Nineteen critical bug fixes in Microsoft Patch Tuesday - including a remote code execution flaw affecting HoloLens

Patch Tuesday isn't going away just yet, although Adobe may be kicking its patch habit

Microsoft has issued 19 critical bug fixes out of a total of 57-CVE-listed security flaws in its various products this month, while Adobe has chipped in with six, including one critical security flaw in its Flash Player app, running on all platforms.

Microsoft bug fixes include, quite remarkably, a patch for its HoloLens virtual reality headset, although most of the patches cover the usual Microsoft applications: Windows (of course), Internet Explorer, Microsoft Office and its Edge web browser. There are also patches to fix bugs in Exchange Server, Sharepoint and the .Net framework environment

Many of the bugs fixed this month were highlighted in the Zero-day Initiative (ZDI) Pwn2Own competition back in March, the organisation claims, which ‘purchased' the flaws on behalf of the vendors, who have produced fixes in reasonable haste.

"ZDI purchased 51 bugs affecting six different vendors over the three-day competition. Impressively, all affected vendors were able to produce patches within 120 days. It's nice to see fixes for the bugs disclosed during the contest now available to everyone. All of the vendors should be commended for their effort and hard work in making these patches available in a timely manner," claimed the organisation.

These flaws include the HoloLens remote code execution vulnerability.

"This patch covers an RCE that occurs when HoloLens improperly handles objects in memory due to specially crafted WiFi packets. Microsoft lists this as publicly known but not exploited. It's unlikely that this bug will see much use since the Hololens device isn't widely deployed, but this bug is still fascinating for a couple of different reasons," suggested ZDI.

It continued: "The device can be compromised by merely receiving WiFi packets, apparently without any form of authentication at all. On its own, that's something to really delve into, but more than that, we now live in a world where Microsoft releases security patches for augmented reality headsets."

All but four of the flaws were believed not to be public - at least until yesterday when Microsoft released its patches.

"Obviously, the patches impacting Edge, IE and Office should top deployment lists due to the ubiquitous nature of the programs," advised ZDI. "Among the Edge and IE cases are several quite simply titled ‘Scripting Engine Memory Corruption Vulnerability'.

"Some of these cases demonstrate a new class of risk emerging in connection with JavaScript: the danger of vulnerabilities in the execution engine itself. We have begun to receive reports of some vulnerabilities of this class from submitters to the ZDI program," it warned.

Other flaws affect the Windows kernel, there is a remote-code execution flaw fixed in PowerShell that could be highly exploitable if systems aren't fixed, an ASP.net information disclosure flaw, and a Microsoft .Net denial of service vulnerability.

The flaws in Microsoft Office include remote-code execution and information disclosure issues, but organisations will have to tread carefully when installing the Office-related patches as there habve been a number of issues recently with updates to Microsoft Outlook.

At the same time, Adobe has also fixed multiple flaws in its eminently pwnable Flash Player app on all platforms, which ought to be patched as a matter of urgency, as well as Adobe Connect.

These flaws in the Adobe Flash Player include a critical remote-code execution flaw, as well as a couple that are only labelled ‘important'.

The critical flaw, CVE-2017-3099, was uncovered by Jihui Lu of Tencent KeenLab. Not much detail has been published about this flaw yet, but the warning is that an attacker can exploit it to execute arbitrary code if, for example, a user runs a malicious Flash animation or applet on a compromised web page.

In total, Adobe has patched six vulnerabilities across the two products - three in each - which is a pretty small Patch Tuesday by Adobe's standards.