In the normal course of events, it takes a week (or two or three) for the bugs in each month’s Windows and Office security patches to shake out. This month’s patches are no exception. There are lots of reports of problems with IE and Edge, for example, and many more are piling up.
In the normal course of events, the fresh-off-the-press security patches present more of a threat to most people in the short term than do the problems the patches are supposed to fix. You have to patch sooner or later, but by waiting for the screams of pain to die down, you can save yourself some major headaches.
This month, unfortunately, the scales have tipped in the opposite direction.
Better to patch than risk infection
As I explained yesterday, this month’s Patch Tuesday brought a bunch of patches aimed at fixing a hole in .Net that allowed a bad RTF file to take over your machine. Coined CVE-2017-8759, the security hole romps through an alphabet soup of acronyms, but it boils down to this: Somebody could send you a bad document attached to an email message that, if improperly handled, could take over your computer.
The improper handling? You have to open the bad file in Word and then click the “Enable Editing” button at the top of the document. It's a "d'oh" kind of scenario that, unfortunately, plays out far too often.
As originally reported, this “SOAP WSDL parser code injection vulnerability” appeared in only one rigged Russian-language document, Проект.doc. The exploit appears to come from a group that’s trying to spy on a Russian-speaking organization.
Now I’m seeing mini-courses popping up all over the web, including this YouTube video and this GitHub entry from malware researcher Vincent Yiu, that explain in excruciating detail how to pop open the CVE-2017-8759 security hole. It’s only a matter of time — possibly just hours, certainly days — before the script kiddies pick up on the technique and start spraying infected RTF documents all over the internet.
Bottom line: DON’T CLICK “Enable Editing.” If you can’t keep your finger (or your friends’ or your clients’ fingers) from clicking that button, you better get .Net patched.
Microsoft has a detailed list of which patches to apply. If you’re running Windows 7 or 8.1 and you can figure out which version(s) of .Net are on your machine, you can apply individual patches. If you’re running Windows 10, you have no choice but to install this month’s cumulative update in its entirety.
It’s a damned-if-you-do situation, but in this case — if you can’t keep from clicking “Enable Editing” — you’re better off installing the patch(es) now and dealing with the bugs later.