Microsoft’s Patch Tuesday for October addresses 62 vulnerabilities, 27 rated critical and 35 rated important in severity; many of these flaws can lead to remote code execution (RCE). The patches cover features in the Windows operating system (OS), Microsoft Office (including Office Web Apps), Skype for Business, Edge, Internet Explorer (including the Chakra Core browser engine), Exchange Server, and the .NET development framework, among others. As per Microsoft’s previous advisories, this month’s Patch Tuesday also marks the end of support and patches/updates for Office 2007 and Outlook 2007.
Of note is Microsoft’s fix for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was publicly disclosed and reported to be actively exploited in the wild. If successfully exploited, it can enable attackers to take over the system via RCE. According to Microsoft, if the hijacked system/user has administrative rights, the attacker can install programs, modify data, or create accounts with full privileges.