Patch Tuesday patches are out

Two detailed reports: Tuesday’s report on Computerworld Woody on Windows, and a Wednesday morning update. There’s a whole lot going on.

Of course, we’re at MS-DEFCON 2, so you shouldn’t install any of these.

I count 151 separate security patches, and 48 Knowledge Base articles. Nothing unexpected.

The Release Notes point to four known bugs:

The cumulative update for Win10 Creators Update, version 1703 – which sports dozens of fixes — has a couple of problems: Systems with support enabled for USB Type-C Connector System Software Interface (UCSI) may experience a blue screen or stop responding with a black screen when a system shutdown is initiated, and it may change Czech and Arabic languages to English for Microsoft Edge and other applications.

The cumulative update for Win10 Anniversary Update, version 1607, has a handful of problems: downloading updates using express installation files may fail, after installing a delta update package, the KB numbers appear twice under Installed Updates, package users may see an error dialog that indicates that an application exception has occurred when closing some applications. 

The cumulative update for the original version of Win10, usually called 1507, has a similar problem: package users may see an error dialog that indicates that an application exception has occurred when closing some applications. Apparently this fix is only for the LTSC version.

The Monthly Rollup for Win7 also has an acknowledged bug: an error dialog that indicates that an application exception has occurred when closing some applications.

Anybody see any other bugs?

NOTE: There may be a big flaw in DNS being patched this month. CVE-2017-11779 Kelly Jackson Higgins on the DarkReading site has some details. From the definitive post by Nick Freeman at Bishop Fox:

if an attacker controls your DNS server (e.g., through a man-in-the-middle attack or a malicious coffee-shop hotspot) – they can gain access to your system. This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.

With all that doom and gloom, Microsoft says the flaw hasn’t been exploited, and rates it as “Exploitation Less Likely.”

UPDATE: Martin Brinkmann has his usual exhaustive list on ghacks:

• Windows 7: 20 vulnerabilities of which 5 are rated critical, 15 important
• Windows 8.1: 23 vulnerabilities of which 6 are rated critical, 17 important
• Windows 10 version 1607: 29 vulnerabilities, 6 critical, 23 important
• Windows 10 version 1703: 29 vulnerabilities of which 6 are rated critical, 23 important

I stand in awe of Brinkmann’s ability to turn this around so quickly!

ANOTHER UPDATE: Looks like several of the Office patches are to fix CVE-2017-11826, a bug in Word discovered by Qihoo 360. Catalin Cimpanu at Bleeping Computer has details. Apparently there’s an exploit already in the wild, dating back to August.

There’s a long list of related fixes in KB 4011217, Description of the security update for SharePoint Enterprise Server 2016: October 10, 2017

The Office update list is out: 27 non-security patches, 26 security patches, including key end-of-life patches for Word 2007, Word Viewer, and the Office Compatibility Pack.

Adobe has told Brian Krebs that they have no security updates today.