Microsoft’s Patch Tuesday for this month includes 53 updates. There are four Zero-Days fixed, although no known exploits for these exist in the wild.
- CVE-2017-8700 (ASP.NET Core information disclosure)
- CVE-2017-11827 (Microsoft browser memory corruption)
- CVE-2017-11848 (Internet Explorer information disclosure)
- CVE-2017-11883 (ASP.NET Core denial of service)
The Dot.Net fixes always present some challenges for business customers.
There are two Security Advisories also:
- CVE-2017-11830 vulnerability in Windows Defender Device Guard allows attackers to bypass the application and execute commands remotely.
- CVE-2017-1187 vulnerability allows hackers to get past Microsoft Excel’s protection against macro execution.
The rest of the patches have to do with non-security updates to Office 2007 through Office 2016.
Note that there are vulnerabilities that have been fixed with Microsoft Excel that allow Remote Code Execution (RCE) through specially crafted Excel files. As usual, I suggest that you do not open Office files sent from strangers That email with the juicy attachment “Executive_Compensation.xlsx” has been proven to be irresistible. The Click-To-Run versions of Office 2016 (Office 365) Excel are not affected.
Not to be outdone by Microsoft, Adobe has fixed about 77 bugs across all of it’s products. This includes the usual Flash Player but all all variants of it’s PDF Viewers. Even the old Shockwave Player gets an update. If you have an Adobe product on your system, you must manually update it now. These are Remote Code Execution (RCE) vulnerabilities.
References
Bleeping Computer has a nice article here.
Manage Engine‘s review of these updates is here.
Adobe‘s Security Bulletin is here.