14 DAY TRIAL // Surprising news for Microsoft watchers: this month’s Patch Tuesday rollout brings only three different updates for Windows, with the focus this time on vulnerabilities discovered in browsers.
While the December 2017 Patch Tuesday as a whole was pretty light, with only 32 vulnerabilities in Microsoft products fixed, Windows operating systems appear to no longer be at the top of the list of software getting security fixes.
No less than 19 of the fixed vulnerabilities this month were rated as critical and 24 allowed for remote code execution (RCE), which would allow attacks to get full control of an unpatched system.
There are a total of 19 critical Internet Explorer and Edge vulnerabilities that are getting fixed, and Microsoft says that users should install updates as soon as possible, as “exploitation is more likely.” On a good note, the company reveals that it’s not aware of any exploits just yet, though it’s worth knowing that with updates already available, the risk of attacks aimed at these flaws increases.
RCE vulnerability in all Windows versions
Microsoft says all Windows versions currently supported are affected by an RCE flaw in the Windows RRAS Service which could be used by a cybercriminal to get administrator rights on a target system.
“To exploit this vulnerability, an attacker would need to run a specially crafted application against an RPC server which has Routing and Remote Access enabled. Routing and Remote Access is a non-default configuration; systems without it enabled are not vulnerable,” the company states.
In this case, exploitation is less likely, though it’s worth noting that Windows 7, Windows 8.1, and Windows 10 are all affected by the vulnerability.
Microsoft has also shipped cumulative updates for Windows 10, with all versions released since July 2015 being targeted. There are only isolated reports of failed installs so far.
IT admins should keep in mind that patch deployment requires a reboot, and work needs to be saved before beginning the install.