Time to Patch Your Windows Machines as Microsoft Fixes a Critical DNS Bug and Zero-Day Security Issue in Office
In its Patch Tuesday, Microsoft has sent out fixes for over 62 security vulnerabilities earlier today, affecting Windows, Skype, Internet Explorer, Microsoft Edge, and other Redmond products and services. The monthly update for Windows 10 also addresses a critical security issue that allows an attacker to send malformed DNS responses to Windows machines and gain complete access to the target machine. The release also fixes zero-day flaw in Office that has been exploited in targeted attacks.
Patch your Windows machines right away as zero-day flaws spotted in targeted attacks
Today's update brings fixes to three critical security bugs in the Windows DNS client that affect Windows 8, Windows 10, and Windows Server 2012 and 2016. Tracked as CVE-2017-11779, the issue covers multiple memory corruption vulnerabilities in the Windows DNS client and affects the DNSAPI.dll that is the core Windows file that makes DNS requests and receives responses from DNS server.
Nick Freeman, the Bishop Fox researcher responsible for the discovery, wrote that Microsoft's implementation of the NSEC3 (Next Secure Record version 3) feature for DNSSEC is the culprit behind this bug. "It wouldn't surprise me at all if other [OEMs' DNSSEC] implementations" had vulnerabilities as well.
This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) – they can gain access to your system. This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.
This remote code execution vulnerability in Windows DNSAPI could be exploited by accidentally connecting to a malicious DNS server. An attacker could get full control of the targeted Windows machine. However, to exploit this bug, attackers either have to be on the same network as the victim or they need to trick users into using a malicious DNS servers as a default. The security researchers have published a video detailing the bug:
Microsoft Office zero-day remote code execution vulnerability under attack
Reported by Chnese security firm, Qihoo 360, Microsoft has also fixed an Office zero-day bug that has been exploited in targeted attacks. Tracked as CVE-2017-11826, the problem is caused by a memory corruption issue allowing a remote attacker to execute arbitrary code by getting the targeted user to open a specially crafted file. This enables attackers to infect machines using a booby-trapped Microsoft Office documents, allowing malicious code to run with the same rights as the logged-in user. The zero-day affects all supported versions of Microsoft Office.
"If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Microsoft
The security firm reports having first spotted these attacks in August with hackers using phishing techniques to trick the targeted users to open the malicious documents. The final payload was a Trojan designed to steal sensitive information from infected machines.
Other notable security vulnerabilities being fixed by today's releases include CVE-2017-11762 and CVE-2017-11763 in the Windows font library that allow attacker to take control of the affected system by exploiting a remote code execution flaw.
"A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Microsoft.
So yes, a LOT of issues that could potentially be exploited by hackers now that the details are out in the public. You can get the latest security updates from Windows Update or download them from here. Please note that today is the last time Microsoft is sending security updates to Windows 10 version 1511 (aka November Update).