Security Experts:

Microsoft Patches Over 50 Vulnerabilities

Microsoft has patched more than 50 vulnerabilities in its products, including Windows, Internet Explorer, Edge, Office, SharePoint, .NET, Exchange and HoloLens. While some of them have already been disclosed, the tech giant is not aware of any malicious attacks exploiting these flaws.

One of the weaknesses whose details have already been publicly disclosed is CVE-2017-8584, a critical remote code execution vulnerability affecting HoloLens, Microsoft’s mixed reality headset.

The security hole, caused due to how HoloLens handles objects in memory, can be exploited by sending specially crafted Wi-Fi packets to a device. Successful exploitation can allow the attacker to take control of the targeted system.

This is just one of the 19 vulnerabilities rated critical. The list also includes remote code execution vulnerabilities in Windows Search, Windows Explorer, Internet Explorer and the scripting engines used by Microsoft’s web browsers.

The Windows Search flaw (CVE-2017-8589) can be exploited by sending a specially crafted message to this service, which can allow a hacker to elevate privileges and take control of the device. Microsoft pointed out that in an enterprise environment, a remote attacker can exploit the flaw without authentication using an SMB connection.

Other flaws that have already been disclosed are CVE-2017-8587, a Windows denial-of-service (DoS) issue, and CVE-2017-8611 and CVE-2017-8602, both of which are spoofing vulnerabilities affecting web browsers.

Renato Marinho, director of research at Morphus Labs, believes there are also some “important” vulnerabilities worth mentioning. This includes privilege escalation bugs related to the Windows Common Log File System (CLFS) driver and the NT LAN Manager (NTLM) Authentication Protocol, a PowerShell remote code execution flaw, a Kerberos SNAME security feature bypass, and a remote code execution weakness affecting WordPad.

Trend Micro’s Zero Day Initiative (ZDI) pointed out that with the July 2017 Patch Tuesday fixes, Microsoft has addressed all the vulnerabilities disclosed at this year’s Pwn2Own hacking competition.

Microsoft has also updated the Flash Player libraries used by its products – Adobe patched three vulnerabilities on Tuesday with the release of version 26.0.0.137.

Related: Microsoft Issues Emergency Patch in Response to Massive Ransomware Outbreak

Related: Microsoft Patches Several Malware Protection Engine Flaws

Related: Microsoft Patches Zero-Days Exploited by Russia-Linked Hackers

Related: Microsoft Patches Windows Flaws Exploited in Attacks

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.