Overall, Patch Tuesday addressed 12 Critical-rated vulnerabilities and 10 rated as Important, of which two were disclosed via Trend Micro’s Zero Day Initiative. In addition to the MMPE vulnerability updates, some of the other noteworthy fixes include:
- CVE-2017-11899: A security feature bypass that exists when Device Guard incorrectly validates an untrusted file. An attacker successfully exploiting this vulnerability could make untrusted files appear to be trusted ones, causing Device Guard to allow a malicious file to execute.
- CVE-2017-11927: An information disclosure vulnerability that exists when the Windows its:// protocol handler unnecessarily sends traffic to a remote site to determine the zone of a provided URL. Attackers exploiting this vulnerability can use various tactics, such as phishing, to lure users into browsing to a malicious website or to an SMB or UNC path destination. A successful attack can potentially lead to the disclosure of sensitive information to a malicious site.
REF: http://blog.trendmicro.com/trendlabs-security-intelligence/december-patch-tuesday-yearender-includes-updates-mmpe-vulnerabilities/