Microsoft November update patches 20 critical vulnerabilities

Microsoft’s Patch Tuesday has come once again, and as is often the case, vital fixes for various vulnerabilities were released. In total there were 53 vulnerabilities, and of these exploits, 20 of them were rated “critical” on the Common Vulnerability Scoring System (CVSS) scale. In general, the primary issue found among the patched vulnerabilities was that of remote code execution — and it’s not the first time Microsoft has patched this kind of vulnerability. There were other issues as well, however, and some of the most critical will be extrapolated on. Here’s a closer look at what’s in the Microsoft November update.

A chunk of noteworthy exploits (CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700) were identified as being particularly dangerous by various security researchers. While the vulnerabilities in question have not been shown to be utilized in the wild, at least currently, there is still a great risk.

CVE-2017-11848 is exploitable due to an “information disclosure vulnerability” that exists within Internet Explorer. The vulnerability is able to be seized upon by hackers to closely monitor the web activity of their potential victims. As a result of this, a threat actor can “host a specially crafted website” and also force “compromised” websites to “contain specially crafted content that could exploit the vulnerability.” This would allow for logging sensitive data of various users.

CVE-2017-11827 is a remote code execution vulnerability that exploits how Microsoft browsers access objects in memory. The situation created by this vulnerability allows for hackers to utilize code to hijack user privileges. If the user is in administrative mode, the hacker can seize full control (just another reason for users to avoid logging in as admins on a regular basis).

CVE-2017-11883 is a denial-of-service vulnerability that can be executed remotely without any authentication. The DoS attack would specifically target web requests that are improperly dealt with by ASP.NET Core. All the hacker would have to do is craft packets and send them to the .NET Core application.

CVE-2017-8700 also involves ASP.NET Core, specifically, “an information disclosure vulnerability... that allows bypassing Cross-origin Resource Sharing (CORS) configurations.” The vulnerability allows an attacker to access content that is usually protected via restrictions in web applications.

These are only four of the 20 most critical vulnerabilities addressed in the Microsoft November update, but the hope is that common themes (especially remote access and sensitive data stealing) are recognized as reasons to patch. The sheer number of remote code execution vulnerabilities is alarming and a call to action for implementing these patches as soon as possible. For a full rundown of many of the critical vulnerabilities, Kaspersky Lab’s Threatpost has a thorough article on the subject.

Get to patching!

Photo credit: Flickr / KestelMultimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Android Q beta: Everything businesses and IT admins need to know

A new Android operating system — Android Q — has been unveiled in beta version, and it has a lot…

12 mins ago

Google adds better protection against man-in-the-middle attacks

Google is ramping up its security protections to better ward off man-in-the-middle attacks, which have caused extreme damage over the…

2 hours ago

‘Sea Turtle’ DNS hijacking attacks believed to be state-sponsored

A DNS hijacking campaign hitting governments and agencies in the Middle East and North Africa is believed to be the…

4 days ago

Top 9 cybersecurity startups to keep an eye on in 2019

Cybersecurity is one of the most heavily invested areas every year. Here are nine cybersecurity startups that are attracting the…

4 days ago

Is faxing still a viable mode of business communication? Oh, yeah!

Think the annoying squelch of a fax machine is an extinct sound from the past? Think again. For many businesses,…

4 days ago

Static IP address vs. dynamic IP address: Which is better for business?

While most businesses and home users can do quite well with a dynamic IP address, there are times you should…

5 days ago