Microsoft released the latest "Patch Tuesday" updates, which fix some serious vulnerabilities in Windows, as well as in some of its flagship products such as Office, Skype, Internet Explorer and Edge.
As perhaps expected by now, Internet Explorer still has bugs. The new set of bugs allow for remote code execution against IE users who visit a web page that’s been developed specifically for Internet Explorer. An attacker could use the vulnerability to get the same user rights as the user who visits the site.
This means that if a user is logged in as Administrator, which includes most Windows users, the attacker could take full control of the system. The attacker could install new apps, delete data, and even create new Administrators accounts. However, if the user is on a Limited account, then an attacker wouldn’t be able to do too much to the system without the user knowing about it.
Edge is Microsoft’s new and more secure browser, thanks to its sandboxing architecture, but it’s still far from invulnerable. The latest bug also allows remote code execution, and an attacker would gain the same user rights as the current users. Limited account users should be less impacted by the bug than those with administrative rights.
Office is one of Microsoft’s most attacked programs because of its legacy code, but also because it’s used by hundreds of millions of people around the world who often share many Word and Excel documents with each other. The potential for attacks increases through document sharing, as the attackers could load them up with malware and then send them to unsuspecting Office users.
Microsoft also patched some security vulnerabilities in Windows’ graphics software, which affected Windows, Office, Skype for Business, and its Lync enterprise messenger. The vulnerability allows for remote code execution against users who visit a specially crafted web page or open a specially crafted document.
Windows Kernel-Mode Drivers
One of the bugs affected the Windows kernel-mode drivers and allowed for escalation of privileges. An attacker would need to have already gained access to the system, for instance, through one of the above vulnerabilities. If the user was operating a Limited account, then the attacker could use the kernel-mode driver bug to gain administrative privileges, as well.
Two security researchers have already reported multiple Secure Boot vulnerabilities to Microsoft. The bugs would allow an attacker to bypass Windows security features. The company seems to have fixed one of these bugs for this Patch Tuesday, but according to the researchers who found these vulnerabilities, not all of them have been patched in this update. Therefore, Secure Boot remains vulnerable for now.
Some other vulnerabilities, which got fixed in this update, allowed escalation of privileges on systems that were connected to the same domain. Another vulnerability could allow bad actors to attack users that would open specially crafted PDF files and then take full control of their system. A bug was also found in the ActiveSyncProvider, which could allow information disclosure when Universal Outlook fails to establish a secure connection.
RC4 No More
As part of the cumulative updates for Internet Explorer and Edge, Microsoft also removed support for the old and insecure RC4 cipher. Microsoft has already been recommending websites to disable support for RC4 for the past three years, after multiple practical attacks against it were proven to work.
For the websites that must absolutely still support RC4, Microsoft offers an option to enable it through Windows’ Internet Options and by changing some registry settings. However, the company strongly recommended against following that path. The current best practice is for websites to support TLS 1.2 and beyond, and use the AES-GCM mode for encrypted connections.