Microsoft patched 34 vulnerabilities as part of its December Patch Tuesday release. A total of 20 vulnerabilities were rated critical and another 12 were rated important. Impacted are Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, SharePoint and Exchange.
Notable patches include two fixes (CVE-2017-11937 and CVE-2017-11940) for Microsoft’s Malware Protection Engine (MPE). Both remote code execution vulnerabilities became known last week via research by the UK National Cyber Security Centre. Both were patched last week.
“These MPE vulnerabilities also affect Exchange Server, so back-end administrators do have some work to do this month,” said Greg Wiseman, senior security researcher at Rapid7.
“The biggest thing going on this month are bugs relating to Internet Explorer. Over half the CVEs this month are affecting IE and Edge,” said Chris Goettl, product manager, Ivanti. Over twenty of the 34 vulnerabilities are classified as a “scripting engine memory corruption vulnerability” impacting Microsoft browsers.
One scripting engine memory corruption vulnerability (CVE-2017-11907) is a remote code execution bug that exists when IE improperly accesses objects in memory. “An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” wrote Microsoft. A successful exploit of the vulnerability gives the attacker the same user rights as the current user.
“It doesn’t take sophisticated social engineering tactics to convince most users to visit a malicious web page, or a legitimate, but compromised, website (as in a watering hole attack). If the user is browsing with an unpatched version of Internet Explorer or Edge, an attacker could execute arbitrary code. If the user has administrative rights, it’s game over and the attacker could take full control of the system,” Wiseman said.
Security experts are also recommending that admins prioritize a patch for a Microsoft Excel remote code execution vulnerability (CVE-2017-11935) affecting Microsoft Office 2016. The vulnerability is “due to an error in the way Microsoft Office improperly handles objects in memory while parsing specially crafted files,” according to the CVE description. A remote attacker can exploit this issue by enticing a victim to open a specially crafted file, according to the CVE record.
“This vulnerability gives the attacker full control of the system. All I need to do is convince somebody to either open an attachment or come to my specially crafted website and download some content,” Goettl said. “Click-rates today are high. Users are still the weakest security link. This is probably the one vulnerability that I would say is most likely to be exploited this month.”
Microsoft said none of the security issues that are part of the Patch Tuesday security bulletin have been publicly disclosed or exploited.
Meanwhile, researchers at the Zero Day Initiative are recommending special attention to a Windows information disclosure vulnerability (CVE-2017-11927). “This bug takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files. This patch resolves an information disclosure vulnerability in the Windows its:// protocol handler,” notes ZDI in a blog post.
Microsoft describes the information disclosure vulnerability as a bug that exists when the Windows its:// protocol handler “unnecessarily sends traffic to a remote site in order to determine the zone of a provided URL.” Doing so could inadvertently expose sensitive user information to a malicious site.
“An attacker who successfully tricked a user into disclosing the user’s NTLM hash could attempt a brute-force attack to disclose the corresponding hash password,” Microsoft wrote.