Microsoft releases six Security Bulletins today, three of them “critical” remote code execution, to fix almost thirty CVE-enumerated vulnerabilities. None of them are known to be publicly exploited, and only a couple are known to be publicly discussed. So, this round yet again demonstrates Microsoft’s continued commitment to proactive security software maintenance. A dozen of these CVE were reported by researchers working with HP’s Zero Day initiative, and a kernel memory corruption vulnerability credited to md5 “dbc282f4f2f7d2466fa0078bf8034d99”.
Patches go out this month for vulnerable Microsoft software that could be used as an attack vector:
- Internet Explorer
- Windows system components
- VBScript and JScript engines through Internet Explorer
- VBScript and JScript engines through embedded ActiveX objects opened in Microsoft Office documents
- Microsoft Edge
- Windows “Shell” (related to Toolbar processing) on standard Windows workstations and laptops, and tablets
- Microsoft Excel (for Windows and Mac)
- Microsoft SharePoint
- Office Web Apps
- Excel Viewer
- Microsoft Office Compatibility Pack
- Windows Boot Configuration Data (BCD) parser effecting Windows Vista and all more recent OS
- Windows File System Components
While the urgency does not seem to be quite as high as past months, please update your Microsoft software asap.
As of today, HP’s Zero Day initiative maintains over 300 upcoming advisories. Of course, the usual suspects are in there like Adobe, Apple, Oracle, and Microsoft, but it’s most interesting that the bulk of them are unrelated to these names. Microsoft is not at the top of the list, regardless of the prevalence and complexity of their software. Instead, upcoming serious advisories mostly cover bugs in IoT, embedded, SCADA and ICS related software from Advantech, Tibbo, Schneider Electric, Proface, Unitronics, and Ecava.