

Microsoft Corp. has patched 62 vulnerabilities in its latest “Patch Tuesday” release, including one called CVE-2017-11826, a serious flaw that allows attackers to gain remote access to computers running the Windows operating system.
Down from 81 security vulnerabilities patched in September, the new release also included patches for two other vulnerabilities that were disclosed for the first time but not previously found in the wild, CVE-2017-11777 and CVE-2017-8703. The latter is a Windows Subsystem for Linux denial-of-service vulnerability that allows an attacker to execute a specially crafted application to affect an object in memory, allowing the attacker to cause the system to become unresponsive. CVE-2017-11777 is a Microsoft Office SharePoint XSS vulnerability that allows a hacker to send a specially crafted request to an affected SharePoint server.
What was particularly notable in the release was what was missing — any update to Adobe Flash. “For the first time in ages, Adobe Flash does NOT include any security fixes,” Chris Goettl, product manager at IT solutions firm Ivanti Inc., told SiliconANGLE. “That’s right! A priority 3, feature bug fix-only release for Adobe Flash and no required update from Microsoft!”
Of the 62 vulnerabilities patched, 30 of them affected Windows directly, with 28 of the vulnerabilities labeled as critical and 33 potentially resulting in remote code execution.
Jimmy Graham, director of product management at Qualys Inc., explained that some of the patches needed to be applied before others.
“Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as ‘important’ and is actively being exploited in the wild,” Graham said. “Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system and can impact both servers and workstations. While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry and Petya.”
Graham added that two vulnerabilities in the Windows font library, CVE-2017-11762 and CVE-2017-11763, are worthy of attention, given that they can be exploited through a browser or malicious file. In addition, a vulnerability in DNSAPI, CVE-2017-11779, could allow a malicious DNS server to execute code on a client system.
The security patches for October’s Patch Tuesday are available from Microsoft.