It’s 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros

2017-11-15

Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.

The November edition of Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.

Microsoft's patch dump addresses a total of 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and IE that lets webpages achieve remote code execution, CVE-2017-8700, a flaw in ASP.NET that lets web apps access restricted memory contents, and CVE-2017-11848, a flaw in IE that allows webpages to track users when they leave the website.

As usual, memory corruption and scripting engine flaws in IE and Edge make up the bulk of what Microsoft considers to be the highest risk flaws.

Those include a total of 17 CVE entries (CVE-2017-11837, CVE-2017-11839, CVE-2017-11841, CVE-2017-11861, CVE-2017-11862, CVE-2017-11870, CVE-2017-11836, CVE-2017-11838, CVE-2017-11840, CVE-2017-11843, CVE-2017-11846, CVE-2017-11859, CVE-2017-11871, CVE-2017-11873) described as browser scripting engine memory corruption holes that would allow attackers to execute arbitrary evil code on vulnerable PCs by crafting webpages that exploit the programming blunders.

Three other flaws, CVE-2017-11845, CVE-2017-11855, and CVE-2017-11856, concern similar remote code execution holes in other components of Edge and Internet Explorer that can be exploited by malicious webpages.

A potentially dangerous flaw in Office is not getting as much attention from Microsoft, but is catching the eyes of security experts. CVE-2017-11877 is a flaw in Excel that prevents the application from properly disabling macros in spreadsheets. While it isn't labelled "critical" by Redmond, infosec researchers believe the flaw could have particularly nasty applications for targeted social engineering attacks. Once a mark is tricked into opening a booby-trapped spreadsheet, macros within can automatically run and begin the process of spying on the user, taking over the machine, and so on.

"You may think we’ve educated users enough to stop them from opening unknown documents they didn’t expect," said Trend Micro ZDI researcher Dustin Childs, "but the lure of 'executive_compesantion.xlsx' is hard to deny."

Also catching the attention of security experts is CVE-2017-11830, a flaw in Device Guard that would allow payloads from an attacker to be mistakenly validated and executed under the guise of being a trusted file on Windows.

Remote code execution vulnerabilities were also addressed in Office (CVE-2017-11884, CVE-2017-11882) and specifically in Excel (CVE-2017-11878) and Word (CVE-2017-11854). These would allow for remote code execution when a user opens a maliciously crafted document file that triggers a memory corruption error in the software.

The Windows kernel has yet another elevation of privilege flaw (CVE-2017-11847) that would allow a malicious application to install, view, and alter files with kernel mode access, and four information disclosure bugs (CVE-2017-11853, CVE-2017-11849, CVE-2017-11842, CVE-2017-11851) that let dodgy apps view the contents of restricted memory addresses.

And then there's Adobe

Elsewhere, Adobe's Flash Player has once again earned its moniker of The Internet's Screen Door as the Windows, macOS and Linux versions of the browser plugin received fixes for five remote-code execution vulnerabilities.

The largest Adobe patch load, however, was reserved for Acrobat and Reader this month. The PDF readers were the subject of a whopping 62 CVE entries, most of which are remote code execution flaws triggered by opening a malformed PDF file.

Remember Shockwave Player? It got an update to fix CVE-2017-11294, a memory corruption flaw that would let a malformed Shockwave file achieve remote code execution.

Adobe also released updates for Photoshop CC, Connect, DNG Converter, InDesign, Digital Editions, and Experience Manager. ®


The Register
