Microsoft and Adobe Patch 139 Flaws this Month

Microsoft and Adobe have released a moderate patch update round this month, addressing 53 and 86 vulnerabilities respectively, including several with publicly available exploits.

Of the software flaws addressed by Redmond, 20 were critical, although none are thought to be currently exploited in the wild.

Qualys urged users to focus on CVE-2017-11830 and CVE-2017-11847, as they address a security feature bypass and a privilege elevation, respectively.

“From a prioritization standpoint, focus on the fixes for CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which all address the scripting engine in Edge and Internet Explorer, especially on laptops, and other workstation-type systems where the logged in user may have administrative privileges,” said Qualys.

“Microsoft lists exploitation as more likely for these vulnerabilities, especially if a user is tricked into viewing a malicious site or opening an attachment.”

In addition, there may be proof of concept exploit code available for the “important” rated vulnerability CVE-2017-11882, making this also worthy of note, the firm claimed.

Microsoft fixed the infamous WPA2 KRACK bug (CVE-2017-13080) during last month’s Patch Tuesday, although some admins may have missed it as the issue was only publicly disclosed a week later.

However, Ivanti product manager Chris Goettl warned that enterprise users could still be affected if they connect to unpatched public Wi-Fi.

“If you are going to do some online shopping from your phone, you may want to do it from the cellular network,” he added. “If you do connect to a Wi-Fi that could be exposed, make sure you only transact on sites that are encrypted or, as soon as you connect, establish a VPN connection to secure any transactions or data traffic you may be using.”

This month, patched vulnerabilities CVE-2017-11848, CVE-2017-11827, CVE-2017-11883, and CVE-2017-8700 all have public exploits available, although none are believed to have been used actively.

For Adobe, 62 of the 86 CVEs patched were for Acrobat and Reader.

“One thing to note is many of these updates may be rated as a Priority 2, but this means it has critical vulnerabilities, just none actively being exploited or disclosed at this time,” explained Goettl.

“Ivanti recommends any Adobe Priority 2s get resolved quickly, especially for Flash Player.”
