Microsoft has released security updates as part of its monthly Patch Tuesday release train, and this month, the company has patched 34 issues affecting products such as:
- Microsoft Office
- Microsoft Office Services and Web Apps
- Microsoft Exchange Server
- Microsoft Malware Protection Engine
- Internet Explorer
- Microsoft Edge
- ChakraCore
None of the security issues Microsoft fixed this month were publicly disclosed or exploited in real-world attacks before updates were released earlier today.
Of all the bugs, two remote code execution bugs in the Microsoft Malware Protection Engine stand out: CVE-2017-11937 and CVE-2017-11940.
Both issues were reported by the UK National Cyber Security Centre (NCSC), a branch of the UK Government Communications Headquarters (GCHQ), the country's official intelligence and security agency.
Bleeping Computer ran an article on one of the issues last week when Microsoft shipped an out-of-band update to fix the bug, which is now also included as part of the December 2017 Patch Tuesday.
Adobe fixes one Flash Player bug
As usual, the Microsoft Patch Tuesday security updates also include Adobe Flash Player fixes. Earlier today, Adobe issued its own Patch Tuesday security bulletin, which this month included only one bugfix for Adobe Flash Player.
Adobe said Flash Player 28.0.0.126 "addresses a regression that could lead to the unintended reset of the global settings preference file." The bug is classified as a moderate severity issue, and by no means an immediate danger to users.
Below is a table listing all the security issues fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.
If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.
Tag | CVE ID | CVE Title |
---|---|---|
Microsoft Office | ADV170021 | Microsoft Office Defense in Depth Update |
Adobe Flash Player | ADV170022 | December 2017 Flash Security Update |
Microsoft Exchange Server | ADV170023 | Microsoft Exchange Defense in Depth Update |
Device Guard | CVE-2017-11899 | Microsoft Windows Security Feature Bypass Vulnerability |
Microsoft Edge | CVE-2017-11888 | Microsoft Edge Memory Corruption Vulnerability |
Microsoft Exchange Server | CVE-2017-11932 | Microsoft Exchange Spoofing Vulnerability |
Microsoft Malware Protection Engine | CVE-2017-11940 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability |
Microsoft Malware Protection Engine | CVE-2017-11937 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability |
Microsoft Office | CVE-2017-11939 | Microsoft Office Information Disclosure Vulnerability |
Microsoft Office | CVE-2017-11936 | Microsoft SharePoint Elevation of Privilege Vulnerability |
Microsoft Office | CVE-2017-11935 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2017-11934 | Microsoft PowerPoint Information Disclosure Vulnerability |
Microsoft Scripting Engine | CVE-2017-11886 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11905 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11907 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11916 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11894 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11887 | Scripting Engine Information Disclosure Vulnerability |
Microsoft Scripting Engine | CVE-2017-11919 | Scripting Engine Information Disclosure Vulnerability |
Microsoft Scripting Engine | CVE-2017-11903 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11901 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11908 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11906 | Scripting Engine Information Disclosure Vulnerability |
Microsoft Scripting Engine | CVE-2017-11890 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11889 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11895 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11893 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11909 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11914 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11918 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11930 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11913 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11910 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11911 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2017-11912 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Windows | CVE-2017-11885 | Windows RRAS Service Remote Code Execution Vulnerability |
Microsoft Windows | CVE-2017-11927 | Microsoft Windows Information Disclosure Vulnerability |
Comments
Occasional - 6 years ago
Always helpful reminder about Patch Tuesday, from BC. Thanks for the component breakdown table, and the general review.