After announcing for months that there would be no more security bulletins after the February updates, Microsoft gave us a reprieve in March and issued bulletins after all. I wasn’t the only one who was surprised and happy to see that – but we knew it was only temporary, and that eventually we would have to face what we’d been dreading: the loss of that nicely packaged information that would force us to slog through literally hundreds of update items every month (644 this month, to be exact).
Instead of the bulletins, we now have only the Security Update Guide on the Microsoft Security Response Center (MSRC) web site. The information there is detailed and granular – and unfortunately that granularity creates a tough situation for anyone who’s looking to create a concise review of the releases.
This is undoubtedly easier for the MSRC and allows them to spend more time on hunting down and actually creating the updates to fix the vulnerabilities. It may also work fine for some customers, who want to be able to export the information to a spreadsheet and filter it to apply only to their particular configurations. But for my purposes in writing this blog post, to put it simply, it’s a mess. There is no way to continue providing our monthly patch summary in the same format as before; to try to go through and consolidate the six hundred plus listed updates and glean the pertinent data to do so would take days. I think you’ll find that other writers who cover the patches will be dealing with the same problem.
I’ll sort and summarize as best I can within the new parameters, but expect a different way of presenting the patch information going forward, and more focus on the most critical and/or the widest impact updates. With vulnerabilities and affected software no longer conveniently bundled into bulletins, I’ll be experimenting for a while to find the best way to address this.
As if this weren’t enough, this month is also complicated by the fact that the latest version of Windows 10, the Creators Edition update, will start rolling out (I have, in fact, already installed it, and while it didn’t bring any dramatic changes, it’s been stable and fast on my Surface Pro 4).
In addition – and this is important for those who are still running older operating systems – April is the end date for Vista’s extended support period. That means no more security updates for the OS. If you have computers in your organization that are still running Vista, it’s time to upgrade to a more modern and more secure version of Windows.
As for the more mundane news, we know that April’s updates will include the usual cumulative updates for IE and Edge, a number of updates for various versions of Windows, Microsoft Office, including the web apps, and Adobe Flash Player. Other updates this month apply to the .NET Framework, Silverlight, and Visual Studio for Mac.
The security bulletins were numbered in the format of MSXX-XXX, with the first two Xs being the year and the last three representing the number of the release within that year. Thus MS17-002 would be the second bulletin issued in 2017. Since the bulletins are no more, there is no easy way to categorize them now. Do you go by KB number, by CVE, or by the “details” number (which in some cases is the CVE and in other cases isn’t)? Did I mention that this is a mess?
One of the advantages (for some) of the Security Update Guide is that you can download an Excel spreadsheet containing all the update items (all 644 of them) and then sort them by the various columns. This hasn’t been terribly useful to me in bringing order out of the chaos, but perhaps as time goes on, I’ll devise a way to make it more efficient. Bottom line: While there is more information out there if you want to dig through the entirety of the 644 links, there is less information easily and readily available, and I can no longer just point you to a single link to learn more about a given cumulative update.
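One way to bring some order to that export is to collapse the per-product, per-issue rows into one line per KB article, keeping the highest severity seen for each. The sketch below is an added example, not a Microsoft tool or anything from the original post; the column names, the sample rows and the CVE-style placeholders are constructed, and it assumes the spreadsheet has been saved as CSV.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for a CSV save of the Security Update Guide
# export. Column names are assumptions; the CVE-style ids are placeholders.
SAMPLE_EXPORT = """Product,Article,Severity,Impact,Details
Windows 7 SP1,4015546,Critical,Remote Code Execution,CVE-XXXX-0001
Windows Server 2008 R2,4015546,Important,Elevation of Privilege,CVE-XXXX-0002
Windows Server 2008 R2,4015546,Critical,Remote Code Execution,CVE-XXXX-0001
Windows 8.1,4015550,Important,Information Disclosure,CVE-XXXX-0003
Windows 8.1,4015550,Critical,Remote Code Execution,CVE-XXXX-0001
Windows 10 v1703,4015583,Moderate,Denial of Service,CVE-XXXX-0004
Windows 10 v1703,,Important,Security Feature Bypass,CVE-XXXX-0005
"""

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

def consolidate(csv_text, products=None):
    """Collapse per-product/per-issue rows into one summary per KB article."""
    wanted = {p.lower() for p in products} if products else None
    groups = defaultdict(lambda: {"severity": "", "impacts": set(),
                                  "details": set(), "products": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = row["Product"].strip()
        if wanted is not None and product.lower() not in wanted:
            continue
        # Rows with no article number are kept under their own key, not dropped.
        kb = row["Article"].strip() or "(no KB listed)"
        g = groups[kb]
        sev = row["Severity"].strip()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(g["severity"], 0):
            g["severity"] = sev
        g["impacts"].add(row["Impact"].strip())
        g["details"].add(row["Details"].strip())
        g["products"].add(product)
    # Most severe first, then by KB for a stable order.
    return sorted(groups.items(),
                  key=lambda kv: (-SEVERITY_RANK.get(kv[1]["severity"], 0), kv[0]))

if __name__ == "__main__":
    for kb, g in consolidate(SAMPLE_EXPORT):
        print(f"KB {kb}: {g['severity']}, {len(g['details'])} issue(s), "
              f"{len(g['products'])} product(s): {', '.join(sorted(g['impacts']))}")
```

Passing a list such as `products=["Windows 8.1"]` restricts the summary to the configurations you actually run.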
Meanwhile, since we don’t have much choice, let’s jump right into some of this month’s updates. This month brings us, by my manual count, fixes for fifteen critical vulnerabilities, all of which are remote code execution issues. We also get a number of fixes for important and moderate vulnerabilities, which include information disclosure, denial of service, security bypass and elevation of privilege issues.
We’ll start with the cumulative updates and roll-ups.
Windows 7 SP1 and Server 2008 R2 security update roll-up (KB 4015546). This update addresses multiple vulnerabilities in many different Windows components, including scripting engine, Hyper-V, libjpeg image-processing library, Adobe Type Manager Font Driver, Win32K, Microsoft Outlook, Internet Explorer, Graphics Component, Windows kernel-mode drivers and Lightweight Directory Access Protocol.
Windows 8.1 and Server 2012 R2 security update roll-up (KB 4015550). This update addresses multiple vulnerabilities in many different Windows components, including Hyper-V, libjpeg image-processing library, Win32K, Adobe Type Manager font driver, Active Directory Federation Services, Lightweight Directory Access Protocol, Windows kernel-mode drivers, OLE, Scripting Engine, and the Windows Graphics component.
Windows 10 v1703 security update (KB 4015583). This update addresses multiple vulnerabilities in many different Windows components, including scripting engine, libjpeg image-processing library, Hyper-V, Windows kernel-mode drivers, Adobe Type Manager Font Driver, Internet Explorer, Graphics Component, Active Directory Federation Services, .NET Framework, Lightweight Directory Access Protocol, Microsoft Edge and Windows OLE.
Cumulative update for Internet Explorer (KB 4014661). This update for IE addresses multiple vulnerabilities in the web browser, running on Windows 10 and Server 2016, including the server core installation. The most severe of these are memory corruption issues that could result in remote code execution, thus the update is rated critical.
Security updates for Microsoft Edge. There are a number of updates issued this month to fix security issues in Microsoft Edge running on Windows 10. Both important and critical vulnerabilities are addressed. The most severe of these are memory corruption issues that could result in remote code execution, thus the update is rated critical.
Security updates for Microsoft .NET Framework. These updates address a remote code execution vulnerability that exists when Microsoft .NET Framework fails to properly validate input before loading libraries, in .NET Framework versions 2.0 SP2 through 4.7 running on all currently supported versions of the Windows client and server operating systems. It is rated critical for all.
2017-2605. This is an update for Microsoft Office that turns off, by default, the Encapsulated PostScript (EPS) Filter in Office as a defense-in-depth measure. Microsoft is aware of limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released. It applies to Office 2010, 2013, 2013 RT, and 2016.
2017-3447. This is an update for Adobe Flash that addresses seven vulnerabilities in the Flash Player software, the most serious of which could result in remote code execution. It applies to Windows 10, 8.1 and RT 8.1, and Server 2016.