|Microsoft Browser – IE and Edge||CVE-2017-11848, CVE-2017-11856, CVE-2017-11855, CVE-2017-11827, CVE-2017-11833, CVE-2017-11803, CVE-2017-11844, CVE-2017-11845, CVE-2017-11874, CVE-2017-11872, CVE-2017-11863|
|Microsoft Browser – Scripting engine||CVE-2017-11834, CVE-2017-11791, CVE-2017-11839, CVE-2017-11871, CVE-2017-11870, CVE-2017-11873, CVE-2017-11838, CVE-2017-11858, CVE-2017-11836, CVE-2017-11837, CVE-2017-11866, CVE-2017-11869, CVE-2017-11840, CVE-2017-11841, CVE-2017-11843, CVE-2017-11846, CVE-2017-11861, CVE-2017-11862|
|APSB17-33: Adobe Flash Player||CVE-2017-3112, CVE-2017-3114, CVE-2017-11213, CVE-2017-11215, CVE-2017-11225|
|Browsers – Chrome||CVE-2017-15398, CVE-2017-15399|
|Microsoft Office||CVE-2017-11878, CVE-2017-11877, CVE-2017-11882, CVE-2017-11854, CVE-2017-11884|
|Windows Kernel||CVE-2017-11847, CVE-2017-11853,CVE-2017-11851,CVE-2017-11849,CVE-2017-11842|
|ASP.NET||CVE-2017-11883, CVE-2017-11879, CVE-2017-8700|
|Microsoft Miscellaneous||CVE-2017-11830, CVE-2017-11832, CVE-2017-11835, CVE-2017-11852, CVE-2017-11831, CVE-2017-11880, CVE-2017-11768, CVE-2017-11788|
|Microsoft Project Server||CVE-2017-11876|
The November 2017 Patch Priority Index (PPI) brings together a collection of high priority vulnerabilities that should be patched as soon as possible. The PPI this month includes vulnerabilities from Microsoft, Adobe and Chrome.
Microsoft has announced two publicly disclosed vulnerabilities in its browser products. A publicly disclosed vulnerability (CVE-2017-11827) in Internet Explorer and Microsoft Edge could allow an attacker to gain access to a system with full user rights. The vulnerability exists due to the way Microsoft browsers access objects in memory.
Another publicly disclosed information disclosure vulnerability (CVE-2017-11848) exists in Internet Explorer that could allow a malicious individual to identify when a user leaves a web page.
Based on the vulnerability highlights, we recommend placing Microsoft Edge, Internet Explorer and Microsoft Scripting Engine patching at the top of your priority list for November. Following these, administrators should focus on ensuring patches are applied for Adobe Flash.
Next, users should ensure the latest patch for Chrome has been applied. The latest stable release issued on Monday, November 6, 2017, includes fixes for two vulnerabilities.
CVE-2017-15398 is a stack buffer overflow in QUIC and has been rated Critical. The patch also includes a fix for CVE-2017-15399 that resolves a Use After Free vulnerability in V8.
Up next is Microsoft Office, which includes a memory corruption vulnerability and a security feature bypass vulnerability for Excel, an Office memory corruption vulnerability, and a memory corruption vulnerability in Word.
Next, administrators should ensure that the Windows Kernel patches are applied. This month, Microsoft has fixed five vulnerabilities in the Windows Kernel, which includes four information disclosure vulnerabilities and one elevation of privilege vulnerability.
Finally this month, administrators should ensure patches are applied for the remainder of this month’s Microsoft security updates, which include:
- Device Guard,
- Microsoft Graphics,
- Windows GDI,
- Windows EOT Font Engine,
- Windows Media Player,
- Windows Search,
- .NET, and
- Microsoft Project Server.
To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), click here.