Microsoft fixed 81 vulnerabilities in its security update round this month, 27 of which were labelled “critical” and one zero-day which is under active attack.
CVE-2017-8759 is only rated “important”, but the .NET remote code execution flaw is listed as being exploited in the wild, allowing attackers to take control of an affected system.
“This implies a successful exploit will be executing with elevated privileges. However, since the severity is set to Important, it indicates user interaction is involved here – likely opening an Office document or PDF file,” explained Dustin Childs, of Trend Micro’s Zero Day Initiative (ZDI).
“Another vector would involve executing a malicious application as a low-privileged user. Either way, this patch should be your top priority this month since .NET is deployed just about everywhere, and it’s already being exploited – just likely in a limited fashion.”
The ZDI also flagged CVE-2017-8628, also known as “BlueBorne”, a critical Bluetooth driver spoofing vulnerability which could allow a hacker to perform a man-in-the-middle attack on vulnerable Bluetooth stacks.
It also warned users to urgently patch CVE-2017-0161, a NetBIOS RCE bug, and CVE-2017-9417, a BroadPwn vulnerability in the HoloLens headset which is rated “important” but was publicly known prior to release.
It’s joined by two previously public vulnerabilities: important-rated Device Guard bug CVE-2017-8746 – which could allow an attacker to inject malicious code into a Windows PowerShell session – and “Moderate” Microsoft Edge security feature bypass flaw CVE-2017-8723.
“For users of Microsoft’s DHCP server, priority should also be given to CVE-2017-8686, especially if using failover mode, due to another potential RCE,” explained Qualys director of product management, Jimmy Graham.
“Out of the 26 vulnerabilities that are both Critical and RCE, 22 of them impact Microsoft’s browsers. Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser.”
Also on Tuesday, Adobe released patches for five critical vulnerabilities; two of which addressed Flash issues and the remainder covering RoboHelp and ColdFusion.