October 2017 security update release
Oct 10, 2017 - "Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically..."
Oct 10, 2017 - "The October security release consists of security updates for the following software:
• Internet Explorer
• Microsoft Edge
• Microsoft Windows
• Microsoft Office and Microsoft Office Services and Web Apps
• Skype for Business and Lync
• Chakra Core ..."
"... Microsoft is working on a resolution and will provide an update in an upcoming release."
Security Update Summary
October 2017 Office Update Release
Oct 10, 2017 - "... This month, there are 26 security updates and 27 non-security updates. All of the security and non-security updates are listed in KB article 4043461."
A new version of Office 2013 Click-To-Run is available: 15.0.4971.1002
A new version of Office 2010 Click-To-Run is available: 14.0.7189.5001
Last Review: Oct 10, 2017 - Rev: 10
Oct 10, 2017 - "... Our monthly series provides you with information on Microsoft's Patch Day. It features an overview of all security and non-security updates that Microsoft released since the last Patch day in September 2017. The monthly guide lists how different versions of Windows -- client and server -- and Microsoft's browsers Edge and Internet Explorer are affected. It features links to resources, direct download links for cumulative Windows updates, new and updated security advisories, and information on how to download the updates to Windows machines...
Windows 7: 20 vulnerabilities of which 5 are rated critical, 15 important
Windows 8.1: 23 vulnerabilities of which 6 are rated critical, 17 important
Windows 10 version 1607: 29 vulnerabilities, 6 critical, 23 important
Windows 10 version 1703: 29 vulnerabilities of which 6 are rated critical, 23 important ..."
(More detail at the URL above.)
Qualys analysis: https://blog.qualys....vulnerabilities
Oct 10, 2017 - "Today Microsoft released patches covering 62 vulnerabilities as part of August’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in Microsoft Office is being actively exploited in the wild. Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as “Important” and is actively being exploited in the wild.
Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.
Also of note are two vulnerabilities in the Windows font library, CVE-2017-11762 and CVE-2017-11763, that can be exploited through a browser or malicious file, as well as a vulnerability in DNSAPI, CVE-2017-11779, that could allow a malicious DNS server to execute code on a client system.
A vulnerability in certain TPM chips is addressed by ADV170012. This vulnerability is in the TPM chip itself, and not in Windows, but could result in weak cryptographic keys. These keys are used for BitLocker, Biometric auth, and other areas of Windows. The updates provide a workaround for the weak keys leveraging additional logging and an option to use software-derived keys. Full remediation requires a firmware update from the device manufacturer.
As with several of the last Patch Tuesdays, the majority of the vulnerabilities in this month’s release involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser..."
Oct 10, 2017