December Patches: A quiet end to the year?

December Patches: A quiet end to the year?

December Patches: A quiet end to the year?

Looks like the hackers may have been too busy preparing for the holidays to develop exploits this month. December’s patch Tuesday brings us one of the lightest CVE counts of the year, with the total count from Microsoft at 34, none of which are known to be exploited.

Microsoft browsers are still the hot topic, with 18 critical CVEs referencing scripting engine vulnerabilities. Although none are known to be exploited, we would take this opportunity to stay ahead of the curve and make sure all user-facing workstations are covered. Even if most users prefer Chrome!

With less to patch than usual, now is also the time to start preparing for 2018 EOL products. Microsoft has detailed all of the products reaching end of support here, so make sure your desktop management team has a plan to migrate from any systems losing support in the new year. Most notably, Windows 10 1607 is tentatively scheduled to retire in March 2018, while version 1703 is set for September 2018.

This Month’s Top 3

CVE-2017-11927 – Microsoft Windows Information Disclosure Vulnerability

An old vulnerability addressed in 2005 is coming back into circulation again – the InfoTech Storage Format (ITS) used in CHM files. This patch resolves an information disclosure vulnerability in the Windows its:// protocol handler. According to the Zero Day Initiative, Internet Explorer uses a few different ITS protocol handlers to access components inside CHM files.  Although a patch released in 2005 “blocked” the ability to access remote content using ITS outside of the Local Machine Zone, it looks like this bug has taken over 10 years to find a way around that. Successful attackers can trick users into browsing to a malicious website or SMB destination, leak information on the user’s NTLM hash and ultimately attempt a brute-force attack to obtain the corresponding password.

The first priority here should be to patch, but followed closely by ensuring you have an adequate network intrusion detection system (NIDS) to monitor malicious activity.

CVE-2017-11899 – Microsoft Windows Security Feature Bypass Vulnerability

This is seemingly a repeat of last month’s “Device Guard Security Feature Bypass Vulnerability” whereby an untrusted file could be masked as validated. As Device Guard relies on a valid signature to determine the credibility of a file, attackers could execute malicious files as trusted, duping the unwitting target who may open it.

The Zero Day initiative notes that while both November’s and this month’s bug were uncovered by the same researcher, it is unknown if this is the result of an incomplete patch or two separate issues.

CVE-2017-11932 | Microsoft Exchange Spoofing Vulnerability

According to Microsoft, a spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information; redirect to a malicious website that could spoof content; or be used as a pivot to chain an attack with other vulnerabilities in web services.

Like a lot of other vulnerabilities, this exploit requires user co-operation. An attacker could send a specially crafted email containing a malicious link to a user. Don’t forget, an attacker could also use a chat client to social engineer a user into clicking the malicious link, so make sure users are as vigilant with chats as are they are with email!


Although 2017 draws to a close with few desktop patches to worry about, spare a thought for the server administrators across the world who are likely sweating at the thought of updating all of their Exchange servers this month – yes, a restart is mandatory! Careful consideration and planning, as always, is key.

Our recommendation is to get your house in order sooner rather than later. Prevention is better than cure and this year has proven that the worst threats come with very little notice. So make sure you know exactly what your server estate looks like, you have network access and the right administrator privileges to patch any server at the drop of a hat. Then hopefully sit back and enjoy the holiday season…

Leave a Reply

Your email address will not be published. Required fields are marked *