It’s Patch Tuesday time again. Microsoft released a total of 12 new security bulletins this month, fixing a combined total of 49 separate vulnerabilities. There are eight ranked as Important, and four rated as Critical—including cumulative updates for Internet Explorer and the newer Microsoft Edge browser.
“November sees a mix of remote code execution and elevation of privilege vulnerabilities enabling an attacker to gain the same rights as the user when the victim opens specially-crafted content, such as a web page, journal file or document containing embedded fonts,” explains Adam Nowak, active lead engineer with Rapid7. “These vulnerabilities affect Internet Explorer (7 and onwards), Edge, and Windows (Vista and onwards).”
As Nowak points out, the theme this month is remote code execution. Whether or not a shared component underlies them, there are remote code execution vulnerabilities in Edge, Internet Explorer, Lync, Office, Office for Mac, Office Web Apps, Skype for Business, SharePoint Server, and every supported version of the Microsoft Windows operating system.
Chris Goettl, product manager with Shavlik, warns, “Four of the bulletins are resolving a vulnerability that has been publicly disclosed. This means that these four bulletins are at a higher risk of exploit. For these, expect that in as few as two to four weeks there could be working code exploits taking advantage of these vulnerabilities.”
In a blog post detailing the Microsoft security bulletins, Qualys CTO Wolfgang Kandek compares the cumulative updates for Internet Explorer and the Edge browser and notes the difference in security. “Edge is clearly more secure than Internet Explorer and a solid choice as your Internet Browser if your users can run all their business applications with it.”
The apparent strength of Edge matters because so much of everyday computing now runs through the cloud and the Web browser; the caveat is that Edge ships only with Windows 10, so organizations still on older Windows versions cannot simply switch. Kandek also notes that the Center for Internet Security (CIS) revised its list of 20 Critical Security Controls and added a dedicated browser/email control as priority 7, ranked ahead of the general malware defenses control at priority 8.
Adobe also released a security update for Flash Player today that addresses 17 different flaws. Goettl says to consider this update a top priority, and also stresses, “Keep in mind that with Flash Player comes additional updates. You should expect plug-in updates for Internet Explorer, Firefox and Chrome today as well. You must update the Player instance and all browser plug-ins to be fully protected from these 17 vulnerabilities.”
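The practical follow-up to both the Microsoft bulletins and the Flash advice above is verifying that a given host actually received the fixes. The PowerShell script below is an added example written for this page, not code from the article or from any of the vendors quoted. It takes the KB numbers from whichever bulletins you are tracking (the placeholder list is empty; the real IDs come from the bulletin text), checks them against what Windows reports as installed, and compares the version of every Flash Player binary it can find in the standard Macromed folders against the minimum version given in Adobe's advisory. The file locations for the ActiveX (Internet Explorer) and NPAPI (Firefox) builds are assumptions based on Adobe's usual install paths; Chrome carries its own copy of Flash and updates it through the browser, so it is deliberately out of scope here.

```powershell
# Added example: audit one Windows host for the month's Microsoft updates and
# for stale Flash Player binaries. Not from the article; KB IDs and the Flash
# version threshold are supplied by the operator from the vendor bulletins.
param(
    # Hotfix IDs to require, e.g. 'KB0000000' (placeholder: use the bulletin's IDs).
    [string[]]$RequiredKBs = @(),
    # Minimum acceptable Flash Player version, taken from Adobe's advisory.
    [version]$MinimumFlashVersion = '0.0.0.0'
)

# --- Part 1: Microsoft updates ---------------------------------------------
# Get-HotFix reads the same data as "Installed Updates"; note that it only
# lists updates delivered as Windows packages, so an Office update installed
# via MSI will not appear here and must be checked through Office itself.
$installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKBs   = @($RequiredKBs | Where-Object { $_ -notin $installedKBs })

# --- Part 2: Flash Player binaries ------------------------------------------
# Assumed standard locations (32-bit and 64-bit) for the IE ActiveX control and
# the NPAPI plug-in used by Firefox. Each build must be updated separately,
# which is the point Goettl makes about "all browser plug-ins".
$flashPatterns = @(
    "$env:WINDIR\System32\Macromed\Flash\Flash*.ocx",   # ActiveX, 64-bit IE
    "$env:WINDIR\SysWOW64\Macromed\Flash\Flash*.ocx",   # ActiveX, 32-bit IE
    "$env:WINDIR\System32\Macromed\Flash\NPSWF*.dll",   # NPAPI, 64-bit Firefox
    "$env:WINDIR\SysWOW64\Macromed\Flash\NPSWF*.dll"    # NPAPI, 32-bit Firefox
)

$flashFindings = foreach ($pattern in $flashPatterns) {
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $vi = $_.VersionInfo
        # Build a comparable [version] from the numeric parts rather than parsing
        # the FileVersion string, which Flash writes with commas ("19,0,0,0").
        $ver = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        [pscustomobject]@{
            Path     = $_.FullName
            Version  = $ver
            Outdated = ($ver -lt $MinimumFlashVersion)
        }
    }
}

# --- Report ------------------------------------------------------------------
$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    MissingKBs    = $missingKBs
    FlashBinaries = @($flashFindings)
    OutdatedFlash = @($flashFindings | Where-Object { $_.Outdated })
}

$report | Format-List
$report.FlashBinaries | Format-Table Path, Version, Outdated -AutoSize

# Non-zero exit code lets a deployment tool or scheduled job flag the host.
if ($report.MissingKBs.Count -gt 0 -or $report.OutdatedFlash.Count -gt 0) { exit 1 }
exit 0
```

Run it as an administrator, for example `.\Audit-PatchTuesday.ps1 -RequiredKBs 'KB…','KB…' -MinimumFlashVersion '19.0.0.0'` with the real identifiers substituted. A host that has no Macromed folder simply reports no Flash binaries, which is the desired state if Flash has been removed; a host that lists an NPAPI file as outdated while the ActiveX control is current is exactly the half-patched case the article warns about.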
Nowak says, “Users should be wary of untrusted sources as maliciously-crafted content could allow an attacker to remotely execute code and gain the same rights as the user. Your best protection against these threats is to patch as quickly as possible.”