Adobe, Microsoft Release Final Patch Tuesday Updates of 2017
Both Adobe and Microsoft released security updates on Tuesday to address vulnerabilities in Flash, Microsoft Edge, Windows, Internet Explorer, and other platforms.
Adobe wrapped up its 2017 patching cycle with a whimper on Tuesday, fixing just one vulnerability in its Flash Player software.
The fix resolves a moderate business logic error, CVE-2017-11305, in Flash that could lead to the unintended reset of the global settings preference file. The update, part of the company’s usual Patch Tuesday raft of patches, brings Flash from version 22.214.171.124 to 126.96.36.199 on Flash Player Desktop Runtime for Windows, Mac, and Linux, along with Flash Player for Google Chrome and Microsoft Edge, and Internet Explorer 11.
This month’s update marks a significant shift from last month’s, which resolved 86 vulnerabilities, 70 of them critical, across nine different product lines. In that release, Flash, in addition to Photoshop CC, Connect, Acrobat and Reader, DNG Converter, InDesign CC, Digital Editions, Shockwave Player, and Adobe Experience Manager, all received updates.
Microsoft, which also releases security patches on the second Tuesday of the month, this week addressed 34 vulnerabilities across Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Exchange Server, ChakraCore, and its Malware Protection Engine.
None of the vulnerabilities patched this month had been publicly disclosed or found being actively exploited in the wild.
The update includes two fixes for previously identified flaws in the company's Windows Defender product. The bugs, CVE-2017-11937 and CVE-2017-11940, could allow remote code execution when Microsoft's Malware Protection Engine fails to properly scan specially crafted files. The bugs were brought to Microsoft's attention by the National Cyber Security Centre (NCSC), a division of the UK's Government Communications Headquarters (GCHQ), and were first fixed in an emergency, out-of-band update last week.
Another bug fixed on Tuesday, a flaw in Azure AD Connect software in hybrid deployments, could have allowed a malicious administrator to gain unauthorized, privileged access to a customer's on-premises AD. Microsoft released guidance on securing AD DS accounts and a PowerShell script to help admins implement permission changes. Researchers with Preempt Security, a San Francisco-based software security firm, found the issue after reviewing a customer's network and determining 85 percent of users had "unnecessary administrative privilege."
Barring another out-of-band update, it's assumed both updates will be the last either company issues this year; the first Patch Tuesday of 2018 falls on January 9.