Security experts are urging network administrators to patch a Microsoft Office vulnerability that has been exploited in the wild.
The vulnerability (CVE-2017-11826) could allow remote code execution if a user opens a specially crafted Office file. It was one of 62 vulnerabilities patched by Microsoft as part of its monthly Patch Tuesday updates released today. Of those, 23 of the vulnerabilities are rated critical, 34 rated as important and 33 can result in remote code execution.
As for the Microsoft Office vulnerability Microsoft said: “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The vulnerability is rated important, but tops the list of vulnerabilities to address this month because the bug has been exploited in the wild. Researchers at Qihoo 360 Core Security are credited for first detecting an in-the-wild attack that leveraged CVE-2017-11826 on Sept. 28.
“The attack only targeted limited customers,” wrote Qihoo. “The attacker embedded malicious .docx in the RTF files. Through reversing analysis of the sample C&C, we found that the attack was initiated in August and the launch date of the attack can be dated back to September.”
“Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service,” wrote Jimmy Graham, director of product management at Qualys in a blog post analysis of Tuesday’s patches. “As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations.”
He noted, while an exploit against CVE-2017-11771 can leverage SMB as an attack vector, it isn’t related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry and NotPetya.
Among other patches issued by Microsoft, the company addressed critical Windows DNS client vulnerabilities (CVE-2017-11779) with a patch that closed off an avenue where an attacker could relatively simply respond to DNS queries with malicious code and gain arbitrary code execution on Windows clients or Windows Server installations.
The flaws were discovered and privately disclosed to Microsoft by Nick Freeman, a security researcher with Bishop Fox. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account,” Microsoft said. Impacted is Windows 8.1 through 10 including Windows Server 2012 through 2016.
Another noteworthy bug is a Windows Subsystem for Linux, denial of service vulnerability (CVE-2017-8703). This previously publicly disclosed bug could allow an attacker to execute a specially crafted application to affect an object in memory allowing an attacker to cause the system to become unresponsive, Microsoft. The only affected product is Windows 10 (Version 1703).
Chris Goettl, manager of product management, security at Ivanti, also noted a critical Microsoft Office SharePoint XSS vulnerability (CVE-2017-11777) that can be abused by an attacker who send a specially crafted request to an affected SharePoint server. If successful, “the attacker would have the same security context as the current user allowing them to read data they should not have access to, use the victim’s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content in the browser of the user,” Goettl said.
Lastly, it’s worth noting Microsoft’s support for Windows 10 November Update Version 1511 (released in 2015) ends with today’s updates. On the flip side, Microsoft has said the fourth major update to Windows 10 Fall Creators Update, will be release next week, on Oct. 17.
Today also marks the sunsetting of support for Microsoft Office 2007.