October Patch Tuesday: 61 bugs and one zero-day fixed

For its October Patch Tuesday, Microsoft has patched 61 vulnerabilities (27 of them critical) and one Office zero-day labeled as “important.”

Patch Tuesday October 2017

The zero-day

The memory corruption zero-day vulnerability in Microsoft Office (CVE-2017-11826) is reported to be actively exploited in the wild.

“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” Microsoft noted.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

Needless to say, users should implement the offered security updates that plug it.

Other high-priority fixes

“Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service,” noted Jimmy Graham, director of product management at Qualys.

“This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.”

We’ve already written about the risks raised by the vulnerabilities in the Windows DNS client (CVE-2017-11779), which could be triggered via a malformed DNS response sent by an attacker who is on the same network as the victim (e.g. on a free Wi-Fi network). Enterprise admins and end users alike are encouraged to implement the patches provided as soon as possible.

A crtical vulnerability in certain Trusted Platform Module (TPM) chips has also been flagged.

“This vulnerability is in the TPM chip itself, and not in Windows, but could result in weak cryptographic keys,” Graham explained.

“These keys are used for BitLocker, Biometric auth, and other areas of Windows. The updates provide a workaround for the weak keys leveraging additional logging and an option to use software-derived keys. Full remediation requires a firmware update from the device manufacturer.”

SANS ISC has also provided a clear overview of the fixed vulnerabilities, which can come in handy to all sysadmins.