9 replies to this topic

[AplusWebMaster]

FYI...

November 2017 security update release
- https://blogs.techne...update-release/
Nov 14, 2017 - "Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically..."

> https://portal.msrc....e5-000d3a32fc99
Nov 14, 2017 - "The November security release consists of security updates for the following software:
    Internet Explorer
    Microsoft Edge
    Microsoft Windows
    Microsoft Office and Microsoft Office Services and Web Apps
    ASP.NET Core and .NET Core
    Chakra Core ...

Known Issues:
- https://support.micr...s/help/4048954/
- https://support.micr...s/help/4048953/
- https://support.micr...us/help/4048955
- https://support.micr...s/help/4048952/
- https://support.micr...us/help/4048956
- https://support.micr...us/help/4048958
- https://support.micr...us/help/4048961
- https://support.micr...us/help/4048957
- https://support.micr...us/help/4048960

Security Update Summary
> https://portal.msrc....curity-guidance
___

- https://www.askwoody...-black-tuesday/
"... Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it..."
___

- https://www.us-cert....ecurity-Updates
Nov 14, 2017
___

ghacks.net: https://www.ghacks.n...r-2017-release/
Nov 14, 2017 - "Microsoft released security updates for Microsoft Windows, Microsoft Office, and other company products on the November 2017 Patch Day...
Executive Summary:
    Microsoft released security updates for all supported versions of Windows (client and server), and Internet Explorer, Microsoft Edge, Microsoft Office, .Net Core and ASP.NET Core, and Chakra Core.
    No critical updates for Windows, but for IE 11 and Microsoft Edge.
    Lots of known issues. <<
Operating System Distribution:
    Windows 7: 12 vulnerabilities of which 12 are rated important
    Windows 8.1: 11 vulnerabilities of which 11 are rated important
    Windows 10 version 1607: 12 vulnerabilities of which 12 are rated important
    Windows 10 version 1703: 12 vulnerabilities of which 12 are rated important
    Windows 10 version 1709: 9 vulnerabilities of which 9 are rated important
Windows Server products:
    Windows Server 2008: 11 vulnerabilities of which 11 are rated important
    Windows Server 2008 R2: 12 vulnerabilities of which 12 are rated important
    Windows Server 2012 and 2012 R2: 11 vulnerabilities of which 11 are rated important.
    Windows Server 2016: 12 vulnerabilities of which 12 are rated important
Other Microsoft Products
    Internet Explorer 11: 13 vulnerabilities, 8 critical, 4 important, 1 moderate
    Microsoft Edge: 24 vulnerabilities, 16 critical, 8 important ..."

Qualys analysis: https://blog.qualys....ve-adobe-update
Nov 14, 2017 - "This November Patch Tuesday is moderate in volume, and in severity.  Microsoft released patches to address -53- unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS gets 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe. According to Microsoft, there do not appear to be any actively attacked vulnerabilities in the wild in this patch release.
Interestingly enough, none of the Windows OS patches are listed as Critical this month, but we do recommend focusing on CVE-2017-11830 and CVE-2017-11847, as they address a Security Feature Bypass, and a Privilege Elevation respectively. It should also be noted that CVE-2017-11848,CVE-2017-11827,CVE-2017-11883,CVE-2017-8700 have public exploits, but they do not appear to be used in any active campaigns.
From a prioritization standpoint, focus on the fixes for CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which all address the Scripting Engine in Edge and Internet Explorer, especially on laptops, and other workstation-type systems where the logged in user may have administrative privileges. Microsoft lists exploitation as More Likely for these vulnerabilities, especially if a user is tricked into viewing a malicious site or opening an attachment. While Microsoft lists the fix for CVE-2017-11882 as Important, there may be POC code for this vulnerability, so it is recommended that you give the Office updates attention this month as well. It should also be noted that last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Therefore, it is recommended you ensure last month’s security patches are fully addressed. Alternatively, you can install this month’s Monthly Rollups, as they should include this fix.
Adobe has also released patches for 9 advisories, fixing a stunning -62- CVEs for Acrobat and Reader alone, so ensure that you are updating Adobe across your environment to stay protected."
 

Edited by AplusWebMaster, 14 November 2017 - 03:21 PM.

[AplusWebMaster]

FYI...

Additional information - MS released patches:
- https://www.security....com/id/1039780
- https://www.security....com/id/1039781
- https://www.security....com/id/1039782
- https://www.security....com/id/1039783
- https://www.security....com/id/1039787

- https://www.security....com/id/1039788
- https://www.security....com/id/1039789
- https://www.security....com/id/1039790
- https://www.security....com/id/1039792
- https://www.security....com/id/1039793

- https://www.security....com/id/1039794
- https://www.security....com/id/1039795
- https://www.security....com/id/1039796
- https://www.security....com/id/1039797
- https://www.security....com/id/1039801
___

November 2017 Office Update Release
- https://blogs.techne...update-release/
Nov 14, 2017 - "... This month, there are -23- security updates and 43 non-security updates. All of the security and non-security updates are listed in KB article 4051890*.
* https://support.micr...icrosoft-office
Last Review: Nov 14, 2017 - Rev: 10

A new version of Office 2013 Click-To-Run is available: 15.0.4981.1001

A new version of Office 2010 Click-To-Run is available: 14.0.7190.5001
___

> https://www.computer...henanigans.html
Nov 15, 2017 - "... It’s a messy month. With no “critical” Windows updates, as long as you don’t use IE or Edge, there’s no huge pressure to apply the updates just yet..."
 

Edited by AplusWebMaster, 15 November 2017 - 03:01 PM.

[AplusWebMaster]

FYI...

Patch alert...
... Patch Tuesday problems roll out, with a new acknowledgment from Microsoft about a dot matrix printer bug, continued reports of Win10 1703-to-1709 upgrades, one unconfirmed report of a forced 1607-to-1709 upgrade, and a memory violation error with CDPUserSvc...
> https://www.computer...s-continue.html
Nov 17, 2017

> https://www.askwoody...h-tuesday-crop/
Nov 17, 2017

> https://www.ghacks.n...r-2017-updates/
Nov 17, 2017

... Nov patch bugs... see the URLs above...

i.e.: Nov 14, 2017—KB4048957 (Monthly Rollup)
> https://support.micr...pdate-kb4048957
"... After installing this update, some Epson SIDM and Dot Matrix printers cannot print on x86 and x64-based systems.
Microsoft and Epson have determined the cause of the issue and are working on a solution. This problem is not related to the printer driver, so installing current or older print drivers will not resolve the issue.
Microsoft will provide an update in an upcoming release."
Article ID: 4048957 - Last Review: Nov 17, 2017 - Rev: 19
Applies to: Windows Server 2008 R2 Standard, Windows 7 Service Pack 1
 

Edited by AplusWebMaster, 18 November 2017 - 11:10 AM.

[AplusWebMaster]

FYI...

Windows ASLR Vulnerability
> https://www.us-cert....R-Vulnerability
Nov 20, 2017 - "... released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system..."

Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard
- https://www.kb.cert.org/vuls/id/817544
19 Nov 2017 - "Overview: Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.
Description: Address Space Layout Randomization (ASLR)
Starting with Windows Vista, a feature called ASLR was introduced to Windows that helps prevent code-reuse attacks. By loading executable modules at non-predictable addresses, Windows can help to mitigate attacks that rely on code being at predictable locations. Return-oriented programming (ROP) is an exploit technique that relies on code that is loaded to a predictable or discoverable location. One weakness with the implementation of ASLR is that it requires that the code is linked with the /DYNAMICBASE flag to opt in to ASLR.
Mandatory ASLR and Windows 8: Both EMET and Windows Defender Exploit Guard can enable mandatory ASLR for code that isn't linked with the /DYNAMICBASE flag. This can be done on a per-application or system-wide basis. Before Windows 8, system-wide mandatory ASLR was implemented using the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages registry value. By settings this value to 0xFFFFFFFF, Windows will automatically relocate code that has a relocation table, and the new location of the code will be different across reboots of the same system or between different systems. Starting with Windows 8, system-wide mandatory ASLR is implemented differently than with prior versions of Windows. With Windows 8 and newer, system-wide mandatory ASLR is implemented via the HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions binary registry value. The other change introduced with Windows 8 is that system-wide ASLR must have system-wide bottom-up ASLR enabled to supply entropy to mandatory ASLR.
The Problem: Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.
Impact: Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.
Solution: The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR
To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or newer system, the following registry value should be imported:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
    "MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Note that importing this registry value will overwrite any existing system-wide mitigations specified by this registry value. The bottom-up ASLR setting specifically is the second 01 in the binary string, while the mandatory ASLR setting is the first 01. Also note that in the past, enabling system-wide mandatory ASLR could cause problems if older AMD/ATI video card drivers are in use. This issue was addressed in the Catalyst 12.6 drivers released in June, 2012."

> https://www.kb.cert.org/vuls/id/458153

> https://support.amd.com/en-us/download
___

> https://www.bleeping...res-how-to-fix/
Nov 17, 2017 - "... Optionally, Bleeping Computer has created an ASLR-fix registry fix file that users only need to download and double-click."
> https://download.ble...eg/ASLR-fix.reg
 

Edited by AplusWebMaster, 20 November 2017 - 04:50 PM.

[AplusWebMaster]

FYI...

November 21, 2017—KB4055038
- https://support.micr...-2017-kb4055038
Nov 21, 2017 - "Summary: This update addresses an issue that prevents some Epson SIDM (Dot Matrix) and TM (POS) printers from printing on x86-based and x64-based systems..."
Last Review: Nov 21, 2017 - Rev: 9
Applies to:
Windows 8.1, Windows 7 Service Pack 1, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Windows Server 2008 R2 Service Pack 1
___

November 14, 2017—KB4048957 (Monthly Rollup)
- https://support.micr...pdate-kb4048957
"... After installing this update, some Epson SIDM (Dot Matrix) and TM (POS) printers cannot print on x86 and x64-based systems. This issue has been resolved in KB4055038."
Last Review: Nov 22, 2017 - Rev: 24
Applies to:
Windows Server 2008 R2 Standard, Windows 7 Service Pack 1

> See: "Known issues in this update..."
___

Also:

November 14, 2017—KB4048954
(OS Build 15063.726 and 15063.728)
Windows 10 Version 1703
- https://support.micr...pdate-kb4048954
Last Review: Nov 22, 2017 - Rev: 31
Applies to:
Windows 10, Windows 10 Version 1703

> See: "Known issues in this update..."
___

DDEAuto Attacks Could Leave You at Risk
- https://windowssecre...ve-you-at-risk/
Nov 21, 2017 - "Office has long been used as a means to infiltrate our systems a means by which attackers get into our systems. Every month Office is patched for remote code execution attacks.
Microsoft patches what vulnerabilities it can. Take the November Office updates that fixed issues with older obsolete components in Office 2016 that impacted ODBC drivers. But as pointed out in this research blog post*, mitigation in addition to patching is probably wise.
* https://embedi.com/b...idnt-know-about
The view that mitigation may be better than patching is reinforced with the disclosure of another Office vulnerability that won’t be patched. It can’t be patched, as it impacts functionality of your system. You have to make the determination of how much at risk you want to be. Called the DDEAuto attacks** allows the execution of malicious code on an email without the use of attachments or macros. These macro-less attacks have been used in various attacks[3] such as malware campaigns such as Vortex ransomware and Hancitor.
** https://community.so...kb/en-us/127711
3] https://www.endgame....-cause-analysis
In the example noted in the Sophos blog, an attack can come from in the form of a calendar invite instead of an email. The attachment is in the form of a RTF – or rich text format – and is often not in the form of a traditional attachment. So what can one do if you want to protect yourself from these attacks? Stop opening emails? Don’t open Excel or Word documents? An admirable protection scheme but not realistic to most computer users — and especially not to small businesses.
Defining DDE
Microsoft has long built into its Office products the means to exchange data between applications and other platforms. Dynamic Data Exchange or DDE is one such method."
 

Edited by AplusWebMaster, 23 November 2017 - 09:04 AM.

[AplusWebMaster]

FYI...

MS Nov 2017 patch status: ... One patch disappears, another yanked
... all sorts of Windows patch inanities await. The Epson dot matrix bug in this month’s security patches was fixed for older versions of Windows, but .NET patch KB 4049016 and others got pulled
- https://www.computer...her-yanked.html
Nov 27, 2017 - "... make sure Automatic Update is turned off... over the long weekend we discovered how Microsoft tests and fixes dot matrix printers, and how it stumbles over its own .Net patching regimen..."
___

November 27, 2017 — KB4051034 (Preview of Monthly Rollup)
- https://support.micr...pdate-kb4051034
Last Review: Nov 27, 2017 - Rev. 16
Applies to
Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

See: "Known issues in this update..."
___

November 27, 2017 — KB4050946 (Preview of Monthly Rollup)
- https://support.micr...pdate-kb4050946
Article ID: 4050946 - Last Review: Nov 27, 2017 - Rev: 16
Applies to
Windows Server 2012 R2 Standard, Windows 8.1

See: "Known issues in this update..."
___

Description of Software Update Services and Windows Server Update Services changes in content for 2017
- https://support.micr...ices-changes-in
Article ID: 894199 - Last Review: Nov 27, 2017 - Rev: 139
 

Edited by AplusWebMaster, 27 November 2017 - 04:03 PM.

[AplusWebMaster]

FYI...

MS Patch Alert: November’s forced upgrades, broken printers and more
   This month’s security patches brought forced upgrades, broken Epson printers, a vanishing patch, yanked .NET patches that underscore confusion inside Microsoft itself, blocked cumulative updates, and a self-induced memory violation error
- https://www.computer...s-and-more.html
Nov 28, 2017

See details at the URL above...
 

[AplusWebMaster]

FYI...

Get November Windows and Office updates installed — carefully
 ... We’ve been through a mess of patches, re-patches, pulled patches and forced upgrades. But in the past few days, it looks as if things have calmed down a bit. I suggest that you get your machine brought up to speed, and let’s see what December shall bring
- https://www.computer...-carefully.html
Nov 30, 2017
(-Many- details at the URL above.)

> https://www.askwoody...to-get-patched/
Nov 30, 2017 - "Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems."

Fixes or workarounds for recent Office installation or activation issues
> https://support.offi...8c-cd74884f292f
Last updated: November 2017
___

CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability
Security Vulnerability
- https://portal.msrc..../CVE-2017-11882
Published: 11/14/2017 | Last Updated : 11/29/2017
> https://portal.msrc....-11882#ID0EMGAC
Workarounds: Disable Equation Editor 3.0
For instructions on disabling the Equation Editor, see Microsoft Knowledge Base Article 4055535:

How to disable Equation Editor 3.0
>> https://support.micr...tion-editor-3-0
Last Review: Nov 21, 2017 - Rev: 56
Applies to
Microsoft Office Professional 2016, Microsoft Office Standard 2016, Microsoft Office 2013 Service Pack 1, Microsoft Office 2010 Service Pack 2, Microsoft Office Standard 2007, Microsoft Office Professional 2007
___

Win10 V1709 - November 30, 2017—KB4051963 (OS Build 16299.98)
- https://support.micr...pdate-kb4051963
Nov 30, 2017
Last Review: Nov 30, 2017 - Rev: 25
Applies to
Windows 10, Windows 10 version 1709

See: "Known issues in this update..."
___

- https://windowssecre...709-has-issues/
Nov 30, 2017
 

Edited by AplusWebMaster, 01 December 2017 - 06:25 AM.

[AplusWebMaster]

FYI...

Update for Win7 broken, throwing error 80248015
... Microsoft -forgot- to change an expiration date, and now all attempts to run Windows Update in Win7 are failing with the bogus message 'Windows Update cannot currently check for updates, because the service is not running'
- https://www.computer...r-80248015.html
Dec 4, 2017

> https://answers.micr...e?auth=1&page=4
12/4/2017 - "... This is an issue that only microsoft can solve by issuing a new expiry date for the Windows Update program. Any manual fix attempt (aside a possible patch distributed by ms to update the expiry date) will just risk damaging your windows installation..."
___

>> https://www.askwoody...ce-not-running/
December 4, 2017 at 2:36 pm

Also see:
- http://borncity.com/...rch-dec-4-2017/
2017-12-04 - "Microsoft has successfully killed Windows Update search in Windows 7 SP1. Since December 4, 2017 Windows Update search stalls with 0x80248015. Here are a few details and some workarounds..."
___

> https://www.bleeping...how-to-fix-it-/
Dec 4, 2017

> https://www.ghacks.n...-are-not-alone/
Dec 4, 2017

> https://answers.micr...e?auth=1&page=8
Dec 5, 2017
 

Edited by AplusWebMaster, 05 December 2017 - 06:21 AM.

[AplusWebMaster]

FYI...

MS Malware Protection Engine - Remote Code Execution Vuln
> https://portal.msrc..../CVE-2017-11937
12/06/2017 Critical - "... First version of the Microsoft Malware Protection Engine with this vulnerability addressed: Version 1.1.14405.2 ..."

> https://portal.msrc....uidance/summary
12/06/2017

- https://www.security....com/id/1039972
CVE Reference: https://nvd.nist.gov.../CVE-2017-11937
Dec 7 2017
Impact: Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.1.14306.0 ...
Impact: A remote user can create content that, when scanned by the target Microsoft Malware Protection Engine, will execute arbitrary code with LocalSystem privileges on the target system.
Solution: The vendor has issued a fix (1.1.14405.2)...

Microsoft Issues Fix for Microsoft Exchange Server
> https://www.security....com/id/1039973
Dec 7 2017

Microsoft Issues Fix for Microsoft Forefront Endpoint Protection
> https://www.security....com/id/1039974
Dec 7 2017

Microsoft Issues Fix for Microsoft Windows Defender
> https://www.security....com/id/1039975
Dec 7 2017

> https://support.micr...ent-information
___

- https://www.us-cert....otection-Engine
Dec 7, 2017
 

Edited by AplusWebMaster, 08 December 2017 - 06:31 AM.