Here we go again – already well into the month of July and here in Texas and other parts of the U.S., we’re feeling the heat. A midsummer night’s dream of most IT professionals is a vacation from security patches, but we know that in real life, that’s not going to happen. Meanwhile, our friends in the southern hemisphere are enjoying a low of 6°C (42.8°F). Perhaps a more attainable dream would be a trip to Sydney.

The good news is that Microsoft’s slate of security updates looks like “business as usual.” We have the monthly cumulative updates for the Internet Explorer and Edge web browsers, the monthly roll-ups for Windows 7/Server 2008 R2, Windows 8.1/Server 2012 R2, and Windows 10.  In addition, we have updates for Microsoft Office versions 2010, 2013 and 2016, and the ever-present Adobe Flash update.

Let’s take a look at some of this month’s updates and the issues they address.

  • Monthly roll-up for Windows 7 and Server 2008 R2 Security-only roll-up (KB4025337) includes security fixes for a number of different operating system components. These include the Windows kernel, ASP.NET, Windows Search, Windows Storage and File Systems, Datacenter Networking, Windows Virtualization, Windows Server, Windows shell, Microsoft NTFS, Microsoft PowerShell, Windows Kernel-Mode Drivers, and Microsoft Graphics Component. The OS roll-up also includes security fixes for Internet Explorer 11. These fixes address 22 vulnerabilities in Windows 7 and Windows Server 2008 R2, with two of those rated critical.
  • Monthly roll-up for Windows 8.1 and Server 2012 R2 Security-only roll-up (KB4025336) includes security fixes for a number of different operating system components, some of which are the same as those addressed in the Windows 7/Server 2008 R2 update. This roll-up addresses 24 vulnerabilities, with two of them rated critical.
  • Monthly roll-up for Windows 10 version 1703 (KB4025342) includes security fixes for a number of different operating system components. This month’s roll-up addresses only 27 vulnerabilities in contrast to over 50 in June, and only two of these are rated critical. Issues that are addressed involve Windows Search, Windows kernel, Windows shell, Microsoft Scripting Engine, Windows Virtualization, Datacenter Networking, Windows Server, Windows Storage and File Systems, Microsoft Graphics Component, Windows kernel-mode drivers, ASP.NET, Microsoft PowerShell, and the .NET Framework. This roll-up also includes security fixes for Internet Explorer 11 and Edge.
  • Internet Explorer 11 Monthly Cumulative Update addresses a total of seven vulnerabilities, with five of these rated as critical.
  • Microsoft Edge Monthly Cumulative Update addresses nineteen vulnerabilities, with 15 of these rated as critical.
  • Microsoft Office security updates address two vulnerabilities in Office 2010, one vulnerability in Office 2013, and one vulnerability in Office 2016. None of these are rated critical.
  • .NET Framework update patches a .NET Denial of Service vulnerability.
  • ASP.NET update patches an HTTPS.SYS information disclosure vulnerability.
  • Adobe Flash Player update for Flash running on Windows 8.1 and 10 and Windows Server 2012, 2012 R2, and 2016 addresses the three vulnerabilities listed in Adobe’s security bulletin APSB17-21. These include one security bypass and two memory corruption vulnerabilities, with one of the memory corruption vulnerabilities rated as critical. Adobe has assigned the update a priority 1 rating. Microsoft describes mitigations and workarounds for these in its Security Advisory ADV170009 on the Security TechCenter site.
  • Malicious Software Removal Tool monthly update (KB890830) for Windows 7, 8.1, and 10 and Windows Server 2008/2008 R2, 2012/2012 R2, and 2016 was released on July 7.

Vulnerabilities Addressed

Some of the critical vulnerabilities addressed by these patches include:

  • CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability. This vulnerability is due to the way Windows Explorer improperly handles executable files and shares during rename operations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another user. Users not running as administrators would be less affected.
  • CVE-2017-8594 | Internet Explorer Memory Corruption Vulnerability. This is a remote code execution vulnerability that occurs when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2017-8595 | Scripting Engine Memory Corruption Vulnerability. This is a remote code execution vulnerability that is due to the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2017-8601 | Scripting Engine Memory Corruption Vulnerability. This is a remote code execution vulnerability that is due to the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
  • CVE-2017-8603, 8604, 8605 | Scripting Engine Memory Corruption Vulnerability. These are all remote code execution vulnerabilities that are due to the way Microsoft Edge handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2017-8606, 8607, 8608 | Scripting Engine Memory Corruption Vulnerability. These are all remote code execution vulnerabilities that are due to the way JavaScript engines render when handling objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

These are only some examples of critical vulnerabilities that are fixed by the July updates. In total, Microsoft patched 55 vulnerabilities across products and technologies.

Summary

Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in an easily accessed format and moved everything to the Security Update Guide portal, which provides a deluge of unwieldy information. You can view or download the full Excel spreadsheet by entering the date range (July 11, 2017 to July 11, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with the same formatted info as the gone-but-not-forgotten security bulletins).
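
One way to get closer to the old bulletin layout is to save the Security Update Guide export as CSV and regroup it by KB article. The script below is an added example, not part of the original post and not a Microsoft tool. The column names (Product, Article, Details, Severity, Impact) are assumptions about the export, and the sample rows are constructed: the CVE-to-KB pairings are illustrative only and the CVE-PLACEHOLDER ids are not real.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed rows shaped like a Security Update Guide export saved as CSV.
# Column names are assumed; the CVE-to-KB pairings are illustrative only.
SAMPLE_EXPORT = """Product,Article,Details,Severity,Impact
Windows 10 Version 1703,4025342,CVE-2017-8595,Critical,Remote Code Execution
Windows 10 Version 1703,4025342,CVE-2017-8601,critical,Remote Code Execution
Windows 10 Version 1703,4025342,CVE-PLACEHOLDER-1,Important,Information Disclosure
Windows Server 2008 R2,4025337,CVE-2017-8594,Moderate,Remote Code Execution
Windows 7,4025337,CVE-2017-8594,Critical,Remote Code Execution
Windows 7,4025337,CVE-2017-8463,Critical,Remote Code Execution
Windows 7,4025337,CVE-PLACEHOLDER-2,,Denial of Service
"""

RANK = {"Unrated": 0, "Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

def summarize(export_text):
    """Group export rows by KB article; one record per CVE at its highest severity."""
    kbs = defaultdict(lambda: {"products": set(), "cves": {}})
    for row in csv.DictReader(io.StringIO(export_text)):
        article, cve = row["Article"].strip(), row["Details"].strip()
        if not article or not cve:
            continue  # row cannot be attributed to a KB or CVE
        severity = row["Severity"].strip().title()
        if severity not in RANK:
            severity = "Unrated"  # blank or unexpected rating
        entry = kbs["KB" + article]
        entry["products"].add(row["Product"].strip())
        # The export repeats a CVE once per product; keep the worst rating seen.
        seen = entry["cves"].get(cve, "Unrated")
        entry["cves"][cve] = max(seen, severity, key=RANK.get)
    return dict(kbs)

def render(kbs):
    """Format the grouped data as a bulletin-style text summary."""
    lines = []
    for kb, entry in sorted(kbs.items()):
        counts = Counter(entry["cves"].values())
        order = sorted(counts, key=RANK.get, reverse=True)
        tally = ", ".join(f"{counts[s]} {s}" for s in order)
        critical = sorted(c for c, s in entry["cves"].items() if s == "Critical")
        lines.append(f"{kb}: {len(entry['cves'])} CVEs ({tally})")
        lines.append("  Products: " + ", ".join(sorted(entry["products"])))
        lines.append("  Critical: " + (", ".join(critical) or "none"))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_EXPORT)))
```

Counting each CVE once per KB, at the highest severity any product row gives it, avoids inflating totals when the same CVE is listed for every affected product.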