Microsoft has released fixes for 25 critical flaws, including one that’s likely to be used in malware.
Microsoft’s August update addresses a total of 48 flaws, more than half of which are critical remote code execution flaws. The bugs impact Microsoft’s Edge and Internet Explorer, Windows PDF, Windows Search, Sharepoint, and Microsoft’s new Windows Subsystem for Linux. There are also updates for Adobe’s Flash Player plugin in Microsoft's browsers.
Microsoft’s JavaScript browser engine for Edge, known as Chakra, got a lot attention in this update. Cisco's Talos unit notes 17 of the 25 critical vulnerabilities affect the JavaScript engine, which can be exploited if a user visits a page with malicious JavaScript code. Six of them were reported by Google's Project Zero researchers.
Trend Micro’s ZDI though reckons a Windows Search flaw, tagged as CVE-2017-8620, is “by far the most critical bug” this month, in part due to its similarity to a past Search flaw that was attacked. The bug will be attractive to malware authors for its wormable potential.
“An attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” Trend Micro notes, adding that admins should disable the SMBv1 file-sharing protocol.
Microsoft notes the attacker could send specially crafted messages to the Windows Search service to exploit the bug, but says it is not currently being exploited. It affects all supported versions of Windows and Windows Server.
Two other “important” bugs have been made public, including a denial of service flaw affecting its new Windows Subsystem for Linux for Windows 10, and an elevation of privilege flaw in Windows Error Reporting.
Adobe’s Tuesday patches address critical flaws affecting Flash Player and its Acrobat Reader products. The Flash update fixes two bugs, while the Reader update fixes 68 flaws.
Google and Microsoft will update Flash in their respective browsers.
Mozilla on Tuesday also released Firefox 55 which includes fixes for 28 browser flaws, several of which are critical.
This is the first version of Firefox that makes the Flash plugin click-to-run. Over the next month Mozilla is also rolling a feature that lets users set the browser to remember which sites the plugin should be allowed to run. For security reason, it also maintains a blocklist of sites that can't use any plugins.
Mozilla, Microsoft, Google, Facebook, and Apple announced Flash retirement roadmaps last month as Adobe announced it would stop supporting it by the end of 2020.