{"id":9275,"date":"2017-09-13T10:30:24","date_gmt":"2017-09-13T18:30:24","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/13\/news-3048\/"},"modified":"2017-09-13T10:30:24","modified_gmt":"2017-09-13T18:30:24","slug":"news-3048","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/13\/news-3048\/","title":{"rendered":"IDG Contributor Network: September Patch Tuesday brings critical updates for Window, Edge and .NET"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/07\/windows-10-fall-creators-update-100729962-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Greg Lambert| Date: Wed, 13 Sep 2017 11:00:00 -0700<\/strong><\/p>\n<p dir=\"ltr\">September brings a relatively large patch profile for Microsoft with 76 reported vulnerabilities, three public disclosures (thank you, Google) and unfortunately one<a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\" rel=\"nofollow\"> zero day exploit<\/a>. You used to be worried about browsers and Flash, now we have a publicly exploited vulnerability for augmented reality (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Augmented_reality\" rel=\"nofollow\">AR<\/a>) with a fix for Microsoft\u2019s HoloLens headset.<\/p>\n<p dir=\"ltr\">For this September Patch Tuesday, Microsoft is only shipping security updates with patches to the following product groups:<\/p>\n<p dir=\"ltr\">Browsers (IE and Edge)<\/p>\n<p dir=\"ltr\">Windows Platforms (Desktop and Server)<\/p>\n<p dir=\"ltr\">Microsoft Office (including Web Apps), Skype for Business and Exchange Server<\/p>\n<p dir=\"ltr\">Adobe Flash Players<\/p>\n<p dir=\"ltr\">The .NET Development Framework<\/p>\n<p dir=\"ltr\">In addition to the critical updates for .NET, Windows and Adobe Flash Player this month, Microsoft has published a short list of known issues found at these knowledge base articles (<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4038792\" rel=\"nofollow\">4038792<\/a>, <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4038793\" rel=\"nofollow\">4038793<\/a>, <a href=\"https:\/\/support.microsoft.com\/help\/4011050\" rel=\"nofollow\">4011050<\/a> ). We have rated the updates to Windows, Microsoft Edge and .NET (unusually) and Adobe Player (as usual) as \u201cPatch Now\u201d updates from Microsoft.<\/p>\n<p dir=\"ltr\">For this September update from Microsoft we see a number of critical updates to IE and Edge which include:<\/p>\n<p dir=\"ltr\">Updates to Internet Explorer 11\u2019s navigation bar with search box.<\/p>\n<p dir=\"ltr\">Addressed issue in Internet Explorer where undo is broken if character conversion is canceled using IME.<\/p>\n<p dir=\"ltr\">Addressed issue in Internet Explorer where graphics render incorrectly.<\/p>\n<p dir=\"ltr\">Addressed issue in Internet Explorer where the Delete key functioned improperly.<\/p>\n<p dir=\"ltr\">Re-release of <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/3170005\" rel=\"nofollow\">MS16-087- Security update for Windows print spooler components<\/a>.<\/p>\n<p dir=\"ltr\">Security updates to Microsoft Graphics Component, Windows kernel-mode drivers, Windows shell, Microsoft Uniscribe, Microsoft Windows PDF Library, Windows TPM, Windows Hyper-V, Windows kernel, Windows DHCP Server and Internet Explorer.<\/p>\n<p dir=\"ltr\">Most notable is the re-release of<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms16-087.aspx\" rel=\"nofollow\"> MS16-087<\/a> relating to print restrictions that may lead to a remote code execution scenario. If you are unable to deploy this patch in a timely manner, you may want to review Microsoft&#8217;s instructions on mitigating this security vulnerability found<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/2307161\/point-and-print-restrictions-policies-are-ignored-in-windows-vista-sp2\" rel=\"nofollow\"> here<\/a>. As this patch release for Edge includes a fix for a publicly disclosed vulnerability in the Edge Browser, add this update to your \u201cPatch Now\u201d update plan.<\/p>\n<p dir=\"ltr\">There is a long list of bug fixes in the latest build of Windows 10 (Build 15063.608) which can be found<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4038788\/windows-10-update-kb4038788\" rel=\"nofollow\"> here<\/a>. This month\u2019s Windows 10 updates do not include any functionality changes or feature enhancements. However, there are a number of issues addressed with this latest release. For a full list of bug fixes and reported issues look<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4038788\/windows-10-update-kb4038788\" rel=\"nofollow\"> here<\/a>. After examining the changes in this latest Windows 10 build, there are a few core changes that may cause a number of compatibility issues with Microsoft Remote Access Server (<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa373643(v=vs.85).aspx\" rel=\"nofollow\">RAS<\/a>) legacy connections. IBM Rational Composer has been highlighted in our Patch Impact Assessment. Applications that depend on this legacy protocol may have connection issues. This problem will also affect Microsoft Edge users.<\/p>\n<p dir=\"ltr\">This month\u2019s Windows update includes fixes for three publicly disclosed vulnerabilities with the following details:<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8746\" rel=\"nofollow\">CVE-2017-8746<\/a> describes a security bypass vulnerability in Device Guard which could lead to an code injection scenario in PowerShell.<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-9417\" rel=\"nofollow\">CVE-2017-9417<\/a> relates to a remote code execution scenario in the Broadcom chipset in the Microsoft hololens augmented reality headset.<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8723\" rel=\"nofollow\">CVE-2017-8723<\/a> is a \u00a0vulnerability that affects both Windows 10 and Edge and has been reported as publicly exploited, potentially leading to a security bypass scenario in Microsoft Edge.<\/p>\n<p dir=\"ltr\">Microsoft has attempted to resolve up to 17 vulnerabilities, with three rated as critical, one rated as a \u201cdefense in depth\u201d advisory and the remaining issues rated as important. The three critical vulnerabilities are described as:<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8676\" rel=\"nofollow\">CVE-2017-8676<\/a>: an information disclosure vulnerability in how Office files handle GDI+ requests.<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8682\" rel=\"nofollow\">CVE-2017-8682<\/a>: a remote code execution vulnerability in the Win32k graphics driver.<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8696\" rel=\"nofollow\">CVE-2017-8696<\/a>: a remote code execution vulnerability in how Office handles graphics files and websites.<\/p>\n<p>In addition to these critical and important updates, Microsoft has published a security advisory for how Outlook handles foreign (Brazilian) fonts which can be found here<a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/ADV170015\" rel=\"nofollow\"> ADV170015<\/a>. Add these updates to your standard patch deployment effort.<\/p>\n<p dir=\"ltr\">Adobe attempts to resolve two (CVE-2017-1128, CVE-2017-11282) critical memory corruption vulnerabilities in Adobe Flash Player that if left un-patched could lead to a remote code execution scenario. Both of these severe vulnerabilities were reported by<a href=\"https:\/\/en.wikipedia.org\/wiki\/Project_Zero_(Google)\" rel=\"nofollow\"> Google Project Zero<\/a> and affect all Windows platforms and as well as all Google Chrome platforms. This is a high priority update for IE and Edge (as usual) and mid-level priority for Google Chrome. As usual, this is a \u201cPatch Now\u201d update from Microsoft.<\/p>\n<p dir=\"ltr\">Two important and one critical vulnerability in all supported versions of the Microsoft .NET development framework. The critical vulnerability \u00a0(CVE-2017-8658) deals with a memory handling vulnerability in the Chakra Core scripting system. Interestingly, Microsoft has actually published the changes (and corresponding change logs) on Github which can be found<a href=\"https:\/\/github.com\/Microsoft\/ChakraCore\/commit\/5c6fbc61ccc57826e0daaf07a71c2c536614c2ad\" rel=\"nofollow\"> here<\/a>. These changes to the .NET framework are relatively minor after the major update to .NET with the June release 4.7. With a publicly exploited vulnerability to patch, this .NET update should be considered a \u201cPatch Now\u201d update from Microsoft.<\/p>\n<p><strong>This article is published as part of the IDG Contributor Network. <a href=\"\/contributor-network\/signup.html\">Want to Join?<\/a><\/strong><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3224532\/microsoft-windows\/september-patch-tuesday-brings-critical-updates-for-window-edge-and-net.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/07\/windows-10-fall-creators-update-100729962-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Greg Lambert| Date: Wed, 13 Sep 2017 11:00:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p dir=\"ltr\">September brings a relatively large patch profile for Microsoft with 76 reported vulnerabilities, three public disclosures (thank you, Google) and unfortunately one<a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\" rel=\"nofollow\"> zero day exploit<\/a>. You used to be worried about browsers and Flash, now we have a publicly exploited vulnerability for augmented reality (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Augmented_reality\" rel=\"nofollow\">AR<\/a>) with a fix for Microsoft\u2019s HoloLens headset.<\/p>\n<p dir=\"ltr\">For this September Patch Tuesday, Microsoft is only shipping security updates with patches to the following product groups:<\/p>\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Browsers (IE and Edge)<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3224532\/microsoft-windows\/september-patch-tuesday-brings-critical-updates-for-window-edge-and-net.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11271,714,10525],"class_list":["post-9275","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-operating-systems","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9275"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9275\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9275"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}