Administrators were greeted with a subdued December Patch Tuesday, a quiet end to what had been a somewhat tumultuous...
year early in 2017.
Of the 32 unique Common Vulnerabilities and Exposures (CVEs) that Microsoft addressed, just three patches were directly related to Windows operating systems. While not a critical exploit, the patch for CVE-2017-11885, which affects Windows client and server operating systems, is where administrators should focus their attention.
The patch is for a Remote Procedure Call (RPC) vulnerability for machines with the Routing and Remote Access service (RRAS) enabled. RRAS is a Windows service that allows remote workers to use a virtual private network to access internal network resources, such as files and printers.
"Anyone who has RRAS enabled is going to want to deploy the patch and check other assets to make sure RRAS is not enabled on any devices that don't use it actively to prevent the exploitation," said Gill Langston, director of product management at Qualys Inc., based in Redwood City, Calif.
The attacker triggers the exploit by running a specially crafted application against a Windows machine with RRAS enabled.
"Once the bad actor is on the endpoint, they can then install applications and run code," Langston said. "They establish a foothold in the network, then see where they can spread. The more machines you have under your control, the more ability you have to move laterally within the organization."
In addition, desktop administrators should roll out updates promptly to apply 19 critical fixes that affect the Internet Explorer and Edge browsers, Langston said.
"The big focus should be on browsers because of the scripting engine updates Microsoft seems to release every month," he said. "These are all remote-code execution type vulnerabilities, so they're all critical. That's obviously a concern because that's what people are using for browsing."
Fix released for Windows Malware Protection Engine flaw
On Dec. 6, Microsoft sent out an update to affected Windows systems for a Windows Malware Protection Engine vulnerability (CVE-2017-11937). This emergency repair closed a security hole in Microsoft's antimalware application, affecting systems on Windows 7, 8.1 and 10, and Windows Server 2016. Microsoft added this correction to the December Patch Tuesday updates.
"The fix happened behind the scenes ... but it was recommended [for] administrators using any version of the Malware Protection Engine that it's set to automatically update definitions and verify that they're on version 1.1.14405.2, which is not vulnerable to the issue," Langston said.
OSes that lack the update are susceptible to a remote-code execution exploit if the Windows Malware Protection Engine scanned a specially crafted file, which would give the attacker a range of access to the system. That includes the ability to view and delete data, and create a new account with full user rights.
Other affected Microsoft products include Exchange Server 2013 and 2016, Microsoft Forefront Endpoint Protection, Microsoft Security Essentials, Windows Defender and Windows Intune Endpoint Protection.
"Microsoft uses the Forefront engine to scan incoming email on Exchange 2013 and Exchange 2016, so they were part of this issue," Langston said.
Lessons learned from WannaCry
Microsoft in May surprised many in IT when the company released patches for unsupported Windows XP and Windows Server 2003 systems to stem the tide of WannaCry ransomware attacks. Microsoft had closed this exploit for supported Windows systems in March, but it took the unusual step of releasing updates for OSes that had reached end of life.
Many of the Windows malware threats from early 2017 spawned from exploits found in the Server Message Block (SMB) protocol, which is used to share files on the network. The fact that approximately 400,000 machines got bit by the ransomware bug showed how difficult it is for IT to keep up with patching demands.
"WannaCry woke people back up to how critical it is to focus on your patch cycles," Langston said.
More than three months elapsed between the time Microsoft first patched the SMB vulnerability in March that WannaCry exploited and when the Petya ransomware -- which used the same SMB exploit -- continued to compromise people. Some administrators might be lulled into a false sense of security from the cumulative update servicing model and delay the patching process, Langston said.
"They may delay because the next rollup will cover the updates they missed, but then that's more time those machines are unprotected," he said.
For more information about the remaining security bulletins for December Patch Tuesday, visit Microsoft's Security Update Guide.