Microsoft’s December Patch Tuesday release contained 34 vulnerabilities with 22 of these being rated critical and affecting the company’s browser products.
This month’s release included two critical issues (CVE-2017-11937 and CVE-2017-11940) in the company’s Malware Protection Engine that were fixed last week in an out-of-band patch and another for the single Flash Player issue covered by Adobe today.
All of the critical-rated vulnerabilities could lead to remote code execution if left unpatched, but Microsoft reported none of them are currently being exploited in the wild.
Greg Wiseman, Rapid7’s senior security researcher, noted that the browser issues in the security bulletin should be of particular interest because they can be easy for cybercriminals to exploit.
“It doesn’t take sophisticated social engineering tactics to convince most users to visit a malicious web page, or a legitimate, but compromised, website (as in a watering hole attack). If the user is browsing with an unpatched version of Internet Explorer or Edge, an attacker could execute arbitrary code. If the user has administrative rights, it’s game over and the attacker could take full control of the system,” Wiseman said.
Chris Goettl, product manager for Ivanti, noted that while the browser notifications should have priority, there are other problems that should not be overlooked.
“The Office update is also of concern, but don’t ignore the Exchange and SharePoint updates for too long. This month’s Exchange update impacts OWA and includes 1 CVE that is more complex to exploit, but could be used in conjunction with other CVEs as a pivot to chain an attack. SharePoint also includes 1 CVE that could allow for a Cross Site Scripting attack that could allow for an elevation of privilege,” he said.
Wiseman also pointed out that Exchange Server received an important fix for CVE-2017-11932, which he described as “a spoofing vulnerability that could allow script or content injection attacks, potentially leading to sensitive information disclosure or redirection to a malicious website.”
Also on the back end, CVE-2017-11885 affects servers with Routing and Remote Access enabled, he said, adding that while this is typically a small subset of systems in most environments, such servers would be excellent pivot points allowing an attacker to move laterally within a network.