Today’s VERT Alert addresses the Microsoft December 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-756 on Wednesday, December 13th.
In-The-Wild & Disclosed CVEs
This month, no Microsoft vulnerabilities have been publicly disclosed or are being actively exploited. There are, however, a couple of vulnerabilities that are worthy of discussion.
CVE-2017-11885
One of the more interesting vulnerabilities this month is the Windows RRAS Service Remote Code Execution Vulnerability. The vulnerability only affects systems running the service, which is not uncommon in small businesses. RRAS is really two distinct services – Routing (software routing, not unlike a typical hardware router) and Remote Access (VPN functionality in a Windows environment). While Microsoft has deemed this ‘Exploitation Less Likely,’ environments with RRAS deployed should take note of this vulnerability, since the service is usually exposed at the network edge. Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
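Because this CVE only matters where the RRAS service is actually installed and running, the first defensive step is an inventory. The script below is an added example, not part of the original VERT alert or any vendor tooling; it assumes the RRAS Windows service is named `RemoteAccess` (as on Windows Server), that the hosts in the constructed `$Computers` list are reachable from Windows PowerShell 5.1 (where `Get-Service -ComputerName` is available), and that a host whose service is running or set to start automatically should be treated as in scope.

```powershell
# Added example (not from the original VERT alert): inventory which hosts run
# the Routing and Remote Access service, since CVE-2017-11885 only affects
# systems where that service is present.
# Assumptions: RRAS service name is 'RemoteAccess'; $Computers is a constructed
# sample list; remote service queries work (Windows PowerShell 5.1).

$Computers = @('srv-edge-01', 'srv-file-02')   # constructed sample host list

function Get-RrasExposure {
    param([string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        try {
            $svc = Get-Service -ComputerName $c -Name 'RemoteAccess' -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $c
                Installed = $true
                Status    = $svc.Status
                StartType = $svc.StartType
                # Running now, or set to start automatically, means in scope for this CVE
                InScope   = ($svc.Status -eq 'Running' -or $svc.StartType -eq 'Automatic')
                Note      = ''
            }
        } catch {
            # Service absent or host unreachable: record the reason rather than skipping silently
            [pscustomobject]@{
                Computer  = $c
                Installed = $false
                Status    = $null
                StartType = $null
                InScope   = $false
                Note      = $_.Exception.Message
            }
        }
    }
}

# Hosts flagged InScope are the ones to prioritise for the December update
Get-RrasExposure -ComputerName $Computers | Format-Table -AutoSize
```

Hosts where the lookup fails are kept in the output with the error message, so an unreachable server is visible as an unknown rather than disappearing from the list.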
CVE-2017-11937
Last week, Microsoft released the fix for this CVE as an out-of-band (OOB) update. The Microsoft Malware Protection Engine (MMPE) updates itself automatically within 48 hours, so many people will already have this update applied. The following day a second CVE was dropped – CVE-2017-11940 – with an identical description. Microsoft has rated this as a 2 on the Exploitability Index (Exploitation Less Likely).
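Since the engine updates on its own schedule, the practical check is whether a given host has already picked up the new engine version. The following is an added example, not code from the original alert; it assumes the Windows Defender PowerShell module is present (`Get-MpComputerStatus`), and `$FixedEngineVersion` is a placeholder that you must replace with the first fixed engine version listed in Microsoft's advisory for CVE-2017-11937.

```powershell
# Added example (not from the original VERT alert): confirm the Microsoft
# Malware Protection Engine has picked up the out-of-band update.
# Assumptions: Defender module available; $FixedEngineVersion is a PLACEHOLDER
# to be replaced with the version given in Microsoft's advisory.

$FixedEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER: take the real value from the advisory

function Test-MmpeUpdated {
    param([version]$MinimumVersion)

    $status  = Get-MpComputerStatus
    # AMEngineVersion is a string such as 'a.b.c.d'; cast so comparison is numeric, not lexical
    $current = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion         = $current
        RequiredVersion       = $MinimumVersion
        Updated               = ($current -ge $MinimumVersion)
        SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
        # A stale signature date suggests the host is not reaching the update source at all
        SignaturesOlderThan2d = ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-2))
    }
}

Test-MmpeUpdated -MinimumVersion $FixedEngineVersion
```

A host reporting `Updated = False` more than 48 hours after the release, or a signature date older than two days, is worth checking for blocked update traffic rather than waiting for the engine to catch up.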
Other Information
In addition to the Microsoft vulnerabilities included in the December Security Guidance, a number of security advisories were also published.
Microsoft Office Defense in Depth Update [ADV170021]
Microsoft has released an update to Word that allows users to enable/disable the Dynamic Update Exchange protocol (DDE).
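To see which users still have DDE turned on after deploying the update, you can read the setting the advisory exposes. The script below is an added example and not part of the original alert; it assumes (as documented in ADV170021) that the setting is the DWORD value `AllowDDE` under `HKCU:\Software\Microsoft\Office\<version>\Word\Security`, where 0 disables DDE, 1 allows DDE only to already-running programs, and 2 fully enables it, and that the Office version keys to check are 14.0, 15.0 and 16.0. An absent value is reported as not configured rather than guessed.

```powershell
# Added example (not from the original VERT alert): report the Word DDE setting
# introduced by ADV170021 for each Office version present under the current user.
# Assumptions: value name 'AllowDDE' (DWORD) with 0/1/2 semantics per the advisory;
# version keys 14.0 (2010), 15.0 (2013), 16.0 (2016/365).

$OfficeVersions = @('14.0', '15.0', '16.0')

function Get-WordDdeSetting {
    param([string[]]$Versions)

    foreach ($v in $Versions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path $key)) { continue }   # this Office version is not installed for this user

        $item  = Get-ItemProperty -Path $key -Name 'AllowDDE' -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.AllowDDE } else { $null }

        # Explicit if/elseif rather than switch so an absent ($null) value is handled deliberately
        $meaning = if ($null -eq $value)  { 'Not configured (AllowDDE value absent)' }
                   elseif ($value -eq 0) { 'DDE disabled' }
                   elseif ($value -eq 1) { 'DDE allowed only to already-running programs' }
                   elseif ($value -eq 2) { 'DDE fully enabled' }
                   else                  { "Unexpected value $value" }

        [pscustomobject]@{
            OfficeVersion = $v
            AllowDDE      = $value
            Meaning       = $meaning
        }
    }
}

Get-WordDdeSetting -Versions $OfficeVersions | Format-Table -AutoSize
```

Run under each user profile (or via a logon script) since the key lives in HKCU; rows showing `DDE fully enabled` are the ones where the update was installed but the protection was turned back off.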
December 2017 Flash Security Update [ADV170022]
Microsoft has released updates for Adobe Flash. These correspond to Adobe's bulletin APSB17-42 and include a fix for CVE-2017-11305.