No fewer than 25 flaws allow for Remote Code Execution

Nov 15, 2017 06:30 GMT

Microsoft’s November 2017 Patch Tuesday rollout brought fixes for a total of 53 security vulnerabilities, of which no fewer than 23 allowed for Remote Code Execution.

What’s important, however, is that this month brought no critical updates for Windows, though there are four different vulnerabilities that have public exploits.

Browsers received particular attention this month, with both Internet Explorer and Microsoft Edge getting important security fixes, but the software giant says no attacks have been reported so far.

First and foremost, there’s CVE-2017-11882, which Microsoft lists as an Important vulnerability, but the company admits that proof-of-concept code could be available, meaning that Office users should deploy the patch as soon as possible.

Then, there’s a scripting engine flaw in both Microsoft Edge and Internet Explorer, and this could allow attackers to obtain the same rights as the logged-in user when a malicious website is loaded in one of the two browsers. Such flaws are documented in CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873.

Cumulative updates for Windows 10

Gill Langston of Qualys recommends that IT admins pay particular attention to the Windows updates fixing CVE-2017-11830 and CVE-2017-11847, as they appear to be the two Windows vulnerabilities worth prioritizing because they address security feature bypass and privilege elevation flaws, respectively. Again, both patches are listed as Important.

Windows 10 systems have also received a bunch of cumulative updates depending on the version they’re running, and all these security vulnerabilities should be fixed after installing them. Windows 10 Fall Creators Update, which is currently being rolled out to devices across the world, has thus experienced the first Patch Tuesday, with the installation of cumulative updates running smoothly and no issues reported whatsoever.

As usual, it’s worth mentioning that these updates require reboots, and in large networks where mass deployment is necessary, work needs to be saved before beginning the install. Also, there are no reports of botched updates so far.