This month Microsoft released patches for 81 vulnerabilities with 27 of them rated Critical, 52 rated Important and 2 rated Moderate.

Based in the potential impact and the likelihood of being exploited the most concerning vulnerabilities this month are CVE-2017-8759 (zero-day .NET) and CVE-2017-11281 (Adobe Flash). See “Notable CVEs” for more information. There are a few known issues this month listed below under “Known Issues Heads Up!” Information on a Bluetooth vulnerability known as “BlueBorne” was released this month – see “Notable News” below.

Denied patches:

We have denied 2 patches – KB4011039 and KB4011089. We will release them next month if the issues are corrected.

Affected software include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Adobe Flash Player
  • Skype for Business and Lync
  • .NET Framework
  • Microsoft Exchange Server

Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB4038777 – Windows 7, Windows Server 2008 R2
  • KB4038792 – Windows 8.1, Windows Server 2012 R2
  • KB4038799 – Windows Server 2012

Security Only Update

  • KB4038779 – Windows 7, Windows Server 2008 R2
  • KB4038793 – Windows 8.1, Windows Server 2012 R2
  • KB4038779 – Windows Server 2012

Cumulative update for Windows 10

  • KB4038781 – Original release version 1507 (OS Build 10240)
  • KB4038783 – Version 1511 (OS Build 10586)
  • KB4038782 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4038788 – Version 1703 “Creators Update” (OS Build 15063)

Note: Server 2016 uses the same KB as Windows 10 Version 1607

Cumulative Security Update for Internet Explorer 9/10/11

  • KB4036586 – This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

.NET Framework
Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7

  • KB4041086 – Windows Server 2008
  • KB4041083 – Windows 7, Windows Server 2008 R2
  • KB4041085 – Windows 8.1, Windows Server 2012 R2
  • KB4041084 – Windows Server 2012

Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7

  • KB4041093 – Windows Server 2008
  • KB4041090 – Windows 7, Windows Server 2008 R2
  • KB4041092 – Windows 8.1, Windows Server 2012 R2
  • KB4041090 – Windows Server 2012

Denied Patches

KB4011039 Critical non-security update affecting Word and Outlook 2016

Symptom:1) If you merge vertical cells in a table, the cell content disappears, and you can’t select the merged cell. 2) If you open an existing document that has a table with merged cells, the cells are displayed as blank.

Workaround: We anticipate releasing the fix for these issues in the next monthly update that’s tentatively scheduled for October 3, 2017

September 5, 2017, update for Word 2016 (KB4011039)
https://support.microsoft.com/en-us/help/4011039/september-5-2017-update-for-word-2016-kb4011039

KB4011089 Non-rated security update for Outlook 2010

Symptom: Patch disables the VBScript print function in custom forms.

Description of the security update for Outlook 2010: September 12, 2017
https://support.microsoft.com/en-us/help/4011089/descriptionofthesecurityupdateforoutlook2010september12-2017

Known Issues Heads Up!

KB4038792 and KB4038793 – Microsoft initially listed these on this month’s Release Notes as having known issues but has since removed the warning. Links for each show “Microsoft is not currently aware of any issues with this update.”

KB4011050 – After this update is installed, black borders may appear around rows or cells in Excel spreadsheets when you enter text. To fix this issue, install September 12, 2017, update for Excel 2016 (KB4011165).

Description of the security update for Excel 2016: September 12, 2017
https://support.microsoft.com/en-us/help/4011050/descriptionofthesecurityupdateforexcel2016september12-2017

September 12, 2017, update for Excel 2016 (KB4011165)
https://support.microsoft.com/en-us/help/4011165/september-12-2017-update-for-excel-2016-kb4011165

KB4038788 – This is an issue with the August’s Windows 10 (1703) cumulative update but reported in the notes for September
Installing KB4034674 may change Czech and Arabic languages to English for Microsoft Edge and other applications. Microsoft is working on a resolution and will provide an update in an upcoming release.

https://support.microsoft.com/en-us/help/4038788/windows-10-update-kb4038788

Notable CVEs

CVE-2017-8759 The zero-day is a remote code execution vulnerability that affects the .NET Framework.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759

CVE-2017-0161 Microsoft also patched a critical NetBIOS remote code execution vulnerability (CVE-2017-0161). The flaw exists in NetBT Session Services when NetBT fails to maintain certain sequencing requirements, Microsoft said. “To exploit the vulnerability, an attacker needs to be able to send specially crafted NetBT Session Service packets to an impacted system,” according to the bulletin.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0161

CVE-2017-11281 and CVE-2017-11282 Memory corruption vulnerabilities that could lead to code execution
Adobe Flash Player (KB4038806)
https://support.microsoft.com/en-us/help/4038806/security-update-for-adobe-flash-player-sep-12-2017
https://helpx.adobe.com/security/products/flash-player/apsb17-28.html

CVE-2017-9417 Remote code execution that affects the HoloLens Broadcom chipset
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-9417

CVE-2017-8746 Device Guard bypass that allows attackers to inject malicious code in PowerShell sessions
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8746

CVE-2017-8723 Content security policy bypass in Microsoft Edge
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8723

Notable News

“BlueBorne” The biggest thing we knew nothing about until September 12th.
The vulnerabilities disclosed by Armis affect all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. That’s potentially over five billion BlueTooth-enabled devices. Affected vendors were contacted last Spring and have release patches behind the scenes. Microsoft patched this in July.

CVE-2017-8628 Microsoft Bluetooth Driver Spoofing Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628

The IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device

Blueborne