June 2017 – Microsoft Patch Tuesday

This year has gone by quickly; hard to believe we’re almost half-way through it already. A mid-summer night’s dream for IT professionals is a summer with no security updates but alas, that’s sure to remain nothing but a fantasy for the foreseeable future. Some of us would settle for just getting the security bulletins back.

As usual, this month brings us an array of patches for all of the currently supported Windows operating systems, both client and server versions. Since support for Vista recently ended, that means Windows 7, 8.1, RT 8.1 and 10, along with Server 2008, 2008 R2, 2012, 2012 R2 and 2016, are getting critical and important updates. We also have the usual cumulative updates for both the Internet Explorer and Edge web browsers, as well as security fixes for Office 2010, 2013 and 2016.

As we’ve discussed here previously, Microsoft is moving away from the individual update model to one of cumulative roll-ups for their products. On the one hand, this makes it easier and more convenient to apply (like an all-in-one combination vaccine for children that protects against diphtheria, tetanus, pertussis, hepatitis B and polio all in one shot). The disadvantage is that if just one of these components causes an allergic reaction (or in the case of update roll-ups, system instability due to incompatibility), there is no easy way to apply some components without the problematic one.

Nonetheless, this is the way it’s done now, so let’s take a look at some of those roll-ups and the issues they address this month.

• Monthly roll-up for Windows 7 and Server 2008 R2 Security-only roll-up (KB4022722) includes security fixes for the Microsoft Graphics Component, Windows COM, Windows Shell, Internet Explorer, Uniscribe, the Windows kernel and kernel-mode drivers. KB4022719 includes the same security fixes plus non-security fixes for printing problems, problems with scanning for hardware with some AMD processor-based systems, and an update to fix a problem with update installation. This month’s updates address 48 vulnerabilities in Windows 7, with six of these rated as critical. A total of 45 vulnerabilities are addressed in Server 2008 and 49 in Server 2008 R2; in both cases six are rated critical.
• Monthly roll-up for Windows 8.1 and Server 2012 R2 Security-only roll-up (KB4022717) includes security fixes for Windows PDF, Windows Scripting Engine, Microsoft Graphics Component, Windows COM, Windows Shell, Internet Explorer, Uniscribe, the Windows kernel and kernel-mode drivers. KB4022726 includes the same security fixes plus non-security fixesfor issues with printing, problems with scanning for hardware with some AMD processor-based systems, and an issue with the functioning of the mouse.  This month’s updates address 52 vulnerabilities in Windows 8.1 and in Server 2012 and 2012 R2, with eight of these rated as critical.
• Monthly roll-up for Windows 10 (KB4022725) applies to Windows 10 builds 15063.413 and .414, and includes security fixes for Windows PDF, Device Guard, IE and Edge, the kernel mode drivers, the Windows Shell and Uniscribe.  This month’s updates address 45 vulnerabilities in Windows 10, with seven of these rated as critical. Some 57 vulnerabilities are addressed this month in Server 2016, with seven of these rated as critical.
• Internet Explorer 11 Monthly Cumulative Update addresses a total of six vulnerabilities, three of which are rated as critical.
• Microsoft Edge Monthly Cumulative Update addresses 17 vulnerabilities, eleven of which are rated as critical.
• Microsoft Office security updates address 18 vulnerabilities (three of which are critical) in Office 2010, five vulnerabilities (none critical) in Office 2013, and four vulnerabilities (none, critical) in Office 2016.
• Security update for Silverlight 5 installed on Windows addresses a remote code execution vulnerability that could be exploited by persuading a user to visit a compromised website or in a file-sharing scenario.  This is the Uniscribe issue and is caused by improper handling of objects in memory by the Windows Uniscribe component. This affects Silverlight, Office 2007 and 2010, Lync 2013, Skype for Business 2016, Office Word Viewer, and all supported versions of the Windows operating system, including the server core installation.
• Adobe Flash Player update for all supported versions of Windows client and server addresses the nine vulnerabilities listed in Adobe’s security bulletin APSB17-17. These include four use-after-free vulnerabilities and five memory corruption vulnerabilities. Adobe has assigned the update a priority 1 rating. Microsoft describes a number of mitigations and workarounds for these issues in Security Advisory 170007 on the MSRC web site.

Vulnerabilities Addressed

According to best count, Microsoft released updates to fix a total of 96 vulnerabilities this month, with eighteen of them rated as critical and seventy-six as important. One each is rated moderate and low. The eighteen critical vulnerabilities that are addressed by the June patches include:

• LNK Remote Code Execution vulnerability (CVR-2017-8464)
• Windows Search Remote Code Execution vulnerability (CVE-2017-8543)
• Windows Uniscribe Remote Code Execution vulnerability (CVE-2017-0283)
• Windows PDF Remote Code Execution vulnerability (CVE-2017-0291)
• Windows PDF Remote Code Execution vulnerability (CVE-2017-0292)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-0223)
• Windows Remote Code Execution vulnerability (CVE-2017-0294)
• Edge Memory Corruption vulnerability (CVE-2017-8496)
• Edge Memory Corruption vulnerability (CVE-2017-8497)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-8499)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-8517)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-8520)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-8522)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-8524)
• Windows Graphics Remote Code Execution vulnerability (CVE-2017-8527)
• Windows Uniscribe Remote Code Execution vulnerability (CVE-2017-8528)
• Scripting Engine Memory Corruption vulnerability (CVE-2017-8548)
• Scripting Engine Remote Code Execution vulnerability (CVE-2017-8549)

The first two of these critical vulnerabilities are known to have been exploited.

Update for older (out of support) operating systems

Microsoft made an unusual move by including in this month’s Patch Tuesday releases a security update for Windows XP, which has been out of support for over three years now, as well as for Vista, that went out of support only two months ago. This is in response to the spread of a ransomware variant called “WannaCry” or “Wanna Decryptor” that reportedly shut down a number of hospitals in the U.K. last month and also infected significant numbers of systems in Russia, Spain and over seventy other countries.

Microsoft announced in the MSRC Team blog on the TechNet site that this update will be available for all recent supported and unsupported versions of Windows and can be installed via Windows Update or downloaded from the Microsoft Download Center. The rationale for this is the widespread and serious nature of the malware, and the threat of state-sponsored attacks utilizing the malware. You can find more information about the vulnerabilities that are addressed by these updates in Microsoft Security Advisory 4025685.

The vulnerabilities presumed to be at risk of imminent attack include several older vulnerabilities (detailed in MS08-067, MS09-050, MS10-061, and MS14-068) as well as 12 more recently discovered ones.

Advisory: Defense in depth update for SharePoint Enterprise Server

Microsoft released an advisory, ADV170008, concerning the update for SharePoint Enterprise Server 2013 SP1 and 2016 to resolve address code execution vulnerabilities (CVE-2017-8509), which is due to failure to properly handle objects in memory.

Summary

This month’s slate of patches was fairly hefty, given the number of vulnerabilities addressed; however, since most of the fixes are rolled up into cumulative updates, the number of patches that need to be applied is much lower. Note that Microsoft also rolled out an update for Windows 10 Mobile devices, which will bring the build number up to 15063.414.