which] exists in certain Trusted Platform Module (TPM) chipsets." With a relatively high CVSS score of 7.3, this firmware update requires some attention: the fix is a firmware update from the device or TPM vendor, so the Windows update alone does not close it, and keys already generated by an affected TPM may need to be regenerated after the firmware is updated. You can also find a helpful infographic from Chris Goettl's blog here.
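Before deciding whether ADV170012 applies to a fleet, the first thing to know is which TPM each machine actually carries. The script below is an added example, not code from the original post or from Microsoft: it reads the TPM manufacturer and firmware version with the built-in Get-Tpm cmdlet so you can match them against the affected list in the advisory. It assumes an elevated PowerShell session on Windows 10 or Server 2016 (where Get-Tpm exposes the manufacturer fields); the event-log check at the end is an assumption about the advisory's guidance (Microsoft describes patched systems logging a TPM-WMI event, ID 1794, for affected firmware) and should be confirmed against ADV170012 for your build.

```powershell
# Added example (not from the original post): inventory the TPM on this host
# so ADV170012 can be triaged. Assumes an elevated PowerShell session on
# Windows 10 / Server 2016 with the TrustedPlatformModule module available.
$tpm = Get-Tpm

if (-not $tpm.TpmPresent) {
    Write-Output "$env:COMPUTERNAME : no TPM present; ADV170012 does not apply."
    return
}

# ADV170012 keys its affected list on TPM manufacturer and firmware version,
# so record both. ManufacturerIdTxt is the four-character vendor code.
$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    TpmReady            = $tpm.TpmReady
    ManufacturerIdTxt   = $tpm.ManufacturerIdTxt
    ManufacturerVersion = $tpm.ManufacturerVersion
}
$report | Format-List

# Assumption (from the advisory text as I read it, verify for your build):
# once this month's update is installed, Windows logs event 1794 from the
# TPM-WMI source in the System log when the TPM firmware is affected.
$flag = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TPM-WMI'; Id = 1794 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($flag) {
    Write-Warning "TPM-WMI event 1794 present: this TPM's firmware is reported as affected by ADV170012."
} else {
    Write-Output "No TPM-WMI 1794 event found (either not affected, or the October update is not yet installed)."
}
```

Run it per host (or wrap it in Invoke-Command for a fleet) and collect the ManufacturerIdTxt/ManufacturerVersion pairs; that list, not the Windows patch level, tells you which machines need vendor firmware.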
This month’s patches, advisories and updates from Microsoft affect the following technologies and platforms:
- Windows 10
- Microsoft .NET
- Microsoft Office and Skype
- Microsoft Browsers (IE11 and Edge)
If you are running Windows 10 version 1511, this is the last month you will receive security updates and patches for that branch. Now is a good time to move to the Fall Creators Update (version 1709), or at least onto the Windows 10 1703 branch.
Windows 10
Microsoft has addressed more than thirty vulnerabilities across Windows 7, Server 2008, Server 2012 and the earlier releases of Windows 10. There are seven critical updates for Windows 7, Server 2008 and Windows 10 version 1511. Unfortunately, at least four known issues have already been reported against this month's updates, including:
- 4041691: “After installing this update, downloading updates using express installation files may fail.”
- 4042895: “Users may see an error dialog that indicates that an application exception has occurred when closing some applications.”
- 4041676: "Systems with support enabled for USB Type-C may experience a blue screen or stop responding with a black screen when a system shutdown is initiated."
- 4041681: "Some users may see an error dialog that indicates that an application exception has occurred when closing some applications."
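Two things in this section are worth checking per host before the rollout: which Windows 10 branch a machine is on (1511 leaves support after this month) and whether any of the four updates with known issues have already landed. The script below is an added example, not from the original post; it assumes local execution in Windows PowerShell 5.x, and the KB numbers and issue descriptions are the ones quoted above.

```powershell
# Added example (not from the original post): pre-deployment readiness check.
# Flags Windows 10 1511 hosts and reports which of this month's updates with
# known issues are already installed. Assumes Windows PowerShell 5.x, run locally.

# KB numbers and issue summaries are the ones quoted in the post above.
$KnownIssueKBs = @{
    'KB4041691' = 'downloading updates using express installation files may fail'
    'KB4042895' = 'application exception dialog when closing some applications'
    'KB4041676' = 'blue screen / black screen at shutdown on USB Type-C systems'
    'KB4041681' = 'application exception dialog when closing some applications'
}

# ReleaseId holds the Windows 10 branch (1511, 1607, 1703, 1709); it is absent on Windows 7/8.1.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$release = $cv.ReleaseId
if ($release -eq '1511') {
    Write-Warning "$env:COMPUTERNAME is on Windows 10 1511: this is the final month of security updates; plan a move to 1703 or 1709."
} elseif ($release) {
    Write-Output "$env:COMPUTERNAME : Windows 10 branch $release"
} else {
    Write-Output "$env:COMPUTERNAME : $($cv.ProductName) (not Windows 10)"
}

# Get-HotFix reads Win32_QuickFixEngineering, where cumulative updates appear by KB id.
# Caveat: QFE does not list every servicing-stack or driver package, so treat a miss as "not seen", not "absent".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in ($KnownIssueKBs.Keys | Sort-Object)) {
    if ($installed -contains $kb) {
        Write-Warning "$kb is installed; known issue: $($KnownIssueKBs[$kb])"
    } else {
        Write-Output "$kb not installed"
    }
}
```

Running this across a pilot ring before the broad rollout tells you which known issue you are likely to hear about from the help desk, and which 1511 machines you must upgrade rather than patch.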
The most serious issue raised against the Windows platform is a publicly disclosed vulnerability in the Windows Subsystem for Linux on Windows 10. CVE-2017-8703 is a denial-of-service flaw in that component, and its publicly disclosed status makes this October Windows update a "Patch Now" update.
Microsoft .NET
Microsoft has not released any updates to the .NET development platform. This is good news, as the latest version (you can read the announcement for .NET 4.7 here) has not generated significant issues yet, or at least no security issues that have required a patch or update response from Microsoft. However, the ChakraCore JavaScript engine attracted three reported vulnerabilities this month (CVE-2017-11797, CVE-2017-11801, CVE-2017-11767), each of which could lead to remote code execution. As part of these updates, the ChakraCore engine used by Edge has been updated, and the updated package has been released through NuGet (it can be found here).
Microsoft Office and Skype
Microsoft has addressed nine reported vulnerabilities in Microsoft Office and Skype for Business in this October security update. None of them is rated critical by Microsoft, but one (CVE-2017-11826) has been publicly reported and is being exploited, while another (CVE-2017-11777) was publicly reported with no known "in the wild" exploits at the time of release. The details for these SharePoint and Word vulnerabilities are:
- CVE-2017-11777: A cross-site scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server that may lead to an elevation of privilege security issue. This vulnerability was rated as important by Microsoft.
- CVE-2017-11826: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. This vulnerability has been publicly reported and is known to be exploited; it can be triggered by a specially crafted Word file delivered as an email attachment, so mail-gateway filtering and user awareness matter until the update is deployed.
Normally, Microsoft Office updates have a lower urgency or a slower roll-out schedule than the more urgent browser or Adobe Flash updates. This month, however, the Microsoft Office update earns a "Patch Now" rating.
Browsers (IE and Edge)
Microsoft has released four lower-rated updates for Internet Explorer 11 on Server 2008 R2 and a further twenty-two critical updates for Microsoft Edge across all four released versions of Windows 10. Normally we would see publicly reported issues, or even exploits reported in the wild, among the browser fixes; not this month. Since the browser updates are rolled up into the Windows 10 cumulative update, add them to your standard deployment effort.