Today’s VERT Alert addresses the Microsoft December 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-756 on Wednesday, December 13th.
In-The-Wild & Disclosed CVEs
This month, no Microsoft vulnerabilities have been publicly disclosed or are being actively exploited. There are, however, a couple of vulnerabilities that are worthy of discussion.
One of the more interesting vulnerabilities this month is the Windows RRAS Service Remote Code Execution Vulnerability. The vulnerability only affects systems running the service, which is not uncommon in small businesses. The service breaks down into two distinct services – Routing (providing software routing not unlike a typical hardware router) and Remote Access (providing VPN functionality in a Windows environment). While Microsoft has deemed this ‘Exploitation Less Likely,’ environments with RRAS deployed should take note of this vulnerability.
Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
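Because only systems running the service are affected, a first step is finding where RRAS is actually enabled. The PowerShell below is an added example, not from VERT or Microsoft; it assumes the service's short name is RemoteAccess and that remote hosts accept CIM (WinRM) queries. The function name Get-RrasExposure and the host names are hypothetical.

```powershell
# Added example: report the state of the Routing and Remote Access service
# (short name "RemoteAccess") on a list of hosts so patching can be prioritised.
function Get-RrasExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $query = @{
            ClassName   = 'Win32_Service'
            Filter      = "Name='RemoteAccess'"
            ErrorAction = 'Stop'
        }
        # Query the local machine directly; only remote hosts need WinRM.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try {
            $svc = Get-CimInstance @query
        } catch {
            # Unreachable hosts are reported, not silently skipped.
            [pscustomobject]@{ Computer = $computer; State = 'Unknown'
                               StartMode = 'Unknown'
                               Finding = "Query failed: $($_.Exception.Message)" }
            continue
        }

        if (-not $svc) {
            $state = 'Absent'; $mode = 'Absent'; $finding = 'Service not installed'
        } else {
            $state = $svc.State; $mode = $svc.StartMode
            # The service exists but is disabled on many default installs,
            # so presence alone does not mean RRAS is deployed.
            $finding = if ($svc.State -eq 'Running') { 'RRAS running: patch first' }
                       elseif ($svc.StartMode -ne 'Disabled') { 'RRAS enabled but stopped: patch' }
                       else { 'RRAS disabled' }
        }
        [pscustomobject]@{ Computer = $computer; State = $state
                           StartMode = $mode; Finding = $finding }
    }
}

# Constructed host names for illustration; replace with your own inventory.
Get-RrasExposure -ComputerName $env:COMPUTERNAME, 'vpn-gw01.example.internal' |
    Sort-Object Finding | Format-Table -AutoSize
```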
Last week, Microsoft released this CVE as an OOB update. The Microsoft Malware Protection Engine (MMPE) will automatically update within 48 hours and many people will already have this update applied. The following day a second CVE was dropped – CVE-2017-11940 – with an identical description.
Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
Other Information
In addition to the Microsoft vulnerabilities included in the December Security Guidance, a number of security advisories were also published.
Microsoft has released an update to Word that allows users to enable/disable the Dynamic Update Exchange protocol (DDE).
Microsoft has released updates for Adobe Flash. These correspond with Adobe Update APSB17-42. This includes a fix for CVE-2017-11305.