October 11, 2017

Microsoft on Tuesday released software updates to fix at least 62 security vulnerabilities in Windows, Office and other software. Two of those flaws were detailed publicly before yesterday’s patches were released, and one of them is already being exploited in active attacks, so attackers already have a head start.

brokenwindowsRoughly half of the flaws Microsoft addressed this week are in the code that makes up various versions of Windows, and 28 of them were labeled “critical” — meaning malware or malicious attackers could use the weaknesses to break into Windows computers remotely with no help from users.

One of the publicly disclosed Windows flaws (CVE-2017-8703) fixed in this batch is a problem with a feature only present in Windows 10 known as the Windows Subsystem for Linux, which allows Windows 10 users to run unmodified Linux binary files. Researchers at CheckPoint recently released some interesting research worth reading about how attackers might soon use this capability to bypass antivirus and other security solutions on Windows.

The bug quashed this week that’s being actively exploited resides in Microsoft Office (CVE-2017-11826), and Redmond says attackers could seize control over a vulnerable system just by convincing someone to open a booby-trapped Word file. Another Office vulnerability, (CVE-2017-11776), involves a flaw in Outlook’s ability to encrypt messages; SEC-Consult has more details on this bug.

Another critical flaw (CVE-2017-11779) addresses a scary vulnerability in the domain name system (DNS) component of Windows 8 and Windows Server 2012. According to research from Bishop Fox, the security firm credited with finding and reporting the bug, this flaw could be exploited quite easily to gain complete control over vulnerable systems if the attacker controls or compromises a local network (think Wi-Fi hotspot).

Normally, Adobe uses Microsoft’s Patch Tuesday (the second Tuesday of each month) to release its own fixes for Flash Player, Reader and other products. However, this time around the company has no security updates available. Adobe did release a new version of Flash that includes bug fixes (v. 27.0.0.159), but generally speaking only even-numbered Flash releases include security fixes.

For additional commentary on October’s bundle of updates from Microsoft, see these blogs from security vendors Ivanti and Qualys. For those looking for a straight-up list of which patches deserve priority, check out the always useful roundup from the SANS Internet Storm Center.


36 thoughts on “Microsoft’s October Patch Batch Fixes 62 Flaws

    1. Bruce Hobbs

      Yes. The news out Tuesday that Israel was watching live while the Russians ran searches through computers running Kaspersky antivirus software and found the NSA contractor who had downloaded secure data was fascinating. Especially if it holds up.

      Sadly, the more Kaspersky denies being a tool of the Russians the more believable it becomes.

      1. Erik

        Such an interesting problem. Certainly a possibility. To play Devil’s Advocate, though:

        1) Everybody who is anybody (in the nation-state world) spies on everybody else, especially anyone who is anybody. This includes purported allies – the US and Israel, for example, are infamous for working together while spying on each other. The shocked and fainty reactions when somebody – especially an adversary – gets caught are pretty silly. Russia spying on the US? Must be a day that ends in “y.”

        2) The billion-dollar question is whether Kaspersky was working with the Russian government (either voluntarily or under duress – Putin isn’t famous for asking “pretty please?”), or if the Russian government surreptitiously compromised and used their systems.

        3) Whether this actually happened, or if it’s a smear. Kaspersky AV (assuming it’s not intended as a red spy tool) is a top-notch product. The only thing intelligence agencies love more than spying is framing somebody else for spying, and it’s always interesting how leaks not originating from whistleblowers somehow always seem to target the menace du jour (for example, the Sony hack allegedly by North Korea that looked nothing like a nation-state hack – still possible, but awfully convenient). Kaspersky would easily be considered a “legitimate” economic target in a cold war, severely damaged with what amounts to a press release.

        4) If it actually happened, why now? This is something that would certainly get caught at some point, with obvious repercussions. I’ve joked earlier that using Kaspersky as a spy tool is an extremely high-value “trump card” (pun intended) – you only get to play it once, and when you’re caught you destroy an extremely valuable property. Putin may be an exceptionally scary world leader, but he’s also the guy who ran the KGB for awhile and he probably has a few dozen IQ points on his adversaries.

        5) Unless a credible whistleblower comes forward, we’ll probably never know the real story. Even truths in that world are delivered wrapped in enough lies to maximize their utility and impact. We can enjoy the speculation, though.

        1. Cog

          I don’t even think you start with questions. Kaspersky has made statements that simply are not true.

          In his most recent denial he has said that SORM laws don’t apply to his company because it is not an internet/telecom provider. How do customers get their data to Kaspersky? Everything customers submit to Kaspersky is in the hands of the Russian government right now, period.

          He has said there has been no cooperation with Kaspersky and the FSB. That has been directly contradicted by at least 4 former employees according to handful of articles over the last few years, and recent reports suggest there are more.

          He has said there are no current or former FSB officials working for Kaspersky, obviously false. Kaspersky himself has also denied working for Russian intelligence in the past, clearly false because at times he talked about that in interviews himself.

          Many people are asking questions about involvement with the Russian government. “If we were ever to do so just once, it would immediately be spotted by the industry and it would be the end of our business – and rightly so.” From Eugene Kaspersky’s latest blog post. I think we have may just seen evidence of that happening, but at the very least I think we can say Eugene Kaspersky isn’t being honest with his customers.

        2. Marty

          China = Lenovo PCs boguht from IBM

          Think the Chinese have some bugs in those machines? I do.

        3. DM

          I’d be more worried about the US monitoring of your computers, emails, paid back doors into your OS, secret hacking of your phone even when off, and its 100000 other things that have literally destroyed your privacy and ability to defend yourself in a court of law. Especially if they place stuff on your system to convict you.

          “I have nothing to hide, so who cares” is the worst idea ever. As all of this information will only EVER be used against you, and not for you….

          Get it?? look Squirrel!!! See its the Russians…

      2. vb

        “Kaspersky denies being a tool of the Russians ”

        This brings up the question: who is a tool for the US Government? We already know that the US Government is not above demanding US based software companies to insert spying tools into software or turn over the keys and let the US Government do the spying (see: Lavabit).

    2. Mahhn

      I also what to read what you discover. The summary of what I know (am led to believe) is that Russian (spooks or crims) had access to KLs cloud repository, and thus found NSA exploits that were uploaded when detected by KL cloud AV that was on his home PC when he illegally brought home work that happened to be illegal hackware, that Israel saw while they were also hacking KLs cloud service, but were so mad at the NSA for breaking a no news hacks or some kind of deal that they decided to out themselves, Russia and the NSA. I’m sure Kaspersky is feeling supper sore in the arse from all this, but might show them not guilty, but hacked all the same. Did Israel hack in after the NSA failed with Doku, for them… Crazy stuff. I want more 🙂

      1. BrianKrebs Post author

        Thanks. I don’t have any original reporting on these allegations, and unless I do I’m unlikely just to parrot what’s been reported elsewhere. I’m also not super interested in giving my spin on this. I think the truth will out eventually.

  1. Robert Preininger

    Same here … you’ve gone mano a mano with the Russians before, your thoughts on Kapersky?

    Keep fighting the good fight Brian, we all need you.

  2. clememp

    I concur on the Kaspersky situation – that would be a tremendous read!

  3. eDub

    Me three!

    What in tarnation is going on with Kaspersky, the Israelis and Russians?

    I am more than a bit skeptical about what all is making the rounds in the news…

  4. JellyToast

    Bashware only works if you have WSL enabled, which my guess is %99 of people don’t even know what bash is, let alone have it enabled. MS also recommends blocking bash.exe on machines that have device guard enabled, since there is no way to monitor linux processes with it. This definitely reads more like an ad than something to actually worry about.

  5. Hennessey

    Kaspersky… I’ve been using their anti-virus for several years. Over the weekend, I uninstalled Kaspersky and setup Windows Defender. Then I ran a full scan… I find it interesting that Windows Defender found a trojan that Kaspersky did not.

    1. Isaac

      I had a similar experience. I had been running KIS for years and it had always done a great job. However, a few months back my PC with KIS installed began acting strange (waking from hibernation in middle of night and other anomalies). I decided to run some other AV Malware software. Interestingly, the 3.1 version of Malwarebytes found a Trojan that Kaspersky had either not detected or ignored. The Trojan was categorized as a remote control type of Trojan…hmmm. I started a thread and posted my findings on KIS support forums (which are quite good) and after a few comments my thread was locked with a moderator explanation that the thread had run its usefulness. I chalked that up to it might have been because there were mentions of using alternative vendors AV s/w for use as second opinion detections. Now, with recent revelations…I am a bit more suspicious.

      I later viewed the Vice TV episode where Eugene Kaspersky was interviewed and asked about any involvement of his company with KGB. His response seemed to be almost too CANNED and stoic. In so many words it was essentially an adamant pokerfaced “No”. If it were my company and I was founder I would have elaborated a bit more…Something to the effect of a much more passionate response like: Are you crazy? No way I would jeopardize the revenue stream of my company by using our products in a cyber-snooping situation or any cyber warfare attempts. But he didn’t go there…

      So yes, Brian it would be a most fascinating read to get your insight on the alleged Kaspersky involvement situation!

    2. Mahhn

      Can you please share what it was, with as much detail as possible.

  6. Arbee

    Though it’s about neither Microsoft nor Adobe, herewith a comment about “updates” and “security”:

    KrebsOnSecurity has emphasized the value of robust passwords. Both KeePass and LastPass received favorable mention as password generators / managers. LastPass continues to work with Internet Explorer as well as with Chrome and Chrome-ish (Chrome-ish: Brave, Opera) browsers; Firefox: not so much.

    About two month ago, Firefox released v55; v56 was released at the end of September. Firefox v57, due in mid-November, will orphan the current version of LastPass, and LastPass’s promises of working updates are merely vaporware. My experience (and comments on the interwebs): Firefox and LastPass no longer play well together.

    I’ve read favorable comments about Bitwarden

    https://bitwarden.com/

    as an alternative password manager. Its strengths include Playing Well with various operating systems, browsers, and devices. Also — notably — it supports two-step authentication (2FA) with Duo, FIDO U2F, and YubiKey.

    This last consideration — 2FA with no reliance on SMS / texts to yuppie fones — seems to me to be a step in the right direction.

    Anyone here who’s tried / used Bitwarden? Comments from the commentariat?

    1. JimV

      LastPass hasn’t played well with Firefox for most of the last few years’ worth of new versions, particularly in terms of overloading the latter’s tendency toward imposing a mindboggling memory-hogging load on the OS. I thought for quite awhile that it was just due to Firefox until I submitted a query and one of the Mozilla support wizards had me take a snapshot of the FF internal memory-handling function — that revealed the culprit. The LP support forum essentially ignored the issue. If Bitwarden is a viable option, I’m certainly interested, especially if there’s an easy way to port over all of the LP-stored password information other than doing it manually site-by-site.

    2. SalSte

      Just use the ESR version of Firefox, which won’t be getting the plugin changeover that the mainline version is getting until next year. That way you’ve got time for developers to fix their existing plugins.

    3. JPTX

      LastPass Version: 4.1.66a
      Built: Tue Sep 26 2017 16:46:45 GMT-0400 (EDT)

      Currently working as expected on Firefox 56.0.1 (64-bit)

      Typically LP catches up to FF within a week or so, at most.

    4. George G

      Sadly, the new versions of Firefox do no support several add-ons that I used. Most importantly, NoScript can no longer be used with Firefox. Ditto for Adblock Plus, Download Status Bar, etc.

  7. YT

    Amazed anyone would use a Russian anti-virus/malware/whatever.

    Russia is run by a mafia, and NO Russian firm can disobey that mafia. So if they’ve ordered Kaspersky to put in some backdoor, it will be there. Otherwise, the fortunes, property, and maybe even the lives of any resisters would immediately be in jeopardy.

    1. JPTX

      What about?
      Dr Web (Russia)
      Avast/AVG, TrustPort (Czech Republic/FSU)
      Bitdefender (Romania/FSU)
      ESET (Slovakia/FSU)
      VirusBlokAda/VBA32 (Belarus/FSU) – Discovered Stuxnet
      Qihoo 360 (China)

      For sure the first & last would be suspect.

  8. Jean Val Joke

    Russia runs their networks. All ISPs in Russia are monitored unless too small to be known of.

    KAV probably does have 0 day vulns that can be exploited somewhere, but that may not be needed to do what it is alleged Russian intelligence was able to do with the phone-home-with-unknown-hash feature / ‘silent flag’ search capability that is, validly, in place to reduce pop up “yes/no” windows and reduce false positives. It is in place in a lot of AV’s in some respect, if not all.

    But since it phones home to Russia with what it finds, presumably someone who wants to listen in and has physical access or a derivative capability (or coercion, who knows) can get a look at whatever passes down the pipe. Did they also hack the search itself? It’s unclear. That would mean KAV is compromised either in code or personnel, either way compromised.

    Eugene has my respect in any case. I don’t think this is his idea.

  9. Stratocaster

    Evidently Microsoft doesn’t include Flash Player updates UNLESS they are “security” updates. And with Win10, there is no straightforward way to install the Flash Player bug-fix (what bugs precisely?) manually, although the ActiveX version is posted on the Adobe FTP site. The Flash “about” page still lists 27.0.0.130 as current for Edge/IE. Chrome includes the new Flash Player version.

  10. cda

    The update also broke 6 of 22 windows 10 installs I have…..INACCESSABLE BOOT DEVICE…..had to Reset Windows 10 …..and reinstall all apps!

  11. doug

    Brian, I’ve tried going to the Microsoft and other sites to update these patches, but it’s kind of confusing for a non IT guy. Do we have to update each CV patch, or is there a simple ‘update’ button we can push to keep our software current.

    1. BrianKrebs Post author

      Go to the Start button (bottom left corner of your screen in Windows) and type “Windows Update.” That should show you Windows Update. Open that and click check for updates if it doesn’t already show some available. Any available security updates will be listed as “important updates”. Non-security updates are generally listed as “optional updates.” Microsoft no longer allows you to pick and choose which updates to install from its monthly batches; they’re all rolled into one big update bundle (with a few exceptions, like .NET updates).

  12. JimV

    Adobe is out with an update to Flash, bringing it to v27.0.0.170 — indicating a security patch.

    1. JimV

      …and there’s now another update, which brings the Flash releases to v27.0.0.183.

Comments are closed.