UPDATED 23:47 EST / SEPTEMBER 12 2017

INFRA

Microsoft patches 85 vulnerabilities including serious .NET framework flaw

Microsoft Corp. patched 85 security vulnerabilities in its monthly “Patch Tuesday” today, including a serious security flaw in its .NET framework that allows malicious attachments to hijack targeted personal computers.

The September Patch Tuesday, numbered 15063.608, offers updates for all supported versions of Windows systems and other products and includes a patch for CVE-2017-8759, the .NET framework flaw.

Discovered by researchers at FireEye Inc., the vulnerability, described as a SOAP WSDL parser code injection vulnerability, allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Attachments were identified as the most common attack vector, with the attacker being required to persuade a user to open a malicious document or application sent to them via email.

“A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system,” Microsoft writes on its advisory page. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Commenting on the release, Greg Wiseman, senior security researcher at Rapid 7 Inc., told SiliconANGLE that with nearly 100 patches, it was a big month for Microsoft, including Remote Code Execution fixes for Office, Edge and Internet Explorer 11 and a patch for BlueBorne, the multiple vulnerabilities recently discovered in Bluetooth devices.

Wiseman advised that administrators should prioritize rolling out .NET fixes to workstations, then any relevant Windows 10 (which bundle Edge) and IE updates, followed by the Microsoft Office and system-level patches.

Photo: frotzed/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU