October 2017 – Microsoft Patch Tuesday

October is when we first start to get the first taste of autumn in the air here in north central Texas, and it’s a welcome relief after a typical hot summer (albeit a much wetter one than usual). In the U.S., this month ushers in the holiday season that begins with Halloween ghosts and goblins – but that comes later. First IT pros have to get through another Patch Tuesday, and are hoping it won’t be a scary one.

It usually takes a few days after updates are released before we know for sure whether there are any tricks, but we do have a small treat this month: fewer total patches than usual.  The patches address a total of 29 unique vulnerabilities, across Windows client and server operating systems, the Internet Explorer 11 and Edge web browsers, and the ChakraCore scripting engine.  

Let’s take a closer look at these releases:

Security Advisories

The following security advisory was released on Patch Tuesday this month:

ADV170012 – Vulnerability in TPM. This pertains to a firmware vulnerability in certain Trusted Platform Module chipsets that can negatively impact the strength of the cryptographic keys. Note that this is not a software vulnerability; it’s an issue with specific TPM firmware, but it impacts some Windows client and server systems with TPM modules, so Microsoft has issued updates that work around the problem. Hardware vendors may also release TPM updates for their firmware to address the problem.

For details regarding this update and how to identify affected software, please read the full security advisory here.

Products Updated

• Windows 7 updates address twenty vulnerabilities.
• Windows 8.1 updates address twenty-three vulnerabilities.
• Windows 10 updates address twenty-nine vulnerabilities.
• Windows Server 2008 R2 updates address eighteen vulnerabilities.
• Windows Server 2012/2012 R2 updates address twenty-three vulnerabilities.
• Windows Server 2016 updates address twenty-nine vulnerabilities.

Cumulative Updates

• Windows 10 v1703 – KB4041676

• Windows 10 v1607 – KB4041691

• Windows 10 v1511 – KB4041689

• Windows 8.1 – KB4041687

• Windows 7 – KB4041681

• Windows Server 2016 – KB4041691

• Windows Server 2012 – KB4041687

• Windows Server 2008R2 – KB4041678

Vulnerabilities Addressed

All of the vulnerabilities addressed in this month’s updates are remote code execution issues with the exception of one security feature bypass.

The following are critical vulnerabilities addressed by these patches:

• CVE-2017-11762 | This is a Microsoft Graphics Remote Code Execution Vulnerability caused by improper handling of embedded fonts by the Windows font library, that can be exploited by a web-based or file-sharing attack.
• CVE-2017-11763 | This is another Microsoft Graphics Remote Code Execution Vulnerability.
• CVE-2017-11767 | This is a Scripting Engine Memory Corruption Vulnerability caused by the way that the ChakraCore scripting engine handles objects in memory, which could be exploited by an attacker to execute arbitrary code in the context of the current user.
• CVE-2017-11771 | This is a Windows Search Remote Code Execution Vulnerability caused by the way Windows Search handles objects in memory that can be exploited by sending specially crafted messages to the Windows Search service, potentially allowing an attacker to take control of the system.
• CVE-2017-11779 | This is a Windows DNSAPI Remote Code Execution Vulnerability that occurs when the Windows Domain Name System DNSAPI.dll doesn’t handle DNS responses properly and could be exploited by sending corrupt DNS responses from a malicious DNS server to enable the attacker to run arbitrary code in the context of the local system account.
• CVE-2017-11792 | This is a Scripting Engine Memory Corruption Vulnerability caused by the way the scripting engine in Microsoft Edge handles objects in memory, which could be exploited through a malicious or compromised web site to enable the attacker to gain the same user rights as the current user.
• CVE-2017-11793 | This is a Scripting Engine Memory Corruption Vulnerability caused by the way the scripting engine in Microsoft Internet Explorer handles objects in memory, which could be exploited through a malicious or compromised web site to enable the attacker to gain the same user rights as the current user.
• CVE-2017-11796 | This is another Scripting Engine Memory Corruption Vulnerability in Microsoft Edge.
• CVE-2017-11797 | Scripting Engine Information Disclosure Vulnerability in the ChakraCore scripting engine caused by the way it handles objects in memory, which could be exploited to allow the attacker to run arbitrary code in the context of the current user.
• CVE-2017-11798 | This is another Scripting Engine Memory Corruption Vulnerability in Microsoft Edge.
• CVE-2017-11799 and CVE-2017-11800  | These are other Scripting Engine Memory Corruption Vulnerabilities in Microsoft Edge.
• CVE-2017-11801 | This is another Scripting Engine Memory Corruption Vulnerability in the ChakraCore scripting engine.
• CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808 | These are other Scripting Engine Memory Corruption Vulnerabilities in Microsoft Edge.
• CVE-2017-11809 | This is a Scripting Engine Memory Corruption Vulnerability in Microsoft web browsers.
• CVE-2017-11810 | This is another Scripting Engine Memory Corruption Vulnerability in Internet Explorer.
• CVE-2017-11811 and CVE-2017-11812 | These are other Scripting Engine Memory Corruption Vulnerabilities in Microsoft Edge.
• CVE-2017-11813 | This is an Internet Explorer Memory Corruption Vulnerability whereby an attacker could execute arbitrary code in the context of the current user.
• CVE-2017-11819 | This is a Windows Shell Remote Code Execution Vulnerability caused by the way Microsoft browsers access objects in memory, whereby an attacker could execute arbitrary code in the context of the current user.
• CVE-2017-11821 | This is a Scripting Engine Memory Corruption Vulnerability in Microsoft Edge.
• CVE-2017-11822 | This is another Internet Explorer Memory Corruption Vulnerability whereby an attacker could execute arbitrary code in the context of the current user.
• CVE-2017-8727 | This is a Windows Shell Memory Corruption Vulnerability that occurs when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework, and whereby an attacker could execute arbitrary code in the context of the current user.

Summary

Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in easily accessed format and moved everything to the Security Update Guide portal that provides a deluge of unwieldy information. Thus we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.

You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (October 10, 2017 to October 10, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).