Microsoft yesterday released a slew of new patches to cover 62 vulnerabilities, 28 of which are rated critical, although there was a rare month off for Adobe, which had no products to fix.
It’s a relatively light patch load all round this month, down almost 20% from September’s Patch Tuesday.
However, there are still some urgent fixes to apply, notably to three publicly disclosed vulnerabilities, one of which is being actively exploited.
The actively exploited flaw is CVE-2017-11826, a Microsoft Office memory corruption vulnerability which could be exploited by sending a specially crafted file to a target and convincing them to open it.
“An attacker could also host a website containing specially crafted files designed to exploit the vulnerability,” explained Ivanti product manager, Chris Goettl. “If exploited, the attacker would have the same context as the user. In this case, least privilege would mitigate the impact of an exploited system.”
Also on the radar for admins should be publicly disclosed SharePoint cross-site scripting bug CVE-2017-11777, which could allow an attacker to access victims’ data and inject malicious content into their browser.
Plus, there’s the publicly disclosed CVE-2017-8703: a denial of service flaw in Windows Subsystem for Linux.
“We’ve been asked quite often if the Linux support Microsoft is adding into their operating system is going to introduce additional vulnerabilities,” explained Goettl. “The simple answer is ‘yes,’ anytime new functionality is added there is always an opportunity for new vulnerabilities to be introduced.”
Adobe had no vulnerabilities to fix this month but took the opportunity to urge users to upgrade to the latest version of Flash Player released on Tuesday.