Microsoft has released 19 security fixes for flaws in key services such as Internet Explorer (IE) and Outlook, in its latest Patch Tuesday update.
The biggest fix is for a critical vulnerability in IE known to have been targeted with an advanced watering hole attack. The attack was originally spotted by security firm FireEye and is listed as being particularly dangerous because of its advanced defence-dodging powers.
Tripwire technical manager of security research and development Tyler Reguly highlighted patches for a vulnerability in Microsoft Outlook and technical issues in Windows Schannel.dll and Hyper-V Server as also being of interest.
"The more interesting patches this month are for a unique Outlook vulnerability that could allow port-scanning, a Hyper-V vulnerability that could allow Guest operating system code execution, and an X.509 issue in Schannel.dll that could allow denial of service," he said.
Reguly said other fixes are less notable and generally relate to minor flaws in the Windows operating system's less critical services.
"Also patched this month is [Windows] Graphics Device Interface (GDI), and while the bulletin wouldn't normally merit a critical rating, the vulnerability exists in a common application programming interface (API) call that may be implemented by numerous third-party products," he said.
Senior manager of security engineering at Rapid7 Ross Barrett highlighted the absence of a permanent fix for a recently discovered zero-day vulnerability in Microsoft Office as a key concern.
"There is frustration because according to the Microsoft Security Response Center blog, this round of patches does not include a fix for the recently published, exploited in the wild Office vulnerability described in Microsoft Security Advisory 2896666," he said.
Microsoft announced the Office vulnerability earlier in November and has released a temporary fix for it. The flaw is believed to have been actively targeted by hackers behind Operation Hangover.
Operation Hangover was a cyber espionage campaign uncovered in May. A full fix for the Office vulnerability is expected in Microsoft's December Patch Tuesday.