Last updated at Tue, 12 Sep 2017 21:59:08 GMT
It's a big month, with Microsoft patching 85 separate vulnerabilities including the two Adobe Flash Player Remote Code Execution (RCE) fixes bundled with the Edge and Internet Explorer 11 updates. Continuing recent trends, the bulk of Critical RCE vulnerabilities are client-side, primarily in Edge, IE, and Office. Microsoft has also released patches for today's branded public disclosure, "BlueBorne", which is a collection of vulnerabilities affecting the Bluetooth stacks from multiple vendors. The Microsoft-specific issue is CVE-2017-8628, a spoofing vulnerability that could allow a man-in-the-middle attack when in physical proximity to an affected system.
In terms of exploitability, CVE-2017-8759 (a flaw in the way the .NET framework processes untrusted input) is the most urgent as it is known to already be exploited in the wild. Any attacker able to persuade a user to open a maliciously crafted document or application will be able to take control of affected systems with the same privileges as the user. Among the Office vulnerabilities, CVE-2017-8742, CVE-2017-8743, and CVE-2017-8744 are memory corruption vulnerabilities that could lead to RCE which Microsoft has classified as being likely to be exploited.
Administrators should prioritize rolling out .NET fixes to workstations, then any relevant Windows 10 (which bundle Edge) and IE updates, followed by the Microsoft Office and system-level patches.
As usual, there are also server-side patches that need to be applied. SharePoint sees a fix for a XSS vulnerability (CVE-2017-8629) as well as for two RCE vulnerabilities that also apply to Office Online Server (CVE-2017-8631) and CVE-2017-8743). Exchange Server also gets some love with fixes for CVE-2017-11761 and CVE-2017-8758 (Information Disclosure and Privilege Escalation, respectively). Of course, standard Windows Server systems are also getting critical fixes, such as that for CVE-2017-0161, an RCE in NetBIOS Over TCP/IP (NetBT).