Qualys Blog


September Patch Tuesday: 27 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches

Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows. Patches covering 27 of these vulnerabilities are labeled as Critical, and 39 can result in Remote Code Execution (RCE). According to Microsoft, one critical vulnerability impacting HoloLens has a public exploit, and there are active malware campaigns exploiting a .NET vulnerability. Microsoft has also patched the BlueBorne vulnerability that could allow an attacker to perform a man-in-the-middle attack against a Windows system.

Top priority for patching should go to CVE-2017-0161, an RCE vulnerability in NetBIOS that impacts both servers and workstations. For users of Microsoft’s DHCP server, priority should also be given to CVE-2017-8686, especially if using failover mode, due to another potential RCE.

A .NET vulnerability, CVE-2017-8759, which Microsoft has ranked as “Important,” is actively being exploited in the wild to spread malware.

The Bluetooth attack vector known as BlueBorne includes a Windows vulnerability, CVE-2017-8628, which is included in this patch release and is also ranked as “Important.” This vulnerability can allow an attacker to man-in-the-middle the network connectivity of a Windows system over Bluetooth.

Out of the 26 vulnerabilities that are both Critical and RCE, 22 of them impact Microsoft’s browsers. Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be prioritized on workstation-type systems that use email and access the internet via a browser.

Adobe has also released patches covering 5 critical vulnerabilities, 2 of which are for Flash. The other patches are for Adobe ColdFusion and RoboHelp.
