It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros

Not enough? How about a few dozen PDF remote code holes?


Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.

The November of Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.

Microsoft's patch dump addresses a total 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and IE that lets webpages achieve remote code execution, CVE-2017-8700, a flaw in ASP.NET that lets web apps access restricted memory contents, and CVE-2017-11848, a flaw in IE that allows webpages to track users when they leave the website.

As usual, memory corruption and scripting engine flaws in IE and Edge make up the bulk of what Microsoft considers to be the highest risk flaws.

Those include a total of 17 CVE entries (CVE-2017-11837,CVE-2017-11839, CVE-2017-11841, CVE-2017-11861, CVE-2017-11862, CVE-2017-11870, CVE-2017-11836, CVE-2017-11838, CVE-2017-11840, CVE-2017-11843, CVE-2017-11846, CVE-2017-11859, CVE-2017-11871, CVE-2017-11873) described as browser scripting engine memory corruption holes that would allow attackers to execute arbitrary evil code on vulnerable PCs by crafting webpages that exploit the programming blunders.

Three other flaws, CVE-2017-11845, CVE-2017-11855, CVE-2017-11856, concern similar remote code execution holes in other components of Edge and Internet Explorer that can be exploited by malicious webpages.

A potentially dangerous flaw in Office is not getting as much attention from Microsoft, but is catching the eyes of security experts. CVE-2017-11877 is a flaw in Excel that prevents the application from properly disabling macros in spreadsheets. While it isn't labelled "critical" by Redmond, infosec researchers believe the flaw could have particularly nasty applications for targeted social engineering attacks. Once a mark is tricked into opening a booby-trapped spreadsheet, macros within can automatically run and begin the process of spying on the user, taking over the machine, and so on.

"You may think we’ve educated users enough to stop them from opening unknown documents they didn’t expect," said Trend Micro ZDI researcher Dustin Childs, "but the lure of 'executive_compesantion.xlsx' is hard to deny."

Also catching the attention of security experts is CVE-2017-11830, a flaw in Device Guard that would allow payloads from an attacker to be mistakenly validated and executed under the guise of being a trusted file on Windows.

Remote code execution vulnerabilities were also addressed in Office (CVE-2017-11884, CVE-2017-11882) and specifically in Excel (CVE-2017-11878) and Word (CVE-2017-11854) would allow for remote code execution when a user opens a maliciously crafted document file that triggers a memory corruption error in the software.

The Windows kernel has yet another elevation of privilege flaw (CVE-2017-11847) that would allow a malicious application to install, view, and alter files with kernel mode access, and four information disclosure bugs (CVE-2017-11853, CVE-2017-11849, CVE-2017-11842, CVE-2017-11851) that let dodgy apps view the contents of restricted memory addresses.

And then there's Adobe

Elsewhere, Adobe's Flash Player has once again earned its moniker of The Internet's Screen Door as the Windows, macOS and Linux versions of the browser plugin received fixes for five remote-code execution vulnerabilities.

The largest Adobe patch load, however, was reserved for Acrobat and Reader this month. The PDF readers were the subject of a whopping 62 CVE entries, most of which are remote code execution flaws triggered by opening a malformed PDF file.

Remember Shockwave Player? It got an update to fix CVE-2017-11294, a memory corruption flaw that would let a malformed Shockwave file achieve remote code execution.

Adobe also released updates for Photoshop CC, Connect, DNG Converter, InDesign, and Digital Editions, and Experience Manager. ®

Similar topics


Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022