October Patch Tuesday: 28 Critical Microsoft Vulnerabilities
Last updated on: October 27, 2022
Today Microsoft released patches covering 62 vulnerabilities as part of October’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in Microsoft Office is being actively exploited in the wild.
Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as “Important” and is actively being exploited in the wild.
Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.
Also of note are two vulnerabilities in the Windows font library, CVE-2017-11762 and CVE-2017-11763, that can be exploited through a browser or malicious file, as well as a vulnerability in DNSAPI, CVE-2017-11779, that could allow a malicious DNS server to execute code on a client system.
A vulnerability in certain TPM chips is addressed by ADV170012. This vulnerability is in the TPM chip itself, and not in Windows, but could result in weak cryptographic keys. These keys are used for BitLocker, Biometric auth, and other areas of Windows. The updates provide a workaround for the weak keys leveraging additional logging and an option to use software-derived keys. Full remediation requires a firmware update from the device manufacturer.
As with several recent Patch Tuesdays, the majority of the vulnerabilities in this month’s release involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser.
Adobe has not released any security patches for this Patch Tuesday.
Thoughts on CVE-2017-11780, SMBv1 Remote Code Execution Vulnerability? Given previous SMBv1 attacks I would have thought for sure it would garner a mention as a top priority unless I am missing something.
Re: SMBv1 attacks. I have SMBv1 devices (IoT consumer stuff, like BR players, TV and a home-theater sound processor) around my house, but they are all on wired, private subnets (192.168…etc), I haven’t *ever* felt it safe to put MSWin computers serving files, directly on the internet — for that matter I don’t even put MSWin computers on the net but run a linux server @ home to provide outside access to my Winboxes. Interestingly all of these devices are setup to be able to access the internet, but all do so through a proxy on the linbox.
Unless I’m missing something I doubt many people would have any Win file services exposed — especially after the various Wannacry and Petya outbreaks, so I’m guessing the bug is lower priority because it’s not likely to be hitting too many exposed machines, but that’s just a guess.