Microsoft Office 0-day headlines Patch Tuesday, update now!


The second Tuesday of the month means it’s Microsoft’s formerly-known-as Patch Tuesday, currently-known-as Security Update Tuesday, and this month’s update patches 61 vulnerabilities in all, with 23 rated as Critical and 35 as Important. We always urge that you apply patches as soon as possible, but if that’s not convincing enough, read the details below of what’s out there in the wild.

The monthly advisory covers a number of Microsoft products, including:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Skype for Business and Lync
  • Chakra Core

If you can’t get to everything, or you can’t fight every battle, then what to address first? Right now there are two vulnerabilities in this month’s patch list that deserve some extra attention.

Office zero-day

A vulnerability of special interest in this month’s update is CVE-2017-11826, a remote code execution (RCE) vulnerability affecting Microsoft Office.

If an attacker can get a user to open a specially crafted Office file on a vulnerable version of Microsoft Office—perhaps by attaching it to an alluring phishing email— the attacker can run malicious code on the victim’s machine. If the user being attacked has administrative rights then the attacker has them too, giving them the power to installing applications and rights to change important data.

This vulnerability affects many versions of Microsoft Word going all the way back to the 2007 version, as well as various iterations of Office Web Apps Server, Office Word Viewer, SharePoint Enterprise Server and Word Automation Services (check out the advisory for a full list of affected products).

Microsoft says this kind of attack isn’t an if, but a when, as its exploitability assessment for this vulnerability indicates that older versions of Word and Office are already being exploited in the wild.

That said, Microsoft only rates this vulnerability as Important and not Critical because the latest versions of Word and Office are only deemed more likely to be exploited, but aren’t actually being exploited. Don’t take false comfort in that though, Microsoft’s Exploitability Index describes “Exploitation More Likely” as follows:

…exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created.

The CVE-2017-11826 exploit is stopped by Sophos Intercept X and the payloads seen in the wild were detected proactively by Sophos as Troj/DocDrop-JK and Mal/Generic-S.

Malicious DNS

Another RCE getting some attention in this update is CVE-2017-11779, a Critical-rated vulnerability that affects the Windows DNS client (DNSAPI.dll). It can be exploited by a malicious DNS server sending specially crafted responses that can trigger the execution of arbitrary code.

This vulnerability requires an attacker to have a foothold in your DNS hierarchy. If it’s successfully exploited it could potentially hand over full system control as it allows RCE at a variety of privilege levels, including admin.

This vulnerability affects versions of Windows 8 and 10, as well as various versions of Windows Server 2012 and 2016.

Every environment is different so we’d like to know – are there other vulnerabilities in this month’s Microsoft Security Update that you’re focusing on? We’re listening, let us know in the comments.