Microsoft had a busy month patching flaws, with nearly 50 security issues fixed, many of which carry a severity rating of “critical” or “important” and include remote code execution vulnerabilities.
The updates also included a unique Linux patch as well. “This is the first time we have seen vulnerabilities patched on the Linux subsystem under Windows,” Rapid7 Senior Manager Bobby McKeown told SC Media. “Since its introduction, it was only a matter of time, and CVE-2017-8627 (DoS) and CVE-2017-8622 (Privilege Escalation) are the first of their kind.”
McKeown gave credit to Microsoft for patching a number of publicly disclosed vulnerabilities, including the CVE-2017-8633 privilege escalation issue in Windows Error Reporting. Other researchers noted that while it may seem like a vast number of issues were addressed, the month may not be as dramatic as it appears.
“There are a lot of Critical updates this month, but only two public disclosures and no known exploited,” Chris Goettl, product manager with Ivanti, told SC Media. “The 12 updates released by Microsoft resolve a total of 50 unique CVEs.”
Goettl added that the 12 updates are definitely a lighter load and that 10 of them are expected as they are the OS Cumulative or Security Only Bundles and the IE Cumulative for those using the Security Bundle. He also noted that all of the Windows OS updates this month have a public disclosure in common.
“CVE-2017-8633 is a vulnerability in Windows Error Reporting which could allow an Elevation of Privilege exploit,” Goettl said. “The attacker could run a specially crafted application to cause an error that could allow them to elevate their privileges enough to gain access to sensitive information and system functionality.”
Windows 10 has an additional public disclosure (CVE-2017-8627), a flaw in the Windows Subsystem for Linux that could be exploited by running a specially crafted file to cause a Denial of Service.