‘Tis the season – for bright lights and Santa and holiday decorations – but whether you’re sipping a warm drink by the fireplace or donning your summer apparel in the sweltering heat of the southern hemisphere’s summer, there’s one thing we all have in common: the necessity of keeping our systems updated to ward off any little malware elves.
It has been a busy year for IT security professionals, who have had to contend with ransomware epidemics, increasingly sophisticated phishing techniques, DDoSaaS (distributed denial of service for hire), the emergence of PowerShell-based attacks, and more. Staying ahead of the attackers is always a challenge, but keeping software up to date is an important defensive tactic in every IT admin’s arsenal. Microsoft and other software vendors do their best to make it a little easier for you.
This month, there was an out-of-band update issued on December 6 to address a critical remote code execution vulnerability in the Microsoft Malware Protection Engine, the scanning engine underlying Windows Defender and several other Microsoft products and services.
On Patch Tuesday, Microsoft issued a security advisory (plus the usual Adobe Flash advisory) as well as fixes for 32 vulnerabilities in its software, most of them in the Internet Explorer and Edge web browsers. Also patched were Windows, Office, and Exchange. Twenty of the 32 are rated critical and the remaining twelve important.
Remote code execution continues to lead the pack in terms of impact, with 24 of the 32 being RCE issues.
Let’s take a closer look at these releases:
The following advisories were released on Patch Tuesday this month:
- Microsoft Security Advisory 4056318 – Guidance for securing AD DS account used by Azure AD Connect for directory synchronization. Provides information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization, along with guidance on what on-premises AD administrators can do to ensure that the account is properly secured. For more information, see https://technet.microsoft.com/library/security/4056318
- ADV170022 – Adobe Flash Player for Windows. Critical update addresses a remote code execution vulnerability rated priority 2 by Adobe. For more information, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170022
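The point of advisory 4056318 is that the AD DS account Azure AD Connect uses holds directory replication rights, so anyone who can reset its password or rewrite its ACL can effectively read every password hash in the domain. One way to audit that exposure is to walk the account's ACL and report every principal outside the expected administrative set that holds such rights. The script below is an added example written for this article, not the advisory's own guidance or script; it assumes the ActiveDirectory module is installed, that the account uses the default MSOL_ name prefix, and that the $Trusted list reflects who you consider entitled to control the account.

```powershell
# Added example, not part of advisory 4056318: list ACEs on the Azure AD Connect
# AD DS account that would let a principal outside the expected admin set take it
# over (reset its password, rewrite its ACL, or take ownership).
# Assumptions (not from the advisory): the ActiveDirectory module is installed,
# the account name uses the default "MSOL_" prefix, and $Trusted is the set of
# principals you consider entitled to control it.
Import-Module ActiveDirectory

$Trusted = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

# Well-known AD extended-right GUIDs (schema constants)
$ResetPasswordRight = '00299570-246d-11d0-a768-00aa006e0562'   # User-Force-Change-Password
$AllExtendedRights  = '00000000-0000-0000-0000-000000000000'   # ExtendedRight with empty GUID = every extended right

function Get-SyncAccountRisk {
    param([string]$Filter = 'Name -like "MSOL_*"')
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($acct in Get-ADUser -Filter $Filter) {
        $acl = Get-Acl -Path ("AD:\" + $acct.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Trusted -contains $who) { continue }
            $rights = $ace.ActiveDirectoryRights

            # Password reset is an extended right, matched either directly or via the "all" GUID
            $canResetPassword = $rights.HasFlag($R::ExtendedRight) -and
                                ($ace.ObjectType.ToString() -in @($ResetPasswordRight, $AllExtendedRights))
            # Any of these lets the holder grant themselves whatever they want on the object
            $canTakeOver = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::GenericWrite) -or
                           $rights.HasFlag($R::WriteDacl)  -or $rights.HasFlag($R::WriteOwner)

            if ($canResetPassword -or $canTakeOver) {
                [pscustomobject]@{
                    Account   = $acct.SamAccountName
                    Principal = $who
                    Rights    = $rights.ToString()
                    Inherited = $ace.IsInherited   # inherited ACEs usually come from the parent container
                }
            }
        }
    }
}

Get-SyncAccountRisk | Format-Table -AutoSize
```

An empty result means only the trusted principals can take the account over. Inherited entries are the ones to look at first: an account created in the default Users container picks up whatever delegation that container carries, which is exactly the kind of exposure the advisory's guidance is meant to close.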
Out of band update released December 6
- Microsoft Malware Protection Engine RCE Vulnerability update (CVE-2017-11937) was issued on December 6. The vulnerability is caused by the Microsoft Malware Protection Engine not properly scanning a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. Because the engine scans files as they arrive, the crafted file need only reach the system (for example as an e-mail attachment or a download); it does not have to be opened. It affects Windows Defender, Microsoft Security Essentials, Forefront Endpoint Protection, System Center Endpoint Protection, Intune Endpoint Protection, and Exchange Server 2013 and 2016. Engine updates ship through the normal definition-update channel, so most systems pick this fix up automatically, but it is worth confirming on hosts whose definition updates are delayed or staged. For more information, see the advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11937
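Since the engine fix rides on definition updates rather than a Windows Update package, the practical check is the engine version itself. The function below is an added example, not something from the advisory: it reads the engine version through the Defender module where that exists and otherwise from the product's registry key, and compares it with the fixed version. The $FixedEngine default is the "first version with the vulnerability addressed" figure as I read it from the advisory; treat it as an assumption and confirm it against the advisory, and treat the registry paths the same way.

```powershell
# Added example, not from the advisory: confirm the Malware Protection Engine on
# this host is at or above the version that fixes CVE-2017-11937.
# Assumption: $FixedEngine is the "first version with the vulnerability addressed"
# figure from the advisory; verify it against the advisory before relying on it.
function Test-MpEngineFixed {
    param([version]$FixedEngine = '1.1.14405.2')

    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        # Windows Defender on 8.1/10/Server 2016 exposes the engine through the Defender module
        $status  = Get-MpComputerStatus
        $engine  = [version]$status.AMEngineVersion
        $updated = $status.AntivirusSignatureLastUpdated
    }
    else {
        # Security Essentials and the SCEP/FEP clients have no Defender module; the engine
        # version is recorded under the product's "Signature Updates" key.
        # Assumed paths: adjust if your product writes elsewhere.
        $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',
               'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates' |
               Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $key) { throw 'No supported antimalware product found on this host' }
        $engine  = [version](Get-ItemProperty $key).EngineVersion
        $updated = $null
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        EngineVersion = $engine
        FixedVersion  = $FixedEngine
        Fixed         = ($engine -ge $FixedEngine)   # [version] compares all four parts numerically
        LastUpdated   = $updated
    }
}

Test-MpEngineFixed
```

Run it across a fleet with Invoke-Command and filter on Fixed -eq $false to find the stragglers; on a host that reports an old engine, forcing a definition update (Update-MpSignature on Defender hosts) pulls the new engine along with it.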
Products Updated on Patch Tuesday
- Windows 7 and 8.1 – 2 vulnerabilities, both classified as important.
- Windows 10 – 3 vulnerabilities, all of which are classified as important.
- Windows Server 2008, 2008 R2, 2012, and 2012 R2 – 2 vulnerabilities, both of which are classified as important.
- Windows Server 2016 – 3 vulnerabilities, all of which are classified as important.
- Internet Explorer 11 and Microsoft Edge – 13 vulnerabilities: 12 rated critical in Edge and 9 rated critical in IE, the rest classified as important.
- Monthly rollup for Windows 7 SP1 and Windows Server 2008 R2. For more information, see https://support.microsoft.com/en-us/help/4054518/windows-7-update-kb4054518
- Monthly rollup for Windows 8.1 and Server 2012 R2. For more information, see https://support.microsoft.com/en-us/help/4054519/windows-81-update-kb4054519
- Cumulative update for Windows 10 Version 1709 to build 16299.125. For more information, see https://support.microsoft.com/en-us/help/4054517/windows-10-update-kb4054517
- Cumulative update for Windows 10 Version 1703 to build 15063.786. For more information, see https://support.microsoft.com/en-us/help/4053580/windows-10-update-kb4053580
- Cumulative update for Windows 10 Version 1607 to build 14393.1944. For more information, see https://support.microsoft.com/en-us/help/4053579/windows-10-update-kb4053579
- Cumulative update for Windows 10 Version 1511 to build 10586.1295. For more information, see https://support.microsoft.com/en-us/help/4053578/windows-10-update-kb4053578
- Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012. For more information, see https://support.microsoft.com/help/4054523
- Cumulative security update for Internet Explorer. For more information, see https://support.microsoft.com/en-us/help/4052978/cumulative-security-update-for-internet-explorer
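Verifying that the right package from the list above actually landed is a different job on each servicing branch: on Windows 7/8.1 and the matching servers the rollup shows up by KB number, while on Windows 10 the reliable signal is the build revision the cumulative update raises. The script below is an added example for this article, not Microsoft's tooling; the KB numbers and Windows 10 build numbers in its table are transcribed from the list above, and it is an assumption that your hosts fall within the editions that list names (Server 2012 hosts on the monthly rollup track, for instance, need a different KB that the list does not give).

```powershell
# Added example, not part of the original article: report whether this host has
# the December 2017 update listed above for its OS. The KB numbers and Windows 10
# build numbers are transcribed from the list; the table covers only the editions
# the article names (assumption: extend it for anything else in your estate).
$Expected = @{
    '6.1'        = @{ KB = 'KB4054518' }              # Windows 7 SP1 / Server 2008 R2 monthly rollup
    '6.2'        = @{ KB = 'KB4054523' }              # Windows Server 2012 / Embedded 8 Standard, security-only
    '6.3'        = @{ KB = 'KB4054519' }              # Windows 8.1 / Server 2012 R2 monthly rollup
    '10.0.10586' = @{ KB = 'KB4053578'; UBR = 1295 }  # Windows 10 1511 -> 10586.1295
    '10.0.14393' = @{ KB = 'KB4053579'; UBR = 1944 }  # Windows 10 1607 / Server 2016 -> 14393.1944
    '10.0.15063' = @{ KB = 'KB4053580'; UBR = 786 }   # Windows 10 1703 -> 15063.786
    '10.0.16299' = @{ KB = 'KB4054517'; UBR = 125 }   # Windows 10 1709 -> 16299.125
}

function Test-DecemberUpdate {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version
    # Windows 10 is keyed on the full version (10.0.<build>); older releases on major.minor
    $key  = if ($ver.Major -ge 10) { $os.Version } else { '{0}.{1}' -f $ver.Major, $ver.Minor }
    $want = $Expected[$key]
    if (-not $want) { throw "No expected update recorded for OS version $($os.Version)" }

    # Get-HotFix reads Win32_QuickFixEngineering, which lists rollups and cumulative updates by KB
    $kbInstalled = [bool](Get-HotFix -Id $want.KB -ErrorAction SilentlyContinue)

    # On Windows 10 the update build revision (UBR) is the authoritative check: the cumulative
    # update raises it to the number in the list regardless of what QuickFixEngineering reports
    $buildOk = $null
    $build   = $os.BuildNumber
    if ($want.ContainsKey('UBR')) {
        $ubr     = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
        $build   = "$($os.BuildNumber).$ubr"
        $buildOk = ($ubr -ge $want.UBR)
    }
    $patched = if ($null -ne $buildOk) { $buildOk } else { $kbInstalled }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OSVersion   = $os.Version
        Build       = $build
        ExpectedKB  = $want.KB
        KBInstalled = $kbInstalled
        BuildAtFix  = $buildOk
        Patched     = $patched
    }
}

Test-DecemberUpdate
```

Hosts on the security-only track for Windows 7/8.1 also need the IE cumulative update (KB4052978) listed above; the monthly rollup already carries the IE fixes, so the table does not demand it separately.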
The updates above address security issues in the Microsoft Scripting Engine, Microsoft Edge, and Windows Server.
Microsoft Office updates
- Office 2016 security update was released December 12 to address vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. For more information, see https://support.microsoft.com/en-us/help/4011095/descriptionofthesecurityupdateforoffice2016december12-2017
- SharePoint Server 2016 security update to address an elevation of privilege vulnerability. For more information, see https://support.microsoft.com/en-us/help/4011576/descriptionofthesecurityupdateforsharepointserver2016december12-2017
The following are some of the critical vulnerabilities addressed by these patches:
- Scripting Engine Memory Corruption Vulnerabilities in IE and Edge. These are remote code execution vulnerabilities that exist when the scripting engine in Internet Explorer or Edge improperly accesses objects in memory. The corruption can be arranged so that an attacker executes arbitrary code in the context of the current user, typically by luring the user to a crafted web page or to content embedded in a document, so users who browse without administrative rights limit what a successful exploit can do.
- Microsoft Malware Protection Engine Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. Impacts Windows Defender running on Windows 7, 8.1, RT 8.1, 10, and Server 2016; Exchange 2013 and 2016; Security Essentials; and Forefront, System Center, and Intune Endpoint Protection.
Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in easily accessed format and moved everything to the Security Update Guide portal that provides a deluge of unwieldy information. Thus we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.
You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (December 12, 2017 to December 12, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).
Wishing all of our readers a happy holiday and an attack-free and malware-free season as we enter the last days of this year. Here’s hoping for fewer vulnerabilities and easier patching in 2018.