Microsoft's November Patch Tuesday rollout included patches for 53 flaws, 20 rated critical, spread across a variety of products, including Edge, Internet Explorer, Windows and Office.
While no zero days were found this month, the monthly security update does include four publicly known, but not exploited, vulnerabilities. These are CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700, said Gill Langston, Qualys' director of product management. Despite the public nature of these issues, Langston suggested focusing on several found in Edge and IE.
“From a prioritisation standpoint, focus on the fixes for CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which all address the Scripting Engine in Edge and Internet Explorer, especially on laptops, and other workstation-type systems where the logged in user may have administrative privileges. Microsoft lists exploitation as More Likely for these vulnerabilities, especially if a user is tricked into viewing a malicious site or opening an attachment,” he told SC Media.
Dustin Childs, of The Zero Day Initiative, believes Microsoft Advisory ADV170020, which was part of the company's Defence in Depth Update series, may have something to do with the revelation last week that the Dynamic Data Exchange (DDE) protocol is being targeted. The cybergang APT28 has been spotted using this method, leading Microsoft to issue a warning on DDE attacks on 9 November.
The advisory notes that attacks can take place via email and corrupt Word, Excel, Publisher and Outlook documents. An attack is conducted through email when an attacker sends the intended victim a specially crafted file with a name designed to entice the victim to open it. Unlike other attacks that use Word docs, with DDE the victims do not have to manually enable macros for the payload to download. Instead, infection happens automatically.
“Microsoft hasn't provided a wealth of information about this update other than saying it provides a defence-in-depth issue. I say “issue” here because they didn't assign a CVE to the bug. Microsoft claims attackers may be abusing the feature, but it's not a vulnerability per se. Hopefully, the update provided by this advisory restricts the abuse of this “feature” in some manner,” Childs said.
Langston also noted that none of the Windows issues carried a critical rating, but he did suggest focusing on CVE-2017-11830 and CVE-2017-11847, as they address a Security Feature Bypass and a Privilege Elevation respectively.
Chris Goettl, product manager at Ivanti, recommends giving CVE-2017-11827 and CVE-2017-11848 an extra hard look as these affect IE and Edge.
“CVE-2017-11827 affects both IE and Edge. This vulnerability could be used in a phishing email or an exploiting website to convince a user to open a malicious attachment or content. Once exploited the attacker would gain equal rights to the current user. If the user is a full administrator the attacker would gain control of the affected system. The second vulnerability (CVE-2017-11848) is an information disclosure vulnerability in Internet Explorer that could allow an attacker to track the navigation of the user leaving a maliciously crafted page,” he said.