

Microsoft Corp. patched 85 security vulnerabilities in its monthly “Patch Tuesday” today, including a serious security flaw in its .NET framework that allows malicious attachments to hijack targeted personal computers.
The September Patch Tuesday, numbered 15063.608, offers updates for all supported versions of Windows systems and other products and includes a patch for CVE-2017-8759, the .NET framework flaw.
Discovered by researchers at FireEye Inc., the vulnerability, described as a SOAP WSDL parser code injection vulnerability, allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Attachments were identified as the most common attack vector: the attacker must persuade a user to open a malicious document or application sent to them via email.
“A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system,” Microsoft writes on its advisory page. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Commenting on the release, Greg Wiseman, senior security researcher at Rapid7 Inc., told SiliconANGLE that with nearly 100 patches, it was a big month for Microsoft, including remote code execution fixes for Office, Edge and Internet Explorer 11 and a patch for BlueBorne, the multiple vulnerabilities recently discovered in Bluetooth devices.
Wiseman advised that administrators should prioritize rolling out .NET fixes to workstations, then any relevant Windows 10 (which bundles Edge) and IE updates, followed by the Microsoft Office and system-level patches.