Dec 12, 2017 - "Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically..."
Release Notes - December 2017 Security Updates
Dec 12, 2017 - "The December security release consists of security updates for the following software:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Exchange Server
- Microsoft Malware Protection Engine..."
Security Update Summary
December 2017 Office Update Release
Dec 12, 2017 - "... This month, there are -9- security updates and 30 non-security updates. All of the security and non-security updates are listed in KB article 4055454*.
A new version of Office 2013 Click-To-Run is available: 15.0.4989.1000
A new version of Office 2010 Click-To-Run is available: 14.0.7191.5000 ..."
Last Updated: Dec 12, 2017
ADV170022 | December 2017 Flash Security Update
"... Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it..."
Dec 12, 2017 - "... Executive Summary:
Microsoft released security updates for all versions of Windows the company supports (client and server).
No critical updates for Windows, but for IE and Edge.
Other Microsoft products with security updates are: Microsoft Office, Microsoft Exchange Server, Microsoft Edge and Internet Explorer.
Operating System Distribution:
Windows 7: 2 vulnerabilities of which 2 are rated important
Windows 8.1: 2 vulnerabilities of which 2 are rated important
Windows 10 version 1607: 3 vulnerabilities of which 3 are rated important
Windows 10 version 1703: 3 vulnerabilities of which 3 are rated important
Windows 10 version 1709: 3 vulnerabilities of which 3 are rated important
Windows Server products:
Windows Server 2008: 2 vulnerabilities of which 2 are rated important
Windows Server 2008 R2: 2 vulnerabilities of which 2 are rated important
Windows Server 2012 and 2012 R2: 2 vulnerabilities of which 2 are rated important
Windows Server 2016: 3 vulnerabilities of which 3 are rated important
Other Microsoft Products:
Internet Explorer 11: 13 vulnerabilities, 9 critical, 4 important
Microsoft Edge: 13 vulnerabilities, 12 critical, 1 important..."
Qualys analysis: https://blog.qualys....end-to-the-year
Dec 12, 2017 - "This December Patch Tuesday is considerably lighter than last month’s patch releases. While only three of the fixes were for Windows operating system, the majority of the vulnerabilities to pay attention to are Browser/Scripting Engine based. For an overview, we show fixes for 32 unique CVEs addressed, with 19 Critical, and 24 addressing remote code execution at varying severity levels. No active exploits are listed by Microsoft again this month. From a prioritization standpoint, again we turn our focus to the browsers and the Scripting Engine Memory Corruption Vulnerabilities. We recommend prioritizing patching for user facing workstations to address the 19 Critical Internet Explorer and Edge updates released today by Microsoft, as they are listed as “Exploitation More Likely”. There are no known exploits as of yet, but this is an opportunity to remain ahead of any future exploits that may be released.
There is one Windows OS vulnerability that should be reviewed, and that is the fix for CVE-2017-1885, which is a Remote Code Execution using RPC on systems that have RRAS enabled. Make sure you are patching systems that are using RRAS, and ensure it is not enabled on systems that do not require it, as disabling RRAS will protect against the vulnerability. For that reason it is listed as Exploitation less likely, but should get your attention after patching the browsers. Additionally, we recommend you take some time to review ADV170021, a Defense-in-Depth update that has configuration options to allow you to exert more control over DDE behaviors, in light of the recent DDE exploits that have been publicized. Note that this configuration change would be made after installing the update referenced in the advisory.
It should also be noted that on December 7, Microsoft released an out-of-band emergency patch for CVE-2017-11937 and CVE-2017-11940, which was a flaw in the Microsoft Malware Protection engine that could allow an attacker to create a specially crafted file that would be scanned by the Malware Protection engine, allowing for code execution on the endpoint. The patch was automatically ingested by the affected engines via definition updates, so no action should be required. As a precautionary measure, if you are using Microsoft’s Malware Protection engine in Defender, Security Essentials, Forefront Endpoint Protection, or the engines in Exchange 2013 or 2016, ensure that your updates are being applied automatically, and that you are on at least Version 1.1.14405.2 of the Malware Protection Engine.
From the Adobe side, there was only one Flash update, APSB17-42 listed as a “Business Logic Error”. So all in all, a rather quiet end to a busy year in vulnerabilities..."
Dec 12, 2017
Edited by AplusWebMaster, 13 December 2017 - 05:26 AM.
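The two host checks recommended in the Qualys excerpt above (Malware Protection Engine at version 1.1.14405.2 or later, and RRAS not enabled where it is not required), as an added PowerShell example that is not part of the original post or of any quoted vendor's tooling. It assumes the Defender cmdlet `Get-MpComputerStatus` is present (hosts using another engine are reported as not checked), PowerShell 5 or later for the `StartType` property, and `RemoteAccess` as the RRAS service name; the function names are hypothetical.

```powershell
# Added example. The minimum engine version is the one quoted in the Qualys excerpt.
$MinEngine = [version]'1.1.14405.2'

function Test-MpEngineVersion {
    param([version]$Minimum = $MinEngine)
    # The Defender module is absent on hosts that use a different product.
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Check = 'MpEngine'; Value = $null
                                  Result = 'NotChecked'; Note = 'Defender cmdlets not available' }
    }
    try {
        # AMEngineVersion is a dotted string; cast it so the comparison is numeric
        # per component rather than a string comparison.
        $current = [version](Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion
    } catch {
        return [pscustomobject]@{ Check = 'MpEngine'; Value = $null
                                  Result = 'NotChecked'; Note = $_.Exception.Message }
    }
    $result = if ($current -ge $Minimum) { 'OK' } else { 'UpdateEngine' }
    [pscustomobject]@{ Check = 'MpEngine'; Value = "$current"
                       Result = $result; Note = "minimum $Minimum" }
}

function Test-RrasState {
    # RemoteAccess is the Routing and Remote Access service.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Check = 'RRAS'; Value = 'NotInstalled'
                                  Result = 'OK'; Note = 'service not present' }
    }
    # Running, or able to start, means the host needs the December update
    # or the service should be disabled if the role is not required.
    $enabled = ($svc.Status -eq 'Running') -or ($svc.StartType -ne 'Disabled')
    $result = if ($enabled) { 'PatchOrDisable' } else { 'OK' }
    [pscustomobject]@{ Check = 'RRAS'; Value = "$($svc.Status)/$($svc.StartType)"
                       Result = $result; Note = 'disable if the role is not required' }
}

# Run both checks on the local host and show one row per check.
@(Test-MpEngineVersion; Test-RrasState) | Format-Table -AutoSize
```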