September brings a relatively large patch profile for Microsoft with 76 reported vulnerabilities, three public disclosures (thank you, Google) and unfortunately one zero day exploit. You used to be worried about browsers and Flash, now we have a publicly exploited vulnerability for augmented reality (AR) with a fix for Microsoft’s HoloLens headset.
For this September Patch Tuesday, Microsoft is only shipping security updates with patches to the following product groups:
- Browsers (IE and Edge)
- Windows Platforms (Desktop and Server)
- Microsoft Office (including Web Apps), Skype for Business and Exchange Server
- Adobe Flash Players
- The .NET Development Framework
In addition to the critical updates for .NET, Windows and Adobe Flash Player this month, Microsoft has published a short list of known issues found at these knowledge base articles (4038792, 4038793, 4011050). We have rated the updates to Windows, Microsoft Edge and .NET (unusually) and Adobe Player (as usual) as “Patch Now” updates from Microsoft.
For this September update from Microsoft we see a number of critical updates to IE and Edge which include:
- Updates to Internet Explorer 11’s navigation bar with search box.
- Addressed issue in Internet Explorer where undo is broken if character conversion is canceled using IME.
- Addressed issue in Internet Explorer where graphics render incorrectly.
- Addressed issue in Internet Explorer where the Delete key functioned improperly.
- Re-release of MS16-087- Security update for Windows print spooler components.
- Security updates to Microsoft Graphics Component, Windows kernel-mode drivers, Windows shell, Microsoft Uniscribe, Microsoft Windows PDF Library, Windows TPM, Windows Hyper-V, Windows kernel, Windows DHCP Server and Internet Explorer.
Most notable is the re-release of MS16-087 relating to print restrictions that may lead to a remote code execution scenario. If you are unable to deploy this patch in a timely manner, you may want to review Microsoft’s instructions on mitigating this security vulnerability found here. As this patch release for Edge includes a fix for a publicly disclosed vulnerability in the Edge Browser, add this update to your “Patch Now” update plan.
Windows platforms (desktop and server)
There is a long list of bug fixes in the latest build of Windows 10 (Build 15063.608) which can be found here. This month’s Windows 10 updates do not include any functionality changes or feature enhancements. However, there are a number of issues addressed with this latest release. For a full list of bug fixes and reported issues look here. After examining the changes in this latest Windows 10 build, there are a few core changes that may cause a number of compatibility issues with Microsoft Remote Access Server (RAS) legacy connections. IBM Rational Composer has been highlighted in our Patch Impact Assessment. Applications that depend on this legacy protocol may have connection issues. This problem will also affect Microsoft Edge users.
This month’s Windows update includes fixes for three publicly disclosed vulnerabilities with the following details:
- CVE-2017-8746 describes a security bypass vulnerability in Device Guard which could lead to an code injection scenario in PowerShell.
- CVE-2017-9417 relates to a remote code execution scenario in the Broadcom chipset in the Microsoft hololens augmented reality headset.
- CVE-2017-8723 is a vulnerability that affects both Windows 10 and Edge and has been reported as publicly exploited, potentially leading to a security bypass scenario in Microsoft Edge.
Microsoft has attempted to resolve up to 17 vulnerabilities, with three rated as critical, one rated as a “defense in depth” advisory and the remaining issues rated as important. The three critical vulnerabilities are described as:
- CVE-2017-8676: an information disclosure vulnerability in how Office files handle GDI+ requests.
- CVE-2017-8682: a remote code execution vulnerability in the Win32k graphics driver.
- CVE-2017-8696: a remote code execution vulnerability in how Office handles graphics files and websites.
In addition to these critical and important updates, Microsoft has published a security advisory for how Outlook handles foreign (Brazilian) fonts which can be found here ADV170015. Add these updates to your standard patch deployment effort.
Adobe Flash Player
Adobe attempts to resolve two (CVE-2017-1128, CVE-2017-11282) critical memory corruption vulnerabilities in Adobe Flash Player that if left un-patched could lead to a remote code execution scenario. Both of these severe vulnerabilities were reported by Google Project Zero and affect all Windows platforms and as well as all Google Chrome platforms. This is a high priority update for IE and Edge (as usual) and mid-level priority for Google Chrome. As usual, this is a “Patch Now” update from Microsoft.
The .NET Development Platform
Two important and one critical vulnerability in all supported versions of the Microsoft .NET development framework. The critical vulnerability (CVE-2017-8658) deals with a memory handling vulnerability in the Chakra Core scripting system. Interestingly, Microsoft has actually published the changes (and corresponding change logs) on Github which can be found here. These changes to the .NET framework are relatively minor after the major update to .NET with the June release 4.7. With a publicly exploited vulnerability to patch, this .NET update should be considered a “Patch Now” update from Microsoft.