Here in the U.S., it has has been a wild and wooly month, with a one-two hurricane punch that has millions of people on the Texas coast, in Florida, and in the Caribbean islands struggling to recover from the damage and destruction brought by Harvey and Irma. From an IT perspective, the storms were eye openers for many network admins responsible for disaster recovery planning and preparation, as some organizations found their server rooms or data centers destroyed by wind and water.

And that’s not all. Wildfires continue to burn in the western part of the country, and many have lost their homes there, as well. It’s a tough time for a lot of people, and my sympathies are with everyone who has been impacted, directly or indirectly, by these natural disasters.    

For the rest of us, the job goes on. Autumn is bringing cooler weather to many areas, children have returned to school, and the holidays loom just ahead of us. It’s a busy time, but it’s as important as ever to stay diligent about keeping systems updated to stay ahead of the hackers and attackers. The recent data breach of the Equifax credit reporting bureau that exposed the personal information of 143 million Americans is a grim reminder that the bad guys never seem to take a break.

Let’s take a look now at some of this month’s updates and the issues they address.

Security Advisories

The following advisories were released this month:

  • ADV170013 regarding the Adobe Flash update that addresses CVE-2017-11281 and CVE-2017-11282
  • ADV170015 regarding Microsoft Office Defense in Depth Update.

Products Updated

The security updates apply to a number of different Microsoft products and services, including Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Skype for Business and Lync, .NET Framework, and Microsoft Exchange Server. Also included is the usual update for Adobe Flash Player running on Windows operating systems.

A quick glance at the Security Update Guide shows that since last month’s Patch Tuesday releases on August 8, there have been a total of 1161 update line items. Don’t panic, though; the Guide (which is still a source of frustration for many) lists a separate item for a patch of the same vulnerability on each individual version of Windows.

A better measure of the scope of this month’s updates is the number of individual vulnerabilities that are addressed by the fixes. There are 84 separate CVEs (Common Vulnerabilities and Exposures) addressed by this month’s patches.

Vulnerabilities Addressed

This month’s slate of updates fixes 25 vulnerabilities in Window 10, two of which are rated critical. Windows 8.1 gets patches for twenty-six vulnerabilities, with four of them rated critical, and Windows 7 has the lowest number of vulnerabilities patched – twenty-two; three of these are rated critical.

On the server side, we’re seeing the largest number of issues in the newest version of the OS. Windows Server 2016 has twenty-eight vulnerabilities patched but the good news is that only two of those are critical. Server 2012 and 2012 R2 get patches for twenty-six vulnerabilities, with four rated critical, and Server 2008 R2 comes in with twenty-three vulnerabilities, three of which are rated critical.

Newer apparently doesn’t mean more secure, at least in the web browser space (on the other hand, you could argue that the older browser has been around longer to accumulate more past patches). At any rate, Microsoft Edge comes in at twenty-eight vulnerabilities this month, but the really concerning part is that nineteen of those are considered critical. By comparison, Internet Explorer 11 only sees patches for seven vulnerabilities, but again a large proportion – five – are rated critical.

Microsoft Exchange Server 2013 and 2016 get a fix for an important information disclosure vulnerability that stems from an input sanitization issue.

Let’s look at some of the critical vulnerabilities that are addressed:

  • CVE-2017-0161 is a NetBIOS remote code execution issue that affects all of the currently supported Windows operating systems: Windows 7, 8.1, RT 8.1, and 10, and Server 2008 R2, 2012, 2012 R2, and 2016.
  • CVE-2017-8682 is a remote code execution vulnerability in the Win32K graphics component when the Windows font library doesn’t handle specially crafted embedded fonts properly.
  • CVE-2017-8686 is a remote code execution vulnerability in the Windows DHCP Server component of Windows. It affects Server 2012, 2012 R2, and 2016. This includes server core installations.
  • CVE-2017-8676 is a critical information disclosure vulnerability in the Windows Graphic Device Interface (GDI) that affects all currently supported Windows client and server operating systems, and also Microsoft Office 2007 and 2010, Office for Mac 2011 and 2016, Skype for Business and Microsoft Lync.
  • CVE-2017-8696 is a remote code execution vulnerability in the Microsoft graphics component that is due to the way Windows Uniscribe handles objects in memory.
  • CVE-2017-8728 is a remote code execution vulnerability that occurs when the Windows PDF library doesn’t handle objects in memory properly.
  • CVE-2017-8729 is another scripting engine memory corruption vulnerability in Microsoft edge.
  • CVE-2017-8731 is another Microsoft edge memory corruption vulnerability.
  • CVE-2017-8734 is another memory corruption vulnerability in Microsoft Edge.
  • CVE-2017-8737 is another Microsoft pdf remote code execution vulnerability.
  • CVE-2017-8738 is a remote code execution vulnerability in the way the scripting engine handles objects in memory in Microsoft Edge.
  • CVE-2017-8740 is another scripting engine remote code vulnerability in Microsoft Edge.
  • CVE-2017-8747 is a remote code execution vulnerability due to memory corruption in Internet Explorer.
  • CVE-2017-8741 is another scripting engine remote code vulnerability in Microsoft Edge.
  • CVE-2017-8748 is a remote code execution vulnerability that is due to the way the Microsoft browsers’ (both IE and Edge) JavaScript engines render content when handling objects in memory.
  • CVE-2017-11764 is a critical remote code execution vulnerability in Microsoft Edge that is due to the way the scripting engine handles objects in memory (memory corruption issue).
  • CVE-2017-11766 is another memory corruption issue in Microsoft Edge.

The above represents some, but not all, of the critical vulnerabilities that Microsoft patched in the September security updates. Some of these updates are the cumulative rollups for the operating systems and some are individual patches for various software products. These include:

  • KB4038788 – Windows 10 update, version 1703, build 15063.608, which addresses numerous issues and includes security updates to Microsoft Graphics Component, Windows kernel-mode drivers, Windows shell, Microsoft Uniscribe, Microsoft Edge, Device Guard, Windows TPM, Internet Explorer, Microsoft Scripting Engine, Windows Hyper-V, Windows kernel, and Windows Virtualization that address vulnerabilities listed above.
  • KB4038792 – Windows 8.1 and Server 2012 R2 monthly rollup, which includes security updates to Microsoft Graphics Component, Windows kernel-mode drivers, Windows shell, Microsoft Uniscribe, Microsoft Windows PDF Library, Windows TPM, Windows Hyper-V, Windows kernel, Windows DHCP Server, and Internet Explorer that address vulnerabilities listed above.
  • KB4038777 – Windows 7 SP1 and Windows Server 2008 R2 SP1 monthly rollup, which includes security updates to Microsoft Graphics Component, Windows kernel-mode drivers, Windows shell, Windows Hyper-V, Windows kernel, Windows Virtualization, and Internet Explorer that address vulnerabilities discussed above.
  • Security update for Office 2016 – resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file (CVE-2017-8630).

Also included are the cumulative security updates for Internet Explorer and Edge, a number of individual updates for Windows Server, security and quality rollups for the .NET Framework,  

Summary

Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in easily accessed format and moved everything to the Security Update Guide portal that provides a deluge of unwieldy information. Thus we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.

You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (September 12, 2017 to September 12, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).