MICROSOFT'S LATEST PATCH TUESDAY includes fixes for 48 vulnerabilities across six products. However, this has been overshadowed by Adobe, which has patched 67 flaws, 43 of which are labelled 'critical'.
At the top of Microsoft's fix list is one for a Windows Search remote code execution flaw that could be exploited by the same security flaw in SMBv1 used in the explosive propagation of May's WannaCry ransomware. Saying that, any organisation that hasn't already rigorously applied the security fix for the SMBv1 flaw probably deserves everything that's coming to it.
However, many of the Microsoft fixes are for flaws labelled as either 'critical' or 'important', meaning they should be applied as a matter of priority.
Complicating matters, according to Bobby McKeown, senior manager of engineering at Rapid7, are a number of revisions that will require the installation of particular prior patches. "[There were] a few revisions to CVE-2017-0071, CVE-2017-0228 and CVE-2017-0299 that will require the installation of July (CVE-2017-0071) and August (CVE-2017-0228 and CVE-2017-0299) patches to ensure users are fully protected," said McKeown.
The other Microsoft products receiving a slew of fixes are the web browsers Internet Explorer and Edge (obviously), SharePoint, and Microsoft's SQL Server database.
"Top priority should go to CVE-2017-8620 which is a vulnerability in Windows' search service. This can be exploited remotely via SMB and take complete control of a system, impacting both servers and workstations," said Jimmy Graham, director of product management at Qualys.
Graham added: "A large part of this release surrounds vulnerabilities involving the Scripting Engine which can impact both browsers and Microsoft Office. This should be considered a priority for workstation-type systems."
However, there is one particular outstanding issue that Microsoft hasn't fixed, suggested Rapid7's McKeown: "We were waiting to see if Microsoft would release any patches for the recently disclosed SMBLoris vulnerability, but Microsoft hasn't taken any action to address this in this round of patches."
This can no doubt be expected next month.
In terms of Adobe, it wasn't Flash that was the focus of the company's security efforts this month, but Acrobat Reader. Adobe's wedge of patches addresses only two acknowledged security flaws in Flash, with the rest focusing on Acrobat and Acrobat Reader.
"It covers 43 'critical' and 24 'important' CVEs," advised Trend Micro's Zero Day Initiative (ZDI), a program that rewards security researchers for responsible disclosure, in a blog post.
"A total of 57 of these unique CVEs were due to 65 separate bug submissions to the ZDI program. The patch mostly addresses use-after-free and memory corruption issues that could allow a remote attacker to execute their code on a target system if they can convince a user to open a maliciously crafted file." µ