12 December 2017

Black Tuesday: Microsoft issued patches for 33 vulnerabilities


December was not a busy month for Microsoft this year. The company patched only 32 vulnerabilities, distributed among the IE/Edge browsers and the ChakraCore engine, the Windows operating system, Office software, and the Exchange and SharePoint servers. In addition, the vendor released two defense-in-depth updates for Microsoft Exchange and Microsoft Office products. The latter covers the infamous DDE issue in Word.

A very interesting vulnerability was patched in the Windows RRAS service on all supported Windows versions.

Most of the patched vulnerabilities are buffer errors (26), as displayed in the diagram below:

24 vulnerabilities were rated as highly critical, which means they can be used to remotely compromise a vulnerable system:


The table below lists the vulnerabilities patched today:

| Security bulletin | Software | Severity | CVE | CVSS | Known exploits |
|---|---|---|---|---|---|
| SB2017121215: Information disclosure in its:// protocol handler in Microsoft Windows (1) | Windows, Windows Server | Medium | CVE-2017-11927 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Not available |
| SB2017121214: Cross-site scripting in Microsoft SharePoint Server (1) | Microsoft SharePoint Server | Low | CVE-2017-11936 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C | Not available |
| SB2017121213: Multiple vulnerabilities in Microsoft Office (3) | Microsoft Office, Microsoft Office for Mac | High | CVE-2017-11939 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Not available |
| | | | CVE-2017-11935 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11934 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C | |
| SB2017121212: Multiple vulnerabilities in Microsoft ChakraCore (15) | ChakraCore | High | CVE-2017-11916 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Not available |
| | | | CVE-2017-11919 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11905 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11894 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11930 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11918 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11914 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11912 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11911 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11910 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11909 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11908 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11895 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11893 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11889 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| SB2017121211: Multiple vulnerabilities in Microsoft Internet Explorer (13) | Microsoft Internet Explorer | High | CVE-2017-11930 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Not available |
| | | | CVE-2017-11890 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11901 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11903 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11913 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11886 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11907 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11906 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | |
| | | | CVE-2017-11887 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | |
| | | | CVE-2017-11919 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11894 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11912 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11895 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| SB2017121210: Spoofing attack in Microsoft Exchange OWA (1) | Microsoft Exchange Server | Low | CVE-2017-11932 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C | Not available |
| SB2017121209: Multiple RCE vulnerabilities in Microsoft Edge (14) | Microsoft Edge | High | CVE-2017-11889 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Not available |
| | | | CVE-2017-11893 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11895 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11908 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11909 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11910 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11911 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11912 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11914 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11918 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11888 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11894 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11905 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| | | | CVE-2017-11919 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | |
| SB2017121208: Security Feature Bypass in Windows Device Guard (1) | Windows, Windows Server | Low | CVE-2017-11899 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C | Not available |
| SB2017121206: Remote code execution in Windows RRAS Service (1) | Windows, Windows Server | High | CVE-2017-11885 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Not available |
