It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros
Not enough? How about a few dozen PDF remote code holes?
Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.
The November Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.
Microsoft's patch dump addresses a total of 53 CVE-listed vulnerabilities, including three that have already been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and IE that lets webpages achieve remote code execution; CVE-2017-8700, a flaw in ASP.NET that lets web apps access restricted memory contents; and CVE-2017-11848, a flaw in IE that allows webpages to track users after they leave the website.
As usual, memory corruption and scripting engine flaws in IE and Edge make up the bulk of what Microsoft considers to be the highest risk flaws.
Those include a total of 17 CVE entries (CVE-2017-11837, CVE-2017-11839, CVE-2017-11841, CVE-2017-11861, CVE-2017-11862, CVE-2017-11870, CVE-2017-11836, CVE-2017-11838, CVE-2017-11840, CVE-2017-11843, CVE-2017-11846, CVE-2017-11859, CVE-2017-11871, CVE-2017-11873) described as browser scripting engine memory corruption holes that would allow attackers to execute arbitrary evil code on vulnerable PCs by crafting webpages that exploit the programming blunders.
Three other flaws, CVE-2017-11845, CVE-2017-11855, CVE-2017-11856, concern similar remote code execution holes in other components of Edge and Internet Explorer that can be exploited by malicious webpages.
A potentially dangerous flaw in Office is not getting as much attention from Microsoft, but is catching the eyes of security experts. CVE-2017-11877 is a flaw in Excel that prevents the application from properly disabling macros in spreadsheets. While it isn't labelled "critical" by Redmond, infosec researchers believe the flaw could have particularly nasty applications for targeted social engineering attacks. Once a mark is tricked into opening a booby-trapped spreadsheet, macros within can automatically run and begin the process of spying on the user, taking over the machine, and so on.
"You may think we’ve educated users enough to stop them from opening unknown documents they didn’t expect," said Trend Micro ZDI researcher Dustin Childs, "but the lure of 'executive_compesantion.xlsx' is hard to deny."
Also catching the attention of security experts is CVE-2017-11830, a flaw in Device Guard that would allow payloads from an attacker to be mistakenly validated and executed under the guise of being a trusted file on Windows.
Remote code execution vulnerabilities were also addressed in Office (CVE-2017-11884, CVE-2017-11882), and specifically in Excel (CVE-2017-11878) and Word (CVE-2017-11854); each would allow remote code execution when a user opens a maliciously crafted document file that triggers a memory corruption error in the software.
The Windows kernel has yet another elevation of privilege flaw (CVE-2017-11847) that would allow a malicious application to install, view, and alter files with kernel mode access, and four information disclosure bugs (CVE-2017-11853, CVE-2017-11849, CVE-2017-11842, CVE-2017-11851) that let dodgy apps view the contents of restricted memory addresses.
And then there's Adobe
Elsewhere, Adobe's Flash Player has once again earned its moniker of The Internet's Screen Door as the Windows, macOS and Linux versions of the browser plugin received fixes for five remote-code execution vulnerabilities.
The largest Adobe patch load, however, was reserved for Acrobat and Reader this month. The PDF readers were the subject of a whopping 62 CVE entries, most of which are remote code execution flaws triggered by opening a malformed PDF file.
Remember Shockwave Player? It got an update to fix CVE-2017-11294, a memory corruption flaw that would let a malformed Shockwave file achieve remote code execution.