Here we are again: floundering around amid the confusion of another Patch Tuesday without security bulletins. A check of the Security Updates Guide, filtered to show items released between April 12 (post-patch Wednesday of last month) and May 9, shows a total of 243 listings – which is, of course, a pretty meaningless number since it includes a line item for the same patch for each different version of Windows.
The release notes tell us that this month’s releases include updates for Internet Explorer, Edge, Windows, Office/Office Services and Web Apps, the .NET Framework, and Adobe Flash Player. Of course, they don’t tell us how many updates there are for each (because that would be too helpful?).
But before we get to the Patch Tuesday updates, we need to highlight an emergency security fix that Microsoft released on Monday. This fix patches a security vulnerability in the Malware Protection Engine (MPE) that is part of Windows Defender, Security Essentials, and Microsoft Forefront and Intune Endpoint Protection software (CVE-2017-0290). This was a critical issue that enabled attackers to run malware automatically when a file was scanned by the MPE, which could lead to remote code execution or denial of service. You can read more about this one in Security Advisory 4022344.
Now on to the Tuesday releases. Most updates are now cumulative roll-ups for a particular operating system or software application. Thus, we have cumulative updates for the IE and Edge browsers, as well as for Windows 10, 8.1 and 7. For those of you still running Windows Vista, just a reminder that Microsoft ended support for it last month. And if by any chance you’re still running the RTM version of Windows 10, be aware that support for this product ended on this Patch Tuesday (May 9).
- Cumulative update 2017-05 for Windows 10, also known as KB4016871, applies to the “Creators Update” edition of Windows 10 and replaces v15063.250 with v15063.296. This cumulative update is also available for Windows 10 Mobile. According to Microsoft, the update includes security fixes for Edge, IE, the Microsoft Graphics Component, the Windows SMB server, the Windows COM component, the Microsoft scripting engine, the kernel, and the .NET Framework, along with some performance and reliability fixes.
- Security update for Windows 7 and Server 2008 R2 (KB4019263) contains fixes for the Microsoft Graphics Component, Windows COM, ActiveX, Windows Server, Windows DNS and the Windows kernel, and also deprecates the SHA-1 authentication method for SSL/TLS server authentication in the Windows Cryptography API.
- Security update for Windows 8.1 and Server 2012 R2 (KB4019213) contains the same fixes as the Windows 7/2008 R2 update.
- Cumulative update for Internet Explorer (KB4018271) applies to IE running on Windows 7 SP1, Windows 8.1, Windows 10, Server 2008 R2, 2012 R2 and 2016 and fixes multiple security vulnerabilities.
- Security update for the .NET Framework versions 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 running on Windows 7 SP1 and Windows Server 2008 SP2, 2008 R2 SP1, 2012 and 2012 R2 fixes a security feature bypass caused by incomplete validation of certificates.
- Adobe Flash Player security update (KB4020821) applies to the Flash Player software running on Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 8.1, or Windows RT 8.1. This security update was released by Adobe as APSB17-15, and addresses seven critical vulnerabilities that include memory corruption issues and a use-after-free vulnerability, both of which could be exploited to accomplish code execution.
- Security update for Microsoft Office applications, services and web apps addresses CVE-2017-0261 and CVE-2017-0254, both of which are memory corruption issues that can lead to remote code execution. The first is exploited when a user opens a specially crafted EPS file. The second could be exploited by an attacker to run remote code in the context of the current user, by persuading a user to open a specially crafted file or download it from a malicious or compromised web site. The update fixes it by changing the way Office handles objects in memory.
Some of the more critical and/or more exploitable vulnerabilities patched in today’s updates, in addition to those mentioned above, include:
- sys elevation of privilege vulnerability (CVE-2017-0077) in supported versions of the Windows client and server operating systems (Windows 7, 8.1, 10 and Server 2008/2008 R2, 2012/2012 R2 and 2016), which is caused by improper handling of objects in memory. The update fixes the way the Microsoft DirectX graphics kernel subsystem handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.
- Windows SMB remote code execution vulnerability (CVE-2017-0272) in supported versions of the Windows client and server operating systems (Windows 7, 8.1, 10 and Server 2008/2008 R2, 2012/2012 R2 and 2016), which can allow an unauthenticated attacker to remotely execute code, because of the way the Microsoft Server Message Block server handles certain requests. The update corrects the handling of specially crafted requests by the SMB server.
- Memory corruption vulnerability in Internet Explorer (CVE-2017-0222) in IE 10 and 11 running on Windows 7, 8.1, 10 and Server 2008 R2, 2012/2012 R2 and 2016 that is caused by improper handling of objects in memory, and can be exploited by an attacker to run arbitrary code in the context of the current user by luring the user to a malicious or compromised web site. The update fixes the problem by changing the way IE handles objects in memory.
This is only a sampling of some of the vulnerabilities that were patched in this month’s releases.
Microsoft also issued a new build of Windows 10 version 1703 (Build 15063.250) today, which addresses a number of compatibility and non-security issues that include the following:
- VMs losing network connectivity while provisioning IP addresses.
- Remote ring not initiated on device when RemoteRing Configuration Service Provider (CSP) is used.
- Memory leak in Internet Explorer when hosting pages containing nested framesets that load cross-domain content.
- Unexpected intermittent logout from Web applications.
- Monitor brightness issue when booting with the external monitor only and then switching to the built-in display only.
- Unresponsive system (freeze) when running Win32 Direct3D applications or games in full-screen exclusive mode if you resume from Connected Standby.
- Progress page displays incorrect characters when upgrading in Chinese language edition.
- Can’t disable lock screen via Group Policy on Professional SKUs.
- Issue in Windows Forms configuration that causes antivirus applications to quit working when you start up.
- Internet Explorer and Microsoft Edge fixes.
For more information, you can download the relevant release information Excel spreadsheet from the Microsoft Security Updates Guide web site and then manipulate that information in Excel to give you different views and filtering options – you’ll find the download link here.
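If you would rather script that view than build it in Excel, the sketch below collapses the per-product line items into unique KBs and CVEs, which is the number the raw listing count hides. It is an added example, not Microsoft's tooling: it assumes the spreadsheet has been saved as CSV with columns named Product, Article and Details (the real export's headers may differ), and the sample rows are constructed from KB and CVE numbers quoted in this post.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the shape of a Security Updates Guide export.
# Column names (Product, Article, Details) are assumptions; the KB/CVE
# pairings are illustrative rows built from numbers quoted in this post.
SAMPLE_EXPORT = """\
Date,Product,Article,Details
2017-05-09,Windows 7 for x64-based Systems SP1,4019263,CVE-2017-0077
2017-05-09,Windows 7 for 32-bit Systems SP1,4019263,CVE-2017-0077
2017-05-09,Windows 8.1 for x64-based Systems,4019213,CVE-2017-0077
2017-05-09,Windows 10 Version 1703 for x64-based Systems,4016871,CVE-2017-0077
2017-05-09,Windows 7 for x64-based Systems SP1,4019263,CVE-2017-0272
2017-05-09,Windows 8.1 for x64-based Systems,4019213,CVE-2017-0272
2017-05-09,Windows 10 Version 1703 for x64-based Systems,4016871,CVE-2017-0272
2017-05-09,Internet Explorer 11 on Windows 7 SP1,KB4018271,CVE-2017-0222
2017-05-09,Internet Explorer 11 on Windows 8.1,kb4018271, cve-2017-0222
2017-05-09,Adobe Flash Player on Windows 10 Version 1607,4020821,
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def summarize(export_text):
    """Collapse per-product line items into unique KBs and CVEs."""
    kbs, rows, no_cve = set(), 0, 0
    per_cve = defaultdict(lambda: {"kbs": set(), "products": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        rows += 1
        kb = row["Article"].strip().upper()
        kb = kb if kb.startswith("KB") else "KB" + kb   # normalise "4019263" / "kb4019263"
        kbs.add(kb)
        cve = row["Details"].strip().upper()
        if not CVE_RE.match(cve):
            no_cve += 1          # row carries no CVE id; still counted as a KB
            continue
        per_cve[cve]["kbs"].add(kb)
        per_cve[cve]["products"].add(row["Product"].strip())
    return {"rows": rows, "rows_without_cve": no_cve,
            "unique_kbs": sorted(kbs),
            "per_cve": {c: {k: sorted(v) for k, v in d.items()}
                        for c, d in sorted(per_cve.items())}}

if __name__ == "__main__":
    s = summarize(SAMPLE_EXPORT)
    print(f"{s['rows']} line items -> {len(s['unique_kbs'])} KBs, "
          f"{len(s['per_cve'])} CVEs")
    for cve, d in s["per_cve"].items():
        print(cve, d["kbs"], f"{len(d['products'])} products")
```

Point `summarize()` at the text of your own export after adjusting the three column names to match its header row.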