December's Patch Tuesday is only a small flurry of updates. Microsoft's total is 32 unique CVEs, and none of them are listed as Exploited or Publicly Disclosed at this time. Adobe has an update for Flash Player resolving one Moderate CVE. Adobe still rates it as a Priority 2 update, while Microsoft classifies the corresponding Flash update for IE as Critical, so treat it accordingly.
Be sure to check out all of Ivanti's patch products.
‘Tis the season for End of Life concerns. Start your 2018 planning off right and review which products are going to reach EoL in 2018. Windows 10 1607 is tentatively scheduled for March 2018 and 1703 is tentatively set for September 2018. Microsoft also has its “Products Reaching End of Support for 2018” post outlining all products set for EoL or transitioning from Mainstream to Extended Support.
The Office update this month includes a vulnerability in Excel that could allow Remote Code Execution. CVE-2017-11935 is a vulnerability in how Microsoft Office handles objects in memory. An attacker could create a specially crafted file that, when opened, performs actions in the context of the current user. This is a case where proper privilege management would limit the impact if exploited: code running as a standard user cannot do what it could as a local administrator. The attack could arrive as an email attachment, or as specially crafted content hosted on a website, and in either case the attacker has to convince a user to open the file. Depending on your source, open rates for phishing attempts are still around 30% and click rates around 12%, so a user-targeted exploit like this is a reliable option for an attacker.
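As an added example (not part of the Ivanti post), here is a PowerShell check for the privilege-management point above: it reports whether UAC is enabled and lists any members of the local Administrators group that are not on an allow-list, since those are the users for whom an Excel file opened from an attachment would run with administrative rights. It assumes Windows 10 / Server 2016 (the LocalAccounts module), an elevated session, and an allow-list of your own; the `$AllowedAdmins` entries below are placeholders.

```powershell
# Added example, not from the original post. Audits two things that decide how bad
# a crafted-file exploit running "in the context of the current user" would be:
# whether UAC is on, and who is actually a local administrator.
# Requires Windows 10 / Server 2016 (Get-LocalGroupMember) and an elevated prompt.

# Assumed allow-list of principals that are expected to be local admins; adjust.
$AllowedAdmins = @('Administrator', 'Domain Admins')

# 1. UAC state. EnableLUA = 0 means administrators log on with a full token,
#    so anything the user opens runs fully elevated with no prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA is not 1); admin sessions are not split-token.'
} else {
    Write-Output "UAC enabled; ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin)"
}

# 2. Local Administrators membership. Names come back as COMPUTER\user or
#    DOMAIN\group, so compare only the part after the backslash.
$unexpected = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $AllowedAdmins }

if ($unexpected) {
    Write-Warning 'Unexpected local administrators (candidates for demotion to standard user):'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group contains only allow-listed principals.'
}
```

Run it across a fleet through your endpoint management tool and the output tells you which machines would turn a single opened attachment into a full-privilege compromise rather than a user-level one.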
Most of the December vulnerabilities are in the Microsoft browsers this month, so make the IE and Edge browser updates a high priority. The Office update is also of concern, but don’t ignore the Exchange and SharePoint updates for too long. This month’s Exchange update impacts OWA and includes one CVE that is more complex to exploit on its own but could be chained with other CVEs as a pivot in a larger attack. SharePoint also includes one CVE: a Cross-Site Scripting flaw that could lead to an elevation of privilege.