Last updated at Tue, 14 Nov 2017 22:23:16 GMT
Web browser issues account for two thirds of this month's patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays. On top of this are five Adobe Flash Player vulnerabilities, all of which are classified as Critical Remote Code Execution (RCE) bugs.
In fact it's quite a big month for Adobe, who have issued advisories across nine separate product lines, with 62 vulnerability fixes just for Acrobat and Reader. Most of these address critical RCE vulnerabilities. Given the prevalence of PDF documents, administrators should take a close look at whether Adobe software in their environment is up to date.
Back to Microsoft: no non-browser vulnerabilities are considered critical this month, but with a little bit of social engineering, an attacker could theoretically combine one of the Office-based RCE vulnerabilities like CVE-2017-11878 or CVE-2017-11882 with a Windows Kernel privilege escalation weakness such as CVE-2017-11847 to gain complete control over a system. Mercifully, none of the patched vulnerabilities this time around are known to be exploited in the wild.