• Home
  • News
  • Reviews
  • Digital technology
  • Cloud
  • Data analytics
  • Digital leaders
  • IoT
  • Opinion
  • Events
  • Resources
  • Data Strategy Spotlight
  • Newsletters
  • Sign in
  • Events
    • Follow V3 Events

      Sign up to receive email alerts about our events

      Sign up
  • Resources
    • V3resources 120x194
      Network Security Forensics For GDPR Compliance

      An effective network security forensics strategy can assist an organization in providing key compliance-related details as part of any post-incident GDPR investigation.

      Download
      V3resources 120x194
      10 ways to increase productivity with managed Office 365

      For businesses large and small, relying on a cloud-based collaboration and productivity suite such as Microsoft Office 365 is becoming the norm. Enhancing productivity in your organisation is vital to get ahead in 2017 - and using Office 365 can help, if it's used right...

      Download
      Find resources
      Search by title or subject area
      View all resources
  • Data Strategy Spotlight
  • Sign in
  •  
    •  

      You are currently accessing V3 .co.uk via your Enterprise account.

      Personalise your on site experience

      Download and use the apps

      Access your subscription from outside of the office

      Get relevant news and insight straight to your inbox

      • Sign in
     
      • Newsletters
      • Account details
      • Contact support
      • Sign out
     
  • Follow us
    • RSS
    • Twitter
    • Newsletters
    • Facebook
    • YouTube
  • Register
  • News
  • Reviews
  • Digital technology
  • Cloud
  • Data analytics
  • Digital leaders
  • IoT
  • Opinion
 
  •  

    You are currently accessing V3 .co.uk via your Enterprise account.

    Personalise your on site experience

    Download and use the apps

    Access your subscription from outside of the office

    Get relevant news and insight straight to your inbox

    • Sign in
 
    • Newsletters
    • Account details
    • Contact support
    • Sign out
 
V3.co.uk
  • Security

Microsoft Patch Tuesday weighs in at 53 while Adobe rushes out 83 patches to fix scores of 'critical' security flaws

Let's be careful out there!

Microsoft Patch Tuesday weighs in at 53 while Adobe rushes out 83 patches to fix scores of 'critical' security flaws
The briefing at the start of every episode of Hill Street Blues - always concluding with 'Let's be careful out there'
  • Graeme Burton
  • @graemeburton
  • 15 November 2017
  • Tweet  
  • Facebook  
  •  
  •  
  • Send to  
0 Comments

Microsoft and Adobe have released more than 100 patches between them to address dozens of security flaws, many of them rated ‘critical', in the latest Patch Tuesday.

Microsoft's 53 patches address 20 rated critical covering its browsers Edge and Internet Explorer, as well as Office and, obviously, various iterations of the Windows operating system. There aren't, however, any zero-day security flaws that require an urgent patch, but four of them are publicly known, but not yet exploited.

Chris Goettl, manager of product management - security at Ivanti, provider of LanDesk, described Microsoft's Patch Tuesday action as "fairly tame".

He continued: "[There are] 47 total unique vulnerabilities resolved across 11 updates. Two of these have been publicly disclosed, which means enough information has been released to the public to allow a threat actor to create an exploit or at least giving them a jump start on where to begin.

Goettl highlighted two particular vulnerabilities affecting both Internet Explorer and Edge, CVE-2017-11827 and CVE-2017-11848. 

"CVE-2017-11827 affects both IE and Edge. This vulnerability could be used in user targeted attacks, like a phishing email or exploiting a website, then convincing a user to open a malicious attachment or content.

"Once exploited the attacker would gain equal rights to the current user. If the user is a full administrator the attacker would gain control of the affected system.

"The second vulnerability (CVE-2017-11848) is an information disclosure vulnerability in Internet Explorer that could allow an attacker to track the navigation of the user leaving a maliciously crafted page," he warned.

Indeed, Greg Wiseman, a senior security researcher at security company Rapid7, pointed out that web browser issues account for two-thirds of Microsoft's patched vulnerabilities this month, with Edge out-scoring Internet Explorer two-to-one (24 to IE's 12).

He added: "No non-browser vulnerabilities are considered critical this month, but with a little bit of social engineering, an attacker could theoretically combine one of the Office-based RCE vulnerabilities, like CVE-2017-11878 or CVE-2017-11882, with a Windows kernel privilege escalation weakness, such as CVE-2017-11847, to gain complete control over a system.

"Thankfully, none of the patched vulnerabilities this time around are known to be exploited in the wild."

At least, not yet.

Adobe, meanwhile, offered up a treat of 83 patches, including five critical ones for the usually utterly secure Flash player. All five of these security flaws enable remote code execution in Adobe Flash if left unpatched.

Adobe's trove of patches also fix 62 security flaws in Acrobat and Acrobat Reader, including fixes for a plethora of remote code execution security flaws.

But that's not all!

A number of other items of Adobe software also require urgent fixes, including Photoshop, Adobe Digital Editions, Shockwave, InDesign and Connect. All have at least one flaw rated critical, so if you're running anything made by Adobe you basically need to get it patched as a matter of urgency.

Goettl also warned shoppers to be vigilante during the run-up to Christmas following the recent discovery of the KRACK vulnerability in the WPA Wifi security protocol.

"Pretty much any Wifi using the WPA or WPA2 encryption can be exploited. This means an attacker could eavesdrop on your connection and gain access to sensitive information, including username and password, credit card information, or any other personally identifiable information being transmitted over the Wifi unencrypted.

"This vulnerability was resolved in last month's Microsoft update, so be sure you have pushed out the October operating system updates.

"Also, your phones, routers, hotspots, even Wifi-enabled Internet of Things devices are likely exposed to this vulnerability [as well as] all the public Wifi networks you connect should be considered vulnerable as well.

"If you are going to do some online shopping from your phone, you may want to do it from the cellular network.

"If you do connect to a Wifi network that could be exposed make sure you only transact on sites that are encrypted (URL starts with [HTTPS://]HTTPS://) or as soon as you connect, establish a VPN connection to secure any transactions or data traffic you may be using."

In other words, let's be careful out there.

Further reading

  • Security
Patch Tuesday sees Microsoft issue fixes for 82 security flaws, including one exploited by FinFisher spyware
  • 13 Sep 2017
  • Security
Patch Tuesday: SAP publishes 27 Security Notes, including one with a 'severity rating' of 9.4
  • 12 Apr 2017
  • Security
Microsoft's March Patch Tuesday fixes nine critical security vulnerabilities
  • 15 Mar 2017
  • Operating Systems
Google security group slams Microsoft for Patch Tuesday delay
  • 20 Feb 2017
  • Operating Systems
Microsoft delays February's Patch Tuesday release
  • 15 Feb 2017
  • Security
Microsoft issues smallest ever Patch Tuesday security release
  • 11 Jan 2017
  • Tweet  
  • Facebook  
  •  
  •  
  • Send to  
  • Topics
  • Security
  • Microsoft
  • Adobe
  • Patch Tuesday
  • Internet Explorer
  • Edge
  • Chris Goettl
  • Greg Wiseman
  • Windows

V3 Latest

TSMC starts high volume production of 7nm chips
TSMC starts high volume production of 7nm chips

Claims to have "the most competitive logic density" in the industry

  • Components
  • 25 April 2018
Dell unveils Precision 5530 2-in-1 mobile workstation with Radeon Pro WX Vega M GL graphics
Dell unveils Precision 5530 2-in-1 mobile workstation with Radeon Pro WX Vega M GL graphics

Dell's high-end mobile workstations upgraded with Intel Coffee Lake CPUs

  • Hardware
  • 25 April 2018
Europol coordinates close down of 'world's biggest' DDoS-for-hire service
Europol coordinates close down of 'world's biggest' DDoS-for-hire service

Webstresser admins were also arrested in the UK, Croatia, Canada and Serbia

  • Security
  • 25 April 2018
Almost 90 per cent of UK websites suffer from 'serious' security flaws
Almost 90 per cent of UK websites suffer from 'serious' security flaws

Security firm claims that 117,638 sites out of 135,035 analysed contain serious security flaws

  • Security
  • 25 April 2018
Back to Top

Most read

Oracle: Java SE 8 business users must buy a licence from January next year
Oracle: Java SE 8 business users must buy a licence from January next year
British security start-up launches lip-sync authentication technology
British security start-up launches lip-sync authentication technology
AI could improve global stability from around 2040, claims US thinktank RAND Corporation
AI could improve global stability from around 2040, claims US thinktank RAND Corporation
Almost 90 per cent of UK websites suffer from 'serious' security flaws
Almost 90 per cent of UK websites suffer from 'serious' security flaws
How NoSQL database technology and IoT sensors are being put to work saving endangered elephants and tigers
How NoSQL database technology and IoT sensors are being put to work saving endangered elephants and tigers
  • Contact
  • Marketing solutions
  • Enterprise IT Events
  • About
  • Terms & conditions
  • Privacy policy
  • RSS
  • Twitter
  • Newsletters
  • Facebook
  • YouTube

© Incisive Business Media (IP) Limited, Published by Incisive Business Media Limited, New London House, 172 Drury Lane, London WC2B 5QR, registered in England and Wales with company registration numbers 09177174 & 09178013

Digital publisher of the year
Digital publisher of the year 2010, 2013, 2016 & 2017