保安警報 (A17-09-03): Microsoft 產品多個漏洞 (2017年9月)

描述:

Microsoft 發布了 80 個安全性更新，以應對多個影響個別 Microsoft 產品或元件漏洞，其中一項更新加強了多屬防禦措施的保安。

有報告指漏洞正受到攻擊。

受影響的系統:

• Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
• Microsoft Internet Explorer 9, 10, 11
• Microsoft Edge
• Microsoft Windows 7, 8.1, RT 8.1, 10
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
• Microsoft Office 2007, 2010, 2013, 2013 RT, 2016, 2011 for Mac, 2016 for Mac
• Microsoft Office Compatibility Pack
• Microsoft Office Web Apps 2010, 2013
• Microsoft Office Web Apps Server 2013
• Microsoft Office Word Viewer
• Office Online Server
• Microsoft Excel 2007, 2010, 2013, 2013 RT, 2016, 2011 for Mac, 2016 for Mac
• Microsoft Excel Viewer 2007
• Microsoft Excel Web App 2013
• Excel Services
• Microsoft PowerPoint 2007, 2010, 2013, 2013 RT, 2016
• Microsoft PowerPoint Viewer 2007
• Microsoft Live Meeting 2007 Add-in, 2007 Console
• Microsoft Lync 2010, 2010 Attendee, 2013, Basic 2013
• Microsoft Outlook 2007, 2010, 2013, 2013 RT, 2016
• Microsoft Exchange Server 2013, 2016
• Microsoft Publisher 2007, 2010
• Microsoft SharePoint Foundation 2013, Server 2013, Enterprise Server 2016
• Skype for Business 2016, 2016 Basic

有關受影響產品的完整列表，請參閱Microsoft資訊安全技術中心:

https://portal.msrc.microsoft.com/en-us/security-guidance

影響:

成功利用這些漏洞可以導致遠端執行程式碼、提高權限、泄漏資訊、服務受阻斷、繞過保安限制或仿冒詐騙，視乎攻擊者利用哪個漏洞而定。

建議:

受影響產品的修補程式可在 Windows Update 或 Microsoft Update Catalog 獲取。受影響系統的用戶應遵從產品供應商的建議，立即採取行動以降低風險。

進一步資訊:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99
https://support.microsoft.com/en-us/help/20170912/security-update-deployment-information
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170013
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170015
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://www.hkcert.org/my_url/zh/alert/17091301
https://www.us-cert.gov/ncas/current-activity/2017/09/12/Microsoft-Releases-September-2017-Security-Updates
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8628 (to CVE-2017-8632)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8675 (to CVE-2017-8688)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8699
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8706 (to CVE-2017-8714)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8723 (to CVE-2017-8725)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8733 (to CVE-2017-8759)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11766