For its final scheduled batch of updates for 2017, Microsoft has released fixes for over 30 security vulnerabilities in its software, impacting users of the likes of Microsoft Windows, Microsoft Office, Exchange Server, Microsoft Edge, and the malware protection engine built into security products such as Windows Defender.
That fix for Microsoft’s malware protection engine is particularly interesting, as the security hole it patches was discovered by the National Cyber Security Centre (NCSC), part of the UK’s intelligence agency GCHQ.
Experts at NCSC found a way to exploit two critical remote code execution flaws in Microsoft’s anti-malware code: the engine could be compromised when it scanned a boobytrapped file, allowing an attacker to take control of targeted systems.
The flaw was fixed in an out-of-band patch earlier this month, and Windows users should already have received an automatic update to the anti-malware engine itself, but the company was probably correct in being cautious, and including the fix again in this regular round-up of patches.
Among the other critical flaws patched this month is a memory corruption vulnerability in the Edge browser:
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Although details of the Edge vulnerability have not been publicly disclosed, and there have not (to date) been any sightings of attacks exploiting the vulnerability, Microsoft has assessed that the chances of it being used in attacks are “more likely” than not.
And it’s not just Microsoft customers who will be ensuring that their software is up-to-date. Flash Player users would also be sensible to update their systems, after Adobe released version 18.104.22.168 for the Windows, Macintosh, Linux and Chrome OS platforms.
In a security bulletin, Adobe detailed its latest security update, which contains a single bug fix and does not appear to be of more than moderate severity.
Your experience may differ, but I’ve found it quite easy in recent years to live without Adobe Flash Player on my computer. If you’re not quite ready to desert Flash entirely and uninstall it, you may want to consider enabling a browser security feature called “Click to Play.”
“Click to Play” can reduce your attack surface by telling your browser not to render potentially malicious Flash content unless it has been given the permission to run. In other words, a maliciously coded Flash file will not execute unless given the green light, rather than automatically running when you visit a poisoned webpage.
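For readers who manage a fleet of browsers rather than a single machine, the same “Click to Play” behaviour can be enforced centrally. The fragment below is an added example, not taken from the article: it assumes a Google Chrome installation that reads managed policy files (on Linux, from /etc/opt/chrome/policies/managed/), and it uses Chrome’s DefaultPluginsSetting policy, where the value 1 lets plugins such as Flash run automatically, 2 blocks them outright, and 3 requires a click before any plugin content is rendered. The allow-list entry is a placeholder for an internal site that genuinely still needs Flash; replace it or drop it. Note that these plugin policies were later removed from Chrome along with Flash support itself, so they apply only to browser versions of the article’s era.

```json
{
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "https://intranet.example.com"
  ]
}
```

With this in place, an unexpected Flash object on an arbitrary web page shows a placeholder instead of executing, which is the reduction in attack surface the paragraph above describes; only the explicitly listed origin is exempt from the prompt.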
The important thing is, of course, not to turn a blind eye to security updates – whichever of your software vendors they come from. Increasingly, software can be automatically updated, reducing the window of opportunity for hackers to exploit newly-discovered flaws – although many companies still prefer to stagger the roll-out of a patch across their enterprise until they feel confident that it won’t cause more problems than it was designed to fix.
Author: Graham Cluley, We Live Security