Microsoft Office 0-day headlines Patch Tuesday, update now!

The second Tuesday of the month means it’s Microsoft’s formerly-known-as Patch Tuesday, currently-known-as Security Update Tuesday, and this month’s update patches 61 vulnerabilities in all, with 23 rated as Critical and 35 as Important. We always urge that you apply patches as soon as possible, but if that’s not convincing enough, read the details below of what’s out there in the wild.
The monthly advisory covers a number of Microsoft products, including:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Skype for Business and Lync
Chakra Core
If you can’t get to everything, or you can’t fight every battle, then what to address first? Right now there are two vulnerabilities in this month’s patch list that deserve some extra attention.
Office zero-day
A vulnerability of special interest in this month’s update is CVE-2017-11826, a remote code execution (RCE) vulnerability affecting Microsoft Office.
If an attacker can get a user to open a specially crafted Office file on a vulnerable version of Microsoft Office — perhaps by attaching it to an alluring phishing email — the attacker can run malicious code on the victim’s machine. If the user being attacked has administrative rights then the attacker has them too, giving them the power to install applications and change important data.
This vulnerability affects many versions of Microsoft Word going all the way back to the 2007 version, as well as various iterations of Office Web Apps Server, Office Word Viewer, SharePoint Enterprise Server and Word Automation Services (check out the advisory for a full list of affected products).
Microsoft says this kind of attack isn’t an if, but a when, as its exploitability assessment for this vulnerability indicates that older versions of Word and Office are already being exploited in the wild.
That said, Microsoft only rates this vulnerability as Important rather than Critical, because the latest versions of Word and Office are deemed “more likely” to be exploited but aren’t actually being exploited yet. Don’t take false comfort in that, though: Microsoft’s Exploitability Index describes “Exploitation More Likely” as follows:
…exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created.
If you can only get one fix through change control today, it seems CVE-2017-11826 is the one.
Malicious DNS
Another RCE getting some attention in this update is CVE-2017-11779, a Critical-rated vulnerability that affects the Windows DNS client (DNSAPI.dll). It can be exploited by a malicious DNS server sending specially crafted responses that can trigger the execution of arbitrary code.
This vulnerability requires an attacker to have a foothold in your DNS hierarchy. If it’s successfully exploited it could potentially hand over full system control as it allows RCE at a variety of privilege levels, including admin.
This vulnerability affects versions of Windows 8 and 10, as well as various versions of Windows Server 2012 and 2016.
Every environment is different so we’d like to know – are there other vulnerabilities in this month’s Microsoft Security Update that you’re focusing on? We’re listening, let us know in the comments.