Patch Tuesday December 2017

Welcome back to this month’s Microsoft Patch Tuesday. This Patch Tuesday was relatively lightweight, fixing a few issues with Windows systems. In total, 34 vulnerabilities in Windows and related software were addressed. The majority of the vulnerabilities reside in Microsoft’s web browsers, and the out-of-band update for Microsoft’s Malware Protection Engine is included in today’s patches as well.

Exchange

Exchange returns as a familiar face to be patched this round, with a vulnerability that allows for an attacker to perform script or content injection attacks. Such attacks could trick the user into disclosing sensitive information. This attack cloud be used as a pivot to chain an attack with other vulnerabilities in web services. This vulnerability is rated as Important.

Office

The usual office products require patching, hosting a handful of vulnerabilities. Excel received a fix for remote code execution, allowing an attacker to execute code with the security context of Excel. PowerPoint received a fix for an information disclosure vulnerability that could expose memory contents to an attacker, assisting them in further compromising an affected system. SharePoint received a fix for cross-site scripting, which would have allowed attackers to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content in the browser of the user. These vulnerabilities are rated as Important.

Routing and Remote Access

Making an unusual appearance is Windows RRAS, which exists when a RPC server has Routing and Remote Access enabled. An attacker leveraging this vulnerability would be able to execute code on the target system with full user rights. Routing and Remote Access is an elective configuration, so systems without it enabled are not vulnerable. This vulnerability is rated as Important.

Windows Protocol Handler

Windows ‘its://’ protocol handler unnecessarily sends traffic to a remote site in order to determine the zone of a provided URL. This could potentially result in disclosing sensitive information to a malicious site. An attacker who tricked a user into using this protocol handler on a malicious site could use the disclosed NTLM hash to brute-force the corresponding hash password. This vulnerability is rated as Important.

Edge and Internet Explorer

As mentioned earlier, most of the patches from this Patch Tuesday are for Edge and Internet Explorer. These vulnerabilities reside in the Microsoft Scripting Engine in the browser that can exploit improper memory sanitization. The attacker would be able to execute code with the security context of the affected web browser. Microsoft rates these vulnerabilities as everything from Low to Critical.

Adobe Flash Player

As usual, Adobe has released fixes for Flash Player. The Adobe advisory describes the vulnerability as a ‘Business Logic Error’ where an unintended reset of a global settings preference file can occur. An attacker leveraging this vulnerability may be able to bypass elective security features. Adobe rates the vulnerability as Moderate, while Microsoft rates the vulnerability at Critical.