Microsoft has released fixes for 25 critical flaws, including one that’s likely to be used in malware.
Microsoft’s August update addresses a total of 48 flaws, more than half of which are critical remote code execution flaws. The bugs impact Microsoft’s Edge and Internet Explorer, Windows PDF, Windows Search, Sharepoint, and Microsoft’s new Windows Subsystem for Linux. There are also updates for Adobe’s Flash Player plugin in Microsoft's browsers.
Trend Micro’s ZDI though reckons a Windows Search flaw, tagged as CVE-2017-8620, is “by far the most critical bug” this month, in part due to its similarity to a past Search flaw that was attacked. The bug will be attractive to malware authors for its wormable potential.
“An attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” Trend Micro notes, adding that admins should disable the SMBv1 file-sharing protocol.
Microsoft notes the attacker could send specially crafted messages to the Windows Search service to exploit the bug, but says it is not currently being exploited. It affects all supported versions of Windows and Windows Server.
Two other “important” bugs have been made public, including a denial of service flaw affecting its new Windows Subsystem for Linux for Windows 10, and an elevation of privilege flaw in Windows Error Reporting.
Google and Microsoft will update Flash in their respective browsers.
Mozilla on Tuesday also released Firefox 55 which includes fixes for 28 browser flaws, several of which are critical.
This is the first version of Firefox that makes the Flash plugin click-to-run. Over the next month Mozilla is also rolling a feature that lets users set the browser to remember which sites the plugin should be allowed to run. For security reason, it also maintains a blocklist of sites that can't use any plugins.
Mozilla, Microsoft, Google, Facebook, and Apple announced Flash retirement roadmaps last month as Adobe announced it would stop supporting it by the end of 2020.