Microsoft’s Patch Tuesday for October addresses 62 vulnerabilities, 27 of which are critical and 35 important in terms of severity; many of these flaws can lead to remote code execution (RCE). Microsoft’s fixes are patches for features in the Windows operating system (OS) and Microsoft Office (including Office Web Apps), Skype for Business, Edge, Internet Explorer (including the Chakra Core browser engine), Exchange Server, and .NET development framework, among others. As per Microsoft’s previous advisories, this month’s Patch Tuesday also marks the end of support and patches/updates for Office 2007 and Outlook 2007.
Of note is Microsoft’s fix for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was publicly disclosed and reported to be actively exploited in the wild. If successfully exploited, it can enable attackers to take over the system via RCE. According to Microsoft, if the hijacked system/user has administration rights, the attacker can install programs, modify data, or create accounts with full privileges.
Several vulnerabilities were also identified, and Microsoft considers patches for these to be priority updates:
- CVE-2017-11771: an RCE flaw in the Windows Search service; specially crafted messages sent to the service can enable attackers to elevate privileges and take control of the system. In an enterprise setting, this vulnerability can be triggered via Server Message Block (SMB) connection. This is the fourth time a vulnerability was seen in the Windows Search service this year.
- CVE-2017-11779: an RCE vulnerability in Windows’ Domain Name Servers (DNS) client. Trend Micro’s William Gamazo Sanchez was one of the two researchers who discovered and disclosed the issue to Microsoft. The flaw was found in the implementation of a data record feature used in Domain Name System Security Extensions (DNSSEC), a group of security-related extensions to the DNS protocol. An attacker can carry out arbitrary code execution on Windows clients or Windows servers simply by responding to DNS queries with malicious code. Systems and servers running Windows 8.1 to 10 and Windows Server 2012 to 2016 are affected.
- CVE-2017-8703: a denial-of-service (DOS) vulnerability in Subsystem for Linux, Windows’ compatibility layer that enables developers to run Linux tools and applications. CVE-2017-8703 is related to how objects in memory are improperly handled, resulting in denial of service against the local system when successfully exploited. The vulnerability affects systems running Windows 10 (Version 1703).
- CVE-2017-11777: a cross-site scripting flaw in Microsoft’s SharePoint Server, related to how web requests to a vulnerable SharePoint Server are not properly sanitized. A successful exploit enables attackers to access, delete or alter the affected SharePoint site.
The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
Trend Micro Solutions Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target these Microsoft vulnerabilities via the following DPI rules:
- 1008634 – Microsoft Windows Graphics Remote Code Execution Vulnerability (CVE-2017-11762)
- 1008635 – Microsoft Windows Graphics Remote Code Execution Vulnerability (CVE-2017-11763)
- 1008636 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11793)
- 1008637 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11798)
- 1008638 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11800)
- 1008639 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11810)
- 1008640 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-11822)
- 1008642 – Microsoft Windows Win32k Multiple Elevation of Privilege Vulnerabilities (CVE-2017-8689)
- 1008642 – Microsoft Windows Win32k Multiple Elevation of Privilege Vulnerabilities (CVE-2017-8694)
- 1008643 – Microsoft Windows Shell Memory Corruption Vulnerability (CVE-2017-8727)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:
- 28925: HTTP: Microsoft Chakra Array JIT Optimization Type Confusion Vulnerability
- 29151: HTTP: Microsoft Internet Explorer and Excel Urlmon Information Disclosure Vulnerability
- 29152: HTTP: Microsoft Windows Font Embedding Information Disclosure Vulnerability
- 29692: HTTP: Windows Kernel-Mode Driver Privilege Escalation Vulnerability
- 29693: HTTP: Windows Kernel-Mode Driver Privilege Escalation Vulnerability
- 29699: HTTP: Microsoft Internet Explorer swapNode Memory Corruption Vulnerability
- 29687: HTTP: Microsoft Edge substringData Information Disclosure Vulnerability
- 29698: HTTP: Microsoft Embedded OpenType EOT Font Memory Corruption Vulnerability
- 29694: HTTP: Microsoft Windows SMB Find_First2 Denial-of-Service Vulnerability
- 29704: HTTP: Microsoft Internet Explorer onbeforeeditfocus Memory Corruption Vulnerability
- 29705: HTTP: Microsoft Scripting Engine stringify Memory Corruption Vulnerability
- 29706: HTTP: Microsoft Edge AsmJsChangeHeapBuffer Memory Corruption Vulnerability
- 29707: HTTP: Windows Scripting Engine Memory Corruption Vulnerability
Update as of October 16, 2017, 9:30 PM PDT
Microsoft has indicated in a separate bulletin that the Key Reinstallation Attack (KRACK) vulnerability in WPA2 was fixed as part of this Patch Tuesday cycle.