Another banner Patch Tuesday, with a Word zero-day and several bugs

Credit to Author: Woody Leonhard | Date: Tue, 10 Oct 2017 13:28:00 -0700

It’s going to be a banner patching month. I count 151 separate security patches and 48 Knowledge Base articles, as well as the odd Security Advisory.

The Windows patch Release Notes point to four known bugs:

The cumulative update for Win10 Creators Update, version 1703 — which sports dozens of fixes — has a couple of problems: Systems with support enabled for USB Type-C Connector System Software Interface (UCSI) may experience a blue screen or stop responding with a black screen when a system shutdown is initiated, and it may change Czech and Arabic languages to English for Microsoft Edge and other applications.

The cumulative update for Win10 Anniversary Update, version 1607, has a handful of problems: Downloading updates using express installation files may fail after installing a delta update package; the KB numbers appear twice under Installed Updates; and package users may see an error dialog that indicates that an application exception has occurred when closing some applications.

The cumulative update for the original version of Win10, usually called 1507, has a similar problem: Package users may see an error dialog that indicates that an application exception has occurred when closing some applications. Apparently this fix is only for the LTSC version.

The Monthly Rollup for Win7 also has an acknowledged bug: an error dialog that indicates that an application exception has occurred when closing some applications.

Martin Brinkmann has his usual exhaustive list on ghacks:

Windows 7: 20 vulnerabilities of which 5 are rated critical, 15 important

Windows 8.1: 23 vulnerabilities of which 6 are rated critical, 17 important

Windows 10 version 1607: 29 vulnerabilities, 6 critical, 23 important

Windows 10 version 1703: 29 vulnerabilities of which 6 are rated critical, 23 important

SANS Internet Storm Center has released its list — as has the Zero Day Initiative.

There are some worrisome exposures that we’ll be following closely:

CVE-2017-11779 — a major problem with DNS security, but it’s only a problem if your DNS server has been overtaken. Nick Freeman at Bishop Fox notes:

if an attacker controls your DNS server (e.g., through a man-in-the-middle attack or a malicious coffee-shop hotspot) — they can gain access to your system. This doesn’t only affect web browsers — your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.

Sounds grisly, but Microsoft says the flaw hasn’t been exploited, and rates it as “Exploitation less likely.” If somebody can hijack your DNS server, you’re in a world of hurt anyway.

CVE-2017-11826 — a known, and exploited, zero-day attack in Word, discovered by Qihoo 360. It’s another attack that relies on disguising an RTF file as a Word DOC or DOCX, then using the good services of Word (or its Viewer) to pounce on your machine. The Microsoft security advisory says it’s been fixed this month in all versions of Word, the Word Viewer and the Office Compatibility Pack. 
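A defender-side triage check for the disguise described above, added here as an example (it is not from the article, Qihoo 360 or Microsoft): it walks a folder, such as a mail-attachment quarantine, and reports files named .doc or .docx whose leading bytes are RTF. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Leading bytes of each container; "{\rt" is matched loosely so a truncated header still counts.
SIGNATURES = (
    (b"{\\rt", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy binary .doc
    (b"PK\x03\x04", "zip"),                          # .docx is a ZIP container
)


def sniff(path):
    """Return the container type implied by the file's first bytes, or 'unknown'."""
    with open(path, "rb") as fh:
        # Ignore a UTF-8 BOM or leading whitespace in front of the header.
        head = fh.read(64).lstrip(b"\xef\xbb\xbf \t\r\n")
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def find_disguised_rtf(root):
    """List files named .doc/.docx whose content is actually RTF."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext in (".doc", ".docx") and sniff(os.path.join(folder, name)) == "rtf":
                hits.append(name)
    return hits


def build_samples(root):
    """Write constructed, harmless sample files (headers only) for the demo."""
    samples = {
        "invoice.doc": b"{\\rtf1\\ansi constructed sample}",   # RTF named .doc
        "report.docx": b"\r\n{\\rtf1 constructed sample}",     # RTF named .docx
        "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8,
        "modern.docx": b"PK\x03\x04" + b"\0" * 8,
        "notes.rtf": b"{\\rtf1 constructed sample}",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(find_disguised_rtf(tmp))
```

A hit is a triage signal rather than proof of an exploit, since some tools save RTF content under a .doc name for benign reasons.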

Finally, Security Advisory ADV170012, “Vulnerability in TPM could allow Security Feature Bypass,” contains this little gotcha:

WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remediation.

ZDI goes on to explain:

The patch provided by Microsoft is only a temporary measure though, and here’s where it gets truly complicated. The TPM manufacturers need to produce a firmware update to completely resolve this, as the bug itself is present in the TPM firmware — not in Windows itself. This patch is one of several designed to offer a workaround by generating software-based keys whenever possible. Even after a vendor’s firmware update is applied, you’ll need to re-generate new keys to replace the previously generated weak ones.

This is just a stop-gap measure and still requires manual intervention. When the actual firmware updates roll out from TPM vendors, the process will need to happen all over again — except this time, new TPM firmware needs to be installed on every affected device.

Sounds like it’s going to be a woolly month.

As Computerworld’s Gregg Keizer notes, today marks the last update for the Windows 10 Fall Update (later called the November Update), version 1511. Those of you on the Long Term Servicing Channel (formerly the Long Term Servicing Branch) need not fear — 1511 will be supported forever, or at least until Oct. 14, 2025. But those of you who don’t have LTSC and its requisite Volume License with Software Assurance better move beyond 1511. Pro tip: If you’re on 1511, move to 1703 before Oct. 17, after which it’ll be much harder to avoid 1709.

Note that Microsoft has, in the past, released truly critical security patches for versions of Windows that are beyond end of life. Which is an interesting philosophical observation.

Today also memorializes the demise of Office 2007. No, you don’t need to run out and buy Office 2016 or rent Office 365. But you do need to be aware that Office 2007 is going to sprout security holes — and you won’t be getting any patches, unless Redmond relents and figures that fixing the elderly branches of the Office ecosystem is worth the time and effort.

Hit a problematic patch? Holler on the AskWoody Lounge.
