UPDATED 23:47 EDT / SEPTEMBER 12 2017

Microsoft patches 85 vulnerabilities including serious .NET framework flaw

Microsoft Corp. patched 85 security vulnerabilities in its monthly “Patch Tuesday” today, including a serious security flaw in its .NET framework that allows malicious attachments to hijack targeted personal computers.

The September Patch Tuesday, numbered 15063.608, offers updates for all supported versions of Windows systems and other products and includes a patch for CVE-2017-8759, the .NET framework flaw.

The vulnerability, discovered by researchers at FireEye Inc. and described as a SOAP WSDL parser code injection vulnerability, allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Attachments were identified as the most common attack vector: the attacker must persuade a user to open a malicious document or application sent to them via email.

“A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system,” Microsoft writes on its advisory page. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Commenting on the release, Greg Wiseman, senior security researcher at Rapid7 Inc., told SiliconANGLE that with nearly 100 patches, it was a big month for Microsoft, including remote code execution fixes for Office, Edge and Internet Explorer 11 and a patch for BlueBorne, the set of vulnerabilities recently discovered in Bluetooth devices.

Wiseman advised that administrators should prioritize rolling out .NET fixes to workstations, then any relevant Windows 10 (which bundles Edge) and IE updates, followed by the Microsoft Office and system-level patches.

Photo: frotzed/Flickr
