As part of its “October Patch Tuesday,” Microsoft has today released a large batch of security updates to patch a total of 62 vulnerabilities in its products, including a severe MS office zero-day flaw that has been exploited in the wild.
Security updates also include patches for Microsoft Windows operating systems, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync and Microsoft SharePoint Server.
Besides the MS Office vulnerability, the company has also addressed two other publicly disclosed (but not yet targeted in the wild) vulnerabilities that affect the SharePoint Server and the Windows Subsystem for Linux.
October patch Tuesday also fixes a critical Windows DNS vulnerability that could be exploited by a malicious DNS server to execute arbitrary code on the targeted system. Below you can find a brief technical explanation of all above mentioned critical and important vulnerabilities.
Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)
This vulnerability, classified by Microsoft as “important,” is caused by a memory corruption issue. It affects all supported versions of MS Office and has been actively exploited by the attackers in targeted attacks.
An attacker could exploit this vulnerability either by sending a specially crafted Microsoft Office file to the victims and convincing them to open it, or hosting a site containing specially crafted files and tricking victims to visit it.
Once opened, the malicious code within the booby-trapped Office file will execute with the same rights as the logged-in user. So, users with least privilege on their systems are less impacted than those having higher admin rights.
The vulnerability was reported to Microsoft by security researchers at China-based security firm Qihoo 360 Core Security, who initially detected an in-the-wild cyber attack which involved malicious RTF files and leveraged this vulnerability on September 28.
Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)
Among other critical vulnerabilities patched by Microsoft include a critical remote code execution flaw in the Windows DNS client that affects computers running Windows 8.1 and Windows 10, and Windows Server 2012 through 2016.
The vulnerability can be triggered by a malicious DNS response, allowing an attacker gain arbitrary code execution on Windows clients or Windows Server installations in the context of the software application that made the DNS request.
Nick Freeman, a security researcher from security firm Bishop Fox, discovered the vulnerability and demonstrated how an attacker connected to a public Wi-Fi network could run malicious code on a victim’s machine, escalate privileges and take full control over the target computer or server.
“This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) – they can gain access to your system,” the researcher explains.
“This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.”
For full technical details, you can watch the video demonstration by Bishop Fox’s Dan Petro and head on to Bishop Fox’s blog post.
Windows Subsystem for Linux Denial of Service Vulnerability (CVE-2017-8703)
This denial of service (DoS) issue is yet another noteworthy vulnerability which resides in Windows Subsystem for Linux.
The vulnerability, classified by Microsoft as “important,” was previously publicly disclosed, but wasn’t found actively exploited in the wild.
The vulnerability could allow an attacker to execute a malicious application to affect an object in the memory, which eventually allows that the application to crash the target system and made it unresponsive.
The only affected Microsoft product by this vulnerability is Windows 10 (Version 1703). “The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory,” Microsoft said in its advisory.
Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)
Another previously disclosed but not yet under attack vulnerability is a cross-site scripting (XSS) flaw in Microsoft SharePoint Server that affects SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016.
The vulnerability, also classified by Microsoft as “important,” can be exploited by sending a maliciously crafted request to an affected SharePoint server.
Successful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute malicious script in the same security context of the current user.
“The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user,” Microsoft explains.
Besides these, the company has patched a total of 19 vulnerabilities in the scripting engine in Edge and Internet Explorer that could allow web pages to achieve remote-code execution, with the logged-in user’s permissions, via memory corruption flaws.
Just opening a web page could potentially land you in trouble by executing malware, spyware, ransomware, and other nasty software on the vulnerable computer.
More RCE And Other Vulnerabilities
Redmond also patched two vulnerabilities in the Windows font library that can allow a web page or document to execute malicious code on a vulnerable machine and hijack it on opening a file with a specially crafted embedded font or visiting a website hosting the malicious file.
The update also includes fixes for a bug in Windows TRIE (CVE-2017-11769) that allows DLL files to achieve remote code execution, a programming error (CVE-2017-11776) in Outlook that leaves its emails open to snooping over supposedly secure connections.
Other issues patched this month include two remote code execution flaws in the Windows Shell and a remote code execution bug in Windows Search.
Microsoft also published an advisory warning user of a security feature bypass issue affecting the firmware of Infineon Trusted Platform Modules (TPMs).
Surprisingly, Adobe Flash does not include any security patches. Meanwhile, Adobe has skipped October’s Patch Tuesday altogether.
Users are strongly advised to apply October security patches as soon as possible in order to keep hackers and cybercriminals away from taking control over their computers.
For installing security updates, simply head on to Settings → Update security → Windows Update → Check for updates, or you can install the updates manually.