It's September 2017, and .NET lets PDFs hijack your Windows PC
Look Microsoft, we'll stop these headlines when your stuff stops getting pwned
While much of the tech world is still fixating on Apple's $1,000 face-reading iPhone, administrators are going to be busy testing and deploying this month's Patch Tuesday load.
Microsoft, Adobe, and Google have all released patches to mark the second Tuesday of the month. The updates include fixes for Flash, Edge, Internet Explorer, and Android.
Redmond's September patch dump addresses a total of 81 CVE-listed vulnerabilities, 39 of which would allow for remote code execution. Four of the flaws are already publicly known and one has been actively exploited.
The targeted bug is CVE-2017-8759, a vulnerability in .NET framework's handling of input data. Dustin Childs of Trend Micro's Zero Day Initiative notes the vulnerability is most likely to be targeted through PDF files or other malicious document attachments.
"Another vector would involve executing a malicious application as a low-privileged user," Childs explained.
"Either way, this patch should be your top priority this month since .NET is deployed just about everywhere, and it's already being exploited – just likely in a limited fashion."
Childs notes that server admins should pay special attention to CVE-2017-0161, a NetBIOS remote code execution flaw in the Windows NetBT Session Service.
"In this scenario, one guest OS could execute code on the others if NetBIOS is enabled," he explained. "Another factor in this bug is that it's a race condition. That fact significantly lowers the reliability of any exploit that may be created."
As usual, Microsoft's Edge and Internet Explorer browsers are prime locations for security vulnerabilities. Microsoft said that 22 of the critical flaws this month are found in the browsers. They include nine memory corruption vulnerabilities in the browsers themselves and 10 in the scripting engine component.
Of the three publically disclosed flaws (not including CVE-2017-8759), one is found in Windows (CVE-2017-8746, a Device Guard security code bypass), the second is present in Edge (CVE-2017-8723, a content security policy bypass), and the third is a remote code execution vulnerability in the Hololens augmented reality gear's Broadcom chipset (CVE-2017-9417).
Also patched this month were five information disclosure and one denial of service flaws in Hyper-V, as well as two cross-site scripting bugs in SharePoint. Office will receive fixes for four memory corruption flaws and two remote code execution vulnerabilities.
Adobe plugs a pair of Flash holes
This month's Flash Player update covers two CVE-listed bugs, CVE-2017-11281 and CVE-2017-11282. Both would allow remote code execution by way of a memory corruption exploit.
Adobe has also posted an update for RoboHelp for Windows to patch a cross-site scripting vulnerability (CVE-2017-3104) and a URL redirect vulnerability (CVE-2017-3105).
Four flaws patched in ColdFusion would allow for remote code execution (CVE-2017-11283, CVE-2017-11284) and information disclosure (CVE-2017-11285, CVE-2017-11286).
Android's monthly maintenance
The September update bundle for Google's mobile OS brings with it fixes for 81 bugs in various Android components, including 21 CVE-listed flaws in Qualcomm components, 10 in MediaTek, and 8 in Broadcom.
Also patched were 11 vulnerabilities in the Android kernel, five in the system, and 24 in the media framework.
None of the Android flaws have been reported as exploited in the wild. ®