Microsoft's Patch Tuesday Update Is Big, Fixing Serious Office Flaws And Windows DNS Vulnerability
Every second Tuesday of every month Microsoft releases a batch of security updates to keep Windows and its core services in tiptop shape. Dubbed Patch Tuesday, yesterday's release for October was a pretty big one in the grand scheme of things (though not as big as the one this past June), containing fixes for dozens vulnerabilities, among them an "important" zero-day flaw in Microsoft Office that hackers have already exploited.
The issue in Office relates to memory corruption and affects all supported versions of the productivity suite. By exploiting the security hole, an attacker could send a malicious Office file to a victim and, if opened, would give the attacker the same rights as the user. A person with less system privileges would be less impacted, but if a user with full admin rights opened the file, it would open the door for an attacker to wreak havoc on a system or network.
Microsoft also issued a fix for a Windows DNS vulnerability that could allow a remote attacker to gain access to a system and execute malicious code on Windows clients or Windows Server installations. The issue affects PCs running Windows 8.1 and Windows 10, along with Windows Server 2012 through 2016.
Another flaw that is fixed by the recent Patch Tuesday roll out is a cross-site scripting (XSS) vulnerability present in Microsoft SharePoint Server, affecting SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016. An attacker can exploit the vulnerability by sending a maliciously crafted request to an affected SharePoint system.
"The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user," Microsoft explains.
One word of caution—there have been reports of the recent Patch Tuesday 'breaking' machines. There is a thread on Reddit where users complain of receiving a Blue Screen of Death (BSoD) error after applying the updates, which is compounded by not being able to boot into Safe Mode. There is a also a fix listed in the thread.
The issue in Office relates to memory corruption and affects all supported versions of the productivity suite. By exploiting the security hole, an attacker could send a malicious Office file to a victim and, if opened, would give the attacker the same rights as the user. A person with less system privileges would be less impacted, but if a user with full admin rights opened the file, it would open the door for an attacker to wreak havoc on a system or network.
Microsoft also issued a fix for a Windows DNS vulnerability that could allow a remote attacker to gain access to a system and execute malicious code on Windows clients or Windows Server installations. The issue affects PCs running Windows 8.1 and Windows 10, along with Windows Server 2012 through 2016.
Another flaw that is fixed by the recent Patch Tuesday roll out is a cross-site scripting (XSS) vulnerability present in Microsoft SharePoint Server, affecting SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016. An attacker can exploit the vulnerability by sending a maliciously crafted request to an affected SharePoint system.
"The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user," Microsoft explains.
One word of caution—there have been reports of the recent Patch Tuesday 'breaking' machines. There is a thread on Reddit where users complain of receiving a Blue Screen of Death (BSoD) error after applying the updates, which is compounded by not being able to boot into Safe Mode. There is a also a fix listed in the thread.
