Skip to content ↓ | Skip to navigation ↓

BULLETIN

CVE

Microsoft Browser – IE and Edge CVE-2017-11848, CVE-2017-11856, CVE-2017-11855, CVE-2017-11827, CVE-2017-11833, CVE-2017-11803, CVE-2017-11844, CVE-2017-11845, CVE-2017-11874, CVE-2017-11872, CVE-2017-11863
Microsoft Browser – Scripting engine CVE-2017-11834, CVE-2017-11791, CVE-2017-11839, CVE-2017-11871, CVE-2017-11870, CVE-2017-11873, CVE-2017-11838, CVE-2017-11858, CVE-2017-11836, CVE-2017-11837, CVE-2017-11866, CVE-2017-11869, CVE-2017-11840, CVE-2017-11841, CVE-2017-11843, CVE-2017-11846, CVE-2017-11861, CVE-2017-11862
APSB17-33: Adobe Flash Player CVE-2017-3112, CVE-2017-3114, CVE-2017-11213, CVE-2017-11215, CVE-2017-11225
Browsers – Chrome CVE-2017-15398, CVE-2017-15399
Microsoft Office CVE-2017-11878, CVE-2017-11877, CVE-2017-11882, CVE-2017-11854, CVE-2017-11884
Windows Kernel CVE-2017-11847, CVE-2017-11853,CVE-2017-11851,CVE-2017-11849,CVE-2017-11842
ASP.NET CVE-2017-11883, CVE-2017-11879, CVE-2017-8700
.NET Core CVE-2017-11770
Microsofts Graphics CVE-2017-11850
Microsoft Miscellaneous CVE-2017-11830, CVE-2017-11832, CVE-2017-11835, CVE-2017-11852, CVE-2017-11831, CVE-2017-11880, CVE-2017-11768, CVE-2017-11788
Microsoft Project Server CVE-2017-11876

 

The November 2017 Patch Priority Index (PPI) brings together a collection of high priority vulnerabilities that should be patched as soon as possible. The PPI this month includes vulnerabilities from Microsoft, Adobe and Chrome.

Vulnerability Highlights

Microsoft has announced two publicly disclosed vulnerabilities in its browser products. A publicly disclosed vulnerability (CVE-2017-11827) in Internet Explorer and Microsoft Edge could allow an attacker to gain access to a system with full user rights. The vulnerability exists due to the way Microsoft browsers access objects in memory.

Another publicly disclosed information disclosure vulnerability (CVE-2017-11848) exists in Internet Explorer that could allow a malicious individual to identify when a user leaves a web page.

Based on the vulnerability highlights, we recommend placing Microsoft Edge, Internet Explorer and Microsoft Scripting Engine patching at the top of your priority list for November. Following these, administrators should focus on ensuring patches are applied for Adobe Flash.

Next, users should ensure the latest patch for Chrome has been applied. The latest stable release issued on Monday, November 6, 2017, includes fixes for two vulnerabilities.

CVE-2017-15398 is a stack buffer overflow in QUIC and has been rated Critical. The patch also includes a fix for CVE-2017-15399 that resolves a Use After Free vulnerability in V8.

Up next is Microsoft Office, which includes a memory corruption vulnerability and a security feature bypass vulnerability for Excel, an Office memory corruption vulnerability, and a memory corruption vulnerability in Word.

Next, administrators should ensure that the Windows Kernel patches are applied. This month, Microsoft has fixed five vulnerabilities in the Windows Kernel, which includes four information disclosure vulnerabilities and one elevation of privilege vulnerability.

Finally this month, administrators should ensure patches are applied for the remainder of this month’s Microsoft security updates, which include:

  • Device Guard,
  • Microsoft Graphics,
  • Windows GDI,
  • Windows EOT Font Engine,
  • Windows Media Player,
  • Windows Search,
  • ASP.NET,
  • .NET, and
  • Microsoft Project Server.

To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), click here.

<!-- -->