August Patch Tuesday has a lot at first glance, but this lion may be more of a lamb. There are a lot of Critical updates this month, but only two public disclosures and no known exploited. The 12 updates released by Microsoft resolve a total of 50 unique CVEs. Don’t let the 12 updates fool you, this is definitely a lighter load than the past few months. 10 of the 12 are expected as they are the OS Cumulative or Security Only Bundles and the IE Cumulative for those using the Security Bundle, and of course, Flash Player which releases nearly every Patch Tuesday. It is the last two this month that are fairly light. Office this month only covers one CVE and only for SharePoint, where previous months the Office update had affected nearly every office component across every supported version. There is a SQL update this month, which has not happened on a Patch Tuesday since November 2016.
For non-Microsoft updates, we have 4 overall from Adobe. The Flash Player update is rated as Priority 1, the other three are rated as Priority 2. The Acrobat\Reader update is a bit odd this month. 69 total CVEs resolved, 43 of which are rated as Critical CVEs yet it is still rated as a Priority 2. Compare this to the Flash update with 2 CVEs, 1 of which was Critical and the math just does not add up… Open question to Adobe on that one, but probably safer to put the Acrobat\Reader update into your Priority 1 bucket this month to be on the safe side.
Mozilla Firefox has released Firefox 55 and ESR 52. The Firefox 55 update comes with 29 CVEs fixed including 5 that are rated as Critical.
Digging into a few of the updates a little deeper:
All of the Windows OS updates this month have a public disclosure in common. CVE-2017-8633 is a vulnerability in Windows Error Reporting which could allow an Elevation of Privilege exploit. The attacker could run a specially crated application to cause an error that could allow them to elevate their privileges enough to gain access to sensitive information and system functionality. Windows 10 has an additional public disclosure (CVE-2017-8627), which is a flaw in Windows Subsystem for Linux which could allow a Denial of Service attack. By running a specially crafted file an attacker could launch a DoS attack against the local system.
The Office update this month is specific to SharePoint and resolves a single CVE. This vulnerability is a cross-site scripting vulnerability that exists when SharePoint does not properly sanitize a specially crafted web request. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint Server. This would allow the attacker to perform additional XSS attacks on affected systems and run script in the security context of the current user. The update is rated as Important due to the need for authentication and the complexity of the exploit. Running users as less than a full administrator would also mitigate the impact if the vulnerability were exploited.
The SQL update this month also resolves a single vulnerability (CVE-2017-8516), which could allow Information Disclosure. The update is rated as Important. An attacker could exploit the vulnerability in SQL Server Analysis Services if the attacker’s credentials allow access to the affected SQL server database. The updates rating is likely due to the need for DB permissions and complexity of code to be able to exploit the vulnerability.
Ivanti recommendations for this month:
Focus your immediate attention on the OS, Flash, Reader, and Browsers updates. There are a number of Critical vulnerabilities resolved here and a few Public Disclosures in the OS updates which give attackers a bit of a head start on developing an exploit. As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats. The quicker we can plug critical vulnerabilities the lower our overall risk will be.
More details will be shared during our monthly Patch Tuesday Webinar which will also share what to prioritize and the top issues to look out for.