Patching in October: Trick or treat?

Patching in October: Trick or treat?

Patching in October: Trick or treat?

October’s security updates are now released, but are they tricks or treats? Well, it depends on how prepared your platform is!

Microsoft released a fairly large number of security patches this month, 62 in total spanning across Windows, Skype for Business, Edge and most notably, Office. Four of these were publicly known before patches were released, and one is known to be exploited. Surprisingly, Adobe have given us a break this month with no security updates released.

The vulnerabilities we found particularly interesting this month are below…

CVE-2017-11826 – Microsoft Office Memory Corruption Vulnerability

As the only CVE flagged as being under attack, we are zoning in on this critical Microsoft Word vulnerability. According to Microsoft, a remote code execution vulnerability exists in Office when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user.

This is where firms with relaxed administrator controls are going to be caught out. If you haven’t been paying attention to our previous blogs, let this be a gentle reminder to review and control the admin rights across your PCs!

Exploitation of this vulnerability does require the user to open a specially crafted office document. So if your users really do need those admin rights, make sure they are on high alert for suspicious emails and cryptic attachments!

CVE-2017-14491: Heap overflow in the code responsible for building DNS replies

Although we usually stick to Windows based vulnerabilities, we couldn’t skip this Linux based exposure given it’s relevance and criticality to our customers.

Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. It is widely used on the open internet but also internally in private networks. According to Red Hat, this is the worst vulnerability released recently, and the only one that affects all versions of dnsmasq. To trigger the flaw, an attacker would need to control a malicious domain and send DNS requests to dnsmasq that would cause it to cache replies from that domain.  According to Arista, by carefully constructing DNS requests and responses, an attacker could create a denial of service or an out of memory situation.

Although only released on 2nd October, Options has confirmed 100% coverage against this vulnerability on all of our affected devices globally.

CVE-2017-11771 | Windows Search Remote Code Execution Vulnerability

According to Microsoft, a remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploits this vulnerability could take control of the affected system. By taking control, an attacker could copy, delete or modify sensitive files, install programs or create new users with full user rights.

Although this vulnerability was not publicly known, nor exploited, our contacts at Microsoft have advised that exploitation is more than likely.

Conclusion

With Halloween just around the corner, we’re following the rules to ensure everything scary is kept away from our platform!

Our desktop and server management team has already started patching, but we are taking (necessary) extra precautions by reviewing our administrator groups and monitoring our mail gateways to catch malicious mails before they get to the user.

As patching only covers us for the known vulnerabilities, taking these steps (and more) helps us drastically reduce the damage done if anything is exposed, provided vendors haven’t already addressed them.

Leave a Reply

Your email address will not be published. Required fields are marked *