patch flaw vulnerability
patch flaw vulnerability

Microsoft's July Patch Tuesday news covered 55 flaws with 19 being rated critical with all the latter issues leading to remote code execution if left unpatched.

The products covered in the July release were: Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework, Adobe Flash Player and Microsoft Exchange Server. The advisory also covered several issues involving Adobe Flash Player.

One of the more interesting problems fixed is CVE-2017-8584. This vulnerability exists when Microsoft's HoloLens, described by Microsoft self-contained, holographic computer, is hit with a specially crafted Wi-Fi packet. If access is gained an attacker could install programs; view, change, or delete data; or create new accounts with full user rights, Microsoft said.

This flaw impressed Bobby Kuzma, security researcher at Core Security, Neat. A RCE in the new-fangled Augmented Reality gadget. We are truly living in the future.”

Several critically rated patches were also issued for IE 11, including CVE-2017-8607 that covers a scripting engine memory corruption vulnerability.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft said.

Microsoft Office was also updated to fix several critical problems, including CVE-2017-8570 which covers a remote code execution vulnerability that exists when the software fails to properly handle objects in memory.

“An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user,” the company said,

However, to exploit this vulnerability the user must open a specially crafted file with an affected version of Microsoft Office software.