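1. Vulnerability description
This security bulletin shows that Microsoft patched 34 vulnerabilities, of which 21 are rated critical and the other 13 are rated high severity. Affected products are Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, SharePoint and Exchange.
In addition to fixing these 33 vulnerabilities, Microsoft also released a Microsoft Office update that improves security by disabling the Dynamic Data Exchange (DDE) protocol. The update applies to all supported Office versions and is described in detail in ADV170021. If you cannot install this update, you are advised to consult the workarounds that help mitigate DDE exploitation attempts.
In this bulletin Microsoft also released two patches (CVE-2017-11937 and CVE-2017-11940). They fix remote code execution vulnerabilities in the Microsoft Malware Protection Engine (MPE) that the UK National Cyber Security Centre discovered in research last week.
See below for the specific advisories.
Affected scope
The advisories released in December cover the following Microsoft products:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Microsoft Exchange Server
ChakraCore
Microsoft Malware Protection Engine
Critical vulnerabilities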
CVE-2017-11886 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11888 - Microsoft Edge Memory Corruption Vulnerability
CVE-2017-11889 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11890 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11893 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11894 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11895 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11901 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11903 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11905 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11907 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11908 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11909 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11910 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11911 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11912 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11914 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11918 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11930 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11937 - Microsoft Malware Protection Engine Remote Code Execution Vulnerability
CVE-2017-11940 - Microsoft Malware Protection Engine Remote Code Execution Vulnerability
High-severity vulnerabilities
CVE-2017-11885 - Windows RRAS Service Remote Code Execution Vulnerability
CVE-2017-11887 - Scripting Engine Information Disclosure Vulnerability
CVE-2017-11899 - Microsoft Windows Security Feature Bypass Vulnerability
CVE-2017-11906 - Scripting Engine Information Disclosure Vulnerability
CVE-2017-11913 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11916 - Scripting Engine Memory Corruption Vulnerability
CVE-2017-11919 - Scripting Engine Information Disclosure Vulnerability
CVE-2017-11927 - Microsoft Windows Information Disclosure Vulnerability
CVE-2017-11932 - Microsoft Exchange Spoofing Vulnerability
CVE-2017-11934 - Microsoft PowerPoint Information Disclosure Vulnerability
CVE-2017-11935 - Microsoft Excel Remote Code Execution Vulnerability
CVE-2017-11936 - Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2017-11939 - Microsoft Office Information Disclosure Vulnerability
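2. Remediation advice
The Alibaba Cloud security team recommends that you pay attention to these vulnerabilities and apply the patches according to your business situation to improve server security.
We recommend that you enable Windows Update, click the Check for updates button, and download and install the relevant security patches according to your business situation. After installation, restart the server and check that the system is running properly.
Note: Before installing the updates, test them first, and be sure to prepare data backups and snapshots in case something goes wrong.
3. Intelligence sources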