It’s the second Tuesday of the month, and you know
what that means… Yep, it’s time for another bundle of essential security
updates from Microsoft.
For its final scheduled batch of updates for 2017,
Microsoft has released fixes for over 30 security vulnerabilities in its
software, impacting users of the likes of Microsoft Windows, Microsoft Office,
Exchange Server, Microsoft Edge, and the malware protection engine built into
security products such as Windows Defender.
Those fixes for Microsoft’s Malware Protection Engine
are particularly interesting, as the security holes they patch were reported by
the National Cyber Security Centre (NCSC), part of the UK’s intelligence agency
GCHQ.
NCSC’s researchers found two critical remote code execution flaws in Microsoft’s
anti-malware code, triggered when the engine scans a specially crafted file. Because
the engine scans files automatically as they arrive (a download, an email attachment,
a file written to disk) and runs with LocalSystem privileges, a successful exploit
needs no user interaction and hands the attacker full control of the targeted system.
Both flaws were fixed in out-of-band updates earlier this month, and because the
engine updates itself through the same channel as signature updates, Windows users
should already have received the fixed engine automatically. Still, Microsoft was
probably right to be cautious and list the fixes again in this regular round-up of patches.
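“Should already have received” is not the same as “has received”, so it is worth checking. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the engine version that Windows Defender reports via the `Get-MpComputerStatus` cmdlet (part of the Defender module on Windows 8 / Server 2012 and later) and compares it with a minimum version you supply. The version string used in the usage line at the bottom is an assumption for illustration; take the real value from Microsoft’s advisory for the engine fix.

```powershell
function Test-MpEngineVersion {
    [CmdletBinding()]
    param(
        # Lowest engine version that contains the fix. Take this from the vendor
        # advisory; the value passed in the usage example below is an assumption.
        [Parameter(Mandatory = $true)]
        [version]$MinimumEngineVersion
    )

    # Get-MpComputerStatus fails on hosts without Defender (or with the
    # module missing); report that rather than silently returning nothing.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        Write-Warning "$($env:COMPUTERNAME): could not query Defender status: $($_.Exception.Message)"
        return $null
    }

    # AMEngineVersion is the Malware Protection Engine (mpengine.dll) version,
    # distinct from the signature version and the product version.
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        MinimumRequired    = $MinimumEngineVersion
        EnginePatched      = ($engine -ge $MinimumEngineVersion)
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAge       = (Get-Date) - $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
    }
}

# Usage (the version below is a placeholder assumption, not a value from the article):
Test-MpEngineVersion -MinimumEngineVersion '1.1.14405.2' | Format-List
```

To sweep a fleet rather than one host, the function body can be shipped through `Invoke-Command` with `-ComputerName` pointing at a list of hosts and `-ScriptBlock ${function:Test-MpEngineVersion}`, passing the minimum version via `-ArgumentList`; any host returning `EnginePatched = False`, or a signature age of more than a day or two, is one where the automatic engine update did not land and needs attention.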
Among the other critical flaws patched this month is a memory corruption vulnerability
in the Edge browser:
“An attacker who successfully exploited the
vulnerability could gain the same user rights as the current user. If the
current user is logged on with administrative user rights, an attacker could
take control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user rights.”
Although details of the Edge vulnerability have not
been publicly disclosed, and there have been no sightings (to date) of
attacks exploiting it, Microsoft’s Exploitability Index rates it as “Exploitation
More Likely”, so it belongs near the top of the list rather than the bottom.
And it’s not just Microsoft customers who will be ensuring
that their software is up-to-date. Flash Player users would also be sensible to
update their systems, after Adobe released version 28.0.0.126 for the Windows,
Macintosh, Linux and Chrome OS platforms.
In a security bulletin,
Adobe detailed its latest security update, which contains a single bug
fix and does not appear to address anything more serious than a moderate-severity issue.
Your experience may differ, but I’ve found it quite
easy in recent years to live without Adobe Flash Player on my computer. If
you’re not quite ready to desert Flash entirely and uninstall it, you may want
to consider enabling a browser security feature called “Click to Play.”
“Click to Play” reduces your attack surface by
telling your browser not to load Flash content until you have explicitly allowed
it. In other words, a maliciously coded Flash file will not execute merely because
you visited a poisoned webpage; it runs only if you give it the green light. The
caveat is that the protection is only as good as the click: a page that tricks the
user into activating a Flash object still gets its code run, so Click to Play blunts
drive-by attacks but not social engineering.
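Individual users can flip the setting in their browser’s preferences, but on managed Windows machines it is better enforced as policy so a user cannot quietly switch it back. The PowerShell below is an added example, not code from the article or any vendor: it writes the machine-wide policy values for Chrome (`DefaultPluginsSetting`, where 3 means “click to play”) and for Edge on Windows 10 (`FlashClickToRun`, where 1 requires a click), then reads them back so you can verify. The registry paths and values are the policy locations as I understand them and should be checked against the vendors’ policy documentation before deployment; the script must be run from an elevated prompt.

```powershell
# Policy entries for Flash click-to-play. Paths/values are assumptions to verify
# against Chrome and Edge policy documentation before rolling out.
$FlashClickToPlayPolicies = @(
    # Chrome: 1 = allow all plugins, 2 = block all, 3 = ask ("Click to play")
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                    Name = 'DefaultPluginsSetting'; Value = 3 },
    # Edge (Windows 10 1703 and later): 1 = require a click before Flash runs
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security'; Name = 'FlashClickToRun';       Value = 1 }
)

function Set-FlashClickToPlayPolicy {
    # Supports -WhatIf so the change can be dry-run before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($p in $FlashClickToPlayPolicies) {
        $target = "$($p.Path)\$($p.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $($p.Value)")) {
            # Policy keys do not exist until a policy has been set, so create them.
            if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-FlashClickToPlayPolicy {
    # Report current versus expected value for each policy entry.
    foreach ($p in $FlashClickToPlayPolicies) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Policy    = "$($p.Path)\$($p.Name)"
            Current   = $current
            Expected  = $p.Value
            Compliant = ($current -eq $p.Value)
        }
    }
}

Set-FlashClickToPlayPolicy -WhatIf   # dry run: shows what would change
Set-FlashClickToPlayPolicy           # apply (elevated prompt required)
Get-FlashClickToPlayPolicy | Format-Table -AutoSize
```

Browsers read these policy keys on start-up, so expect the change to take effect after a restart of the browser rather than immediately. Firefox of this era has no equivalent registry policy; its click-to-play state for Flash lives in the `plugin.state.flash` preference (1 = “Ask to Activate”), which an administrator can lock through a `mozilla.cfg` autoconfig file instead.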
The important thing is, of course, not to turn a
blind eye to security updates – whichever of your software vendors they come
from. Increasingly, software can be automatically updated, reducing the window
of opportunity for hackers to exploit newly-discovered flaws – although many
companies still prefer to stagger the roll-out of a patch across their
enterprise until they feel confident that it won’t cause more problems than it
was designed to fix.