Microsoft Releases a Light Dusting of Patches for December

Microsoft has taken pity on system administrators with a relatively light patch update round this month, with 32 unique CVEs, none of which have been publicly disclosed or exploited.

December’s Patch Tuesday includes 20 critical fixes and 12 rated “important”, while 24 address remote code execution issues.

Most of the vulnerabilities addressed this month are in Internet Explorer and Edge, and experts have urged firms to prioritize these.

“We recommend prioritizing patching user-facing workstations to address the 19 critical Internet Explorer and Edge updates released today by Microsoft, as they are listed as ‘Exploitation More Likely’. There are no known exploits as of yet, but this is an opportunity to remain ahead of any future exploits that may be released,” explained Qualys director of product management, Gill Langston.

“There is one Windows OS vulnerability that should be reviewed, and that is the fix for CVE-2017-11885, which is a Remote Code Execution using RPC on systems that have Routing and Remote Access service (RRAS) enabled. Make sure you are patching systems that are using RRAS, and ensure it is not enabled on systems that do not require it, as disabling RRAS will protect against the vulnerability. For that reason it is listed as Exploitation less likely, but should get your attention after patching the browsers.”
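The mitigation Langston describes, disabling RRAS wherever it is not needed, is easy to audit across a fleet. The following PowerShell is an added example and not code from the article or from Qualys: it queries the RemoteAccess service (the Windows service behind Routing and Remote Access) on a set of hosts, reports its state, and stops and disables it on any host that is running it but is not on an allow-list. The hostnames, the allow-list and the use of PowerShell remoting are assumptions for the example; it does not check whether the patch for CVE-2017-11885 is installed, so patching the hosts that keep RRAS is still required.

```powershell
# Added example (not from the article): inventory the RRAS service across hosts and
# disable it where it is not required. Assumes PowerShell remoting (WinRM) is enabled
# and the caller is a local administrator on the targets.

$hosts        = @('srv01', 'srv02', 'srv03')   # hypothetical hostnames
$rrasRequired = @('srv01')                     # hosts that legitimately run RRAS (assumed)

# Win32_Service is used rather than Get-Service so the start mode is available on
# older PowerShell versions as well.
$report = Invoke-Command -ComputerName $hosts -ScriptBlock {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Installed = [bool]$svc
        State     = if ($svc) { $svc.State }     else { 'NotInstalled' }
        StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
    }
}

# Show what was found before changing anything.
$report | Sort-Object Host | Format-Table Host, Installed, State, StartMode -AutoSize

# Disable RRAS on hosts that are running it but are not on the allow-list.
foreach ($r in $report) {
    if ($r.Installed -and $r.State -eq 'Running' -and $rrasRequired -notcontains $r.Host) {
        Write-Host "Disabling RemoteAccess on $($r.Host)"
        Invoke-Command -ComputerName $r.Host -ScriptBlock {
            Stop-Service -Name RemoteAccess -Force
            Set-Service  -Name RemoteAccess -StartupType Disabled
        }
    }
    elseif ($r.Installed -and $r.State -eq 'Running') {
        Write-Host "$($r.Host) keeps RRAS: make sure the December update is applied there"
    }
}
```

Run the inventory step first and review the table before letting the second loop make changes; a host that is unexpectedly running RRAS is worth understanding before the service is switched off.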

Elsewhere, an RCE vulnerability in Excel was flagged by Chris Goettl, manager of product management at Ivanti.

“CVE-2017-11935 is a vulnerability in how Microsoft Office handles objects in memory. An attacker could create a specially crafted file to perform actions in the context of the current user. This is a case where proper privilege management would mitigate the impact if exploited,” he explained. 

“The attack could take the form of an email attachment, or specially crafted content hosted on a website, and convince a user to open the specially crafted file to exploit the vulnerability. Depending on your source, phishing open rates are still around 30% and click rates around 12%, so a user-targeted exploit like this is perfect for an attacker to take advantage of.”

Adobe released just one patch this month: APSB17-42 is listed as a “Business Logic Error” and rated Priority 2.

Last week, Redmond issued two out-of-band fixes for critical flaws in its Malware Protection Engine.
