No big surprises from Microsoft this month, with 70% of the 34 vulnerabilities addressed being web browser defects. Most of these are Critical Remote Code Execution (RCE) vulnerabilities, so administrators should prioritize patching client workstations. It doesn't take sophisticated social engineering tactics to convince most users to visit a malicious web page, or a legitimate but compromised website (as in a watering hole attack). If the user is browsing with an unpatched version of Internet Explorer or Edge, an attacker could execute arbitrary code. If the user has administrative rights, it's game over and the attacker could take full control of the system.

Two of this month's vulnerabilities were actually patched last week; CVE-2017-11937 and CVE-2017-11940 are Critical RCE vulnerabilities in Microsoft's Malware Protection Engine (MPE). Fixes for the MPE may come out at any time, as they are delivered via the same update mechanism as malware signatures (which are updated multiple times per day).

These MPE vulnerabilities also affect Exchange Server, so back-end administrators do have some work to do this month. Exchange Server is also getting a fix for CVE-2017-11932, a spoofing vulnerability that could allow script or content injection attacks, potentially leading to sensitive information disclosure or redirection to a malicious website. Also on the back end, CVE-2017-11885 affects servers with Routing and Remote Access enabled. Although this is typically a small subset of systems in most environments, such servers would be excellent pivot points, allowing an attacker to move laterally within a network.

Office is also getting a smattering of fixes this month, due to information disclosure bugs in PowerPoint and Outlook, a privilege escalation in SharePoint 2016, and an Important rated RCE in Excel 2016. Microsoft has also released defense-in-depth updates for Office and Exchange.

All told, it's a relatively light month compared to what we've seen throughout most of the year. Even the token Flash Player advisory just contains a single CVE, the "Moderate" impact of which is the unintended reset of the global settings preference file. But browsers remain a significant attack vector, and it's only a matter of time before we see exploits developed against some of the vulnerabilities that were patched today.