November in the U.S. marks the beginning of the long holiday season, as well as (in most states) the end of Daylight Saving Time, which suddenly shortens our days and plunges us into an early darkness. Of course the highlight of this month is Thanksgiving, when we traditionally stuff ourselves with turkey and dressing and at least for a little while, focus on being grateful for all the good things in our lives.

In the IT industry, we have a lot for which we should be thankful. Despite changes brought about by companies moving to the cloud, IT professionals who have upgraded and adapted their skills to the new paradigm are still among the ranks of the relatively well-paid, and in many ways the job is getting easier as more of the mundane tasks are automated – leaving us with time to spend on more interesting and challenging aspects of our work.

One chore that will never go away, even as it becomes more automated, is ensuring that systems and software are updated with the latest security fixes. Hackers will always be probing for vulnerabilities that can be exploited. There is now software that can automate their efforts as well, but on both sides the human factor is still important.

The era of the machine that runs itself is upon us, but even when it has been fully realized, it makes sense to be aware of what’s going on, what the threats are, and how they’re being addressed. Microsoft’s updates on this Patch Tuesday address a number of critical and important vulnerabilities in Windows client and server operating systems and OS components, the web browsers, and Office applications.

Let’s take a closer look at these releases:

Security Advisories

The following security advisories were released on Patch Tuesday this month:

  • ADV170019 – Adobe Flash Security Updates. Applies to Flash installed on Windows 8.1, 8.1 RT, and 10, and Windows Server 2012, 2012 R2 and 2016. The update fixes five critical vulnerabilities that include out-of-bounds read and use-after-free issues, all of which can be exploited to accomplish remote code execution. The advisory includes mitigations and workarounds for those who can’t install the updates. For more information, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170019
  • ADV170020 – Microsoft Defense in Depth Update. Applies to Office 2010, Office Web Apps 2010 and 2013, Word 2007, 2010, 2013, 2013 RT, and 2016, Word 2016 for Mac, Office Word Viewer, SharePoint Enterprise Server 2016, and Word Automation Services. The advisory gives little information other than the fact that this measure provides enhanced security. For more information, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170020

Products Updated

  • 12 vulnerabilities were fixed in Windows 10 versions 1607 and 1703, with 9 patched in version 1709.
  • 11 vulnerabilities were fixed in Windows 8.1
  • 12 vulnerabilities were fixed in Windows 7
  • 12 vulnerabilities were fixed in Windows Server 2016 and in Server 2008 R2
  • 11 vulnerabilities were fixed in Windows Server 2016, 2012, 2012 R2 and 2008

Happily, none of the vulnerabilities in Windows are rated as critical. There are, however, patches issued for critical vulnerabilities in the web browsers.

Cumulative Updates/Rollups

  • Windows 8.1 and Server 2012 R2 Security Rollup contains Security updates to Microsoft Windows Search Component, Windows Media Player, Microsoft Graphics Component, Windows kernel-mode drivers, and the Windows kernel. For more information, see https://support.microsoft.com/en-us/help/4048961/windows-81-update-kb4048961
  • Windows 7 SP1 and Windows Server 2008 R2 SP1 Monthly Rollup and Security-only Rollup contain the same fixes as above. For more information, see https://support.microsoft.com/en-us/help/4048960/windows-7-update-kb4048960
  • Windows 8.1 and Server 2012 R2 Monthly Rollup contains the same security fixes as above, plus addresses the following issues: virtual smart card doesn’t assess the Trusted Platform Module (TPM) vulnerability correctly, applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files, a crash in Internet Explorer that was seen in machines that used large font-size settings, and an issue that caused SharePoint Online sites to stop working in Internet Explorer. For more information, see  https://support.microsoft.com/en-us/help/4048958/windows-81-update-kb4048958
  • Windows 10 Version 1709 contains Security updates to Microsoft Scripting Engine, Microsoft Edge, Microsoft Graphics Component, Windows kernel, Internet Explorer, and Windows Media Player. It also addresses issues with the Mixed Reality Portal, a black screen issue when switching between windowed and full screen modes in DirectX games, a compatibility issue in Game DVR playback using Android and iOS devices, a keyboard issue, an issue with USB devices and head-mounted displays, an issue with virtual smart cards and the TPM, a GetStorageJob issue, an issue with applications based on the JET database engine, an issue with the Start menu missing application tiles, and an issue with Edge’s inability to create a WARP support process. For more information, see https://support.microsoft.com/en-us/help/4048955/windows-10-update-kb4048955
  • Windows 10 Version 1703 contains Security updates to Internet Explorer, Microsoft Scripting Engine, Microsoft Edge, Windows kernel, Windows kernel-mode drivers, Microsoft Graphics Component, the Microsoft Windows Search Component, and Windows Media Player. It also addresses an issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files, an issue where the RDP Connection from a Windows 10 1703 client to Windows Server 2008 R2 fails with the error: “An internal error occurred,” an issue where, after an OS upgrade, setting an offline schedule in the Sync Center applet of Control Panel fails, an issue where RemoteApp and Desktop Connection settings fail to apply when you set them using Group Policy or a script, an issue where the virtual smart card doesn’t assess the Trusted Platform Module (TPM) vulnerability correctly, an issue where opening Microsoft Office files from a file server that has Windows Information Protection enabled fails with the error: “Sorry we couldn’t open document xxxx,” and an issue where, when using the FDVDenyWriteAccess policy, Windows will continue to prevent a drive from being made writable even after BitLocker encryption completes.

    Also addressed are the following issues:
    • Surface Hub devices cannot connect to Azure Active Directory to log on when they are behind a proxy server.
    • Attempting to clean temporary files on the Windows Phone results in the error code “E_FAIL”.
    • Functional keys stop working on Microsoft Designer Keyboards.
    • Modern applications built using JavaScript may fail to initialize.
    • GetWindowLong may fail when called on a window whose thread isn’t processing Windows messages.
    • After installing KB4038788 and rebooting, a black screen appears with only a cursor, and you must reboot in order to log in successfully.
    • In Internet Explorer an intranet site was being treated as an internet site.
    • Memory leak in Microsoft Edge caused by the startup of an internal process.
    • An issue with the launch of HTML dialogs in Windows PE systems.
    • Scrolling sometimes causes Microsoft Edge to stop responding.
    • A crash in Internet Explorer in machines that used large font-size settings.
    • PDF download progress bar stops when opening a PDF file from a cloud-backed web services site.

For more information, see https://support.microsoft.com/en-us/help/4048954/windows-10-update-kb4048954

  • Windows 10 Version 1607 and Windows Server 2016 updates address the issue with applications based on the Microsoft JET Database Engine, the issue with attempting to clean temporary files on the Windows Phone, the issue with the launch of HTML dialogs in Windows PE systems, the crash in Internet Explorer in machines that used large font-size settings, as well as  the security updates to Internet Explorer, Microsoft Scripting Engine, Microsoft Edge, Windows kernel, Device Guard, Windows kernel-mode drivers, Microsoft Graphics Component, the Microsoft Windows Search Component, and Windows Media Player. For more information, see https://support.microsoft.com/en-us/help/4048953/windows-10-update-kb4048953

Updates are also released for Windows 10 Version 1511 and 1507. For more information, see https://support.microsoft.com/en-us/help/4048952/windows-10-update-kb4048952 and https://support.microsoft.com/en-us/help/4048956/windows-10-update-kb4048956
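To confirm that a given machine actually received the update listed above for its Windows version, a check along these lines can be run in Windows PowerShell. This is an added example, not a Microsoft script: the KB numbers come from the support links in this article, the build numbers are the standard Windows build identifiers, and the function name Test-NovemberUpdate is made up for illustration.

```powershell
# Added example: map the local OS build to the November 2017 KBs named in this
# article and report whether one of them is installed.
$ExpectedKb = @{
    '7601'  = @('KB4048960')               # Windows 7 SP1 / Server 2008 R2 SP1
    '9600'  = @('KB4048958', 'KB4048961')  # Windows 8.1 / Server 2012 R2 (monthly rollup, security rollup)
    # The article lists these two KBs for Windows 10 1511 and 1507 together,
    # so either one is accepted for both builds.
    '10240' = @('KB4048952', 'KB4048956')  # Windows 10 1507
    '10586' = @('KB4048952', 'KB4048956')  # Windows 10 1511
    '14393' = @('KB4048953')               # Windows 10 1607 / Server 2016
    '15063' = @('KB4048954')               # Windows 10 1703
    '16299' = @('KB4048955')               # Windows 10 1709
}

function Test-NovemberUpdate {
    param(
        [string]   $Build,         # OS build number, e.g. '16299'
        [string[]] $InstalledIds   # HotFixID values present on the machine
    )
    if (-not $ExpectedKb.ContainsKey($Build)) {
        return "Build $Build is not covered by the updates listed in this article"
    }
    $wanted = $ExpectedKb[$Build]
    $found  = @($wanted | Where-Object { $InstalledIds -contains $_ })
    if ($found.Count -gt 0) {
        return "Installed: $($found -join ', ')"
    }
    # A later cumulative update replaces these KBs, so on a machine patched
    # after November 2017 "Missing" means "check for the newer rollup",
    # not necessarily "unpatched".
    return "Missing: $($wanted -join ' or ')"
}

# Query the local machine. Get-WmiObject is used so the check also runs on
# the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
$build     = (Get-WmiObject -Class Win32_OperatingSystem).BuildNumber
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Test-NovemberUpdate -Build $build -InstalledIds $installed
```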

Vulnerabilities Addressed

The following are critical vulnerabilities addressed by these patches:

  • Adobe Flash Player vulnerabilities referenced in the advisory above.
  • Multiple Scripting Engine Memory Corruption vulnerabilities in Edge that can be exploited to accomplish remote code execution.
  • Multiple Scripting Engine Memory Corruption vulnerabilities in Internet Explorer that can be exploited to accomplish remote code execution.

The remaining vulnerabilities addressed by this month’s patches are rated important, moderate, or low severity.

Summary

Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in easily accessed format and moved everything to the Security Update Guide portal that provides a deluge of unwieldy information. Thus we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.

You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (November 14, 2017 to November 14, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).