IDG Contributor Network: Largest ever Patch Tuesday from Microsoft

Credit to Author: Greg Lambert | Date: Wed, 15 Mar 2017 11:44:00 -0700

After last month’s rather brief Patch Tuesday from Microsoft, we see the largest ever release of updates for Windows and Microsoft Office — and of course another critical update for Adobe Flash Player.

For this March update, we see an unusually large number of critical updates — nine patches rated as critical and the remaining nine rated by Microsoft as important. In addition to this large cohort of patches, we also get a security advisory with KB3123479.

We have added both browser patches (MS17-006 and MS17-007) and the Adobe Flash Player update (MS17-023) to our “Patch Now” list. In addition, the core XML Services patch (MS17-022), though only rated as important by Microsoft, attempts to resolve a publicly disclosed zero-day flaw. MS17-022 was therefore also added to our “Patch Now” list.

Recently, there have been a few significant changes to how Microsoft releases updates for its Windows platforms. Last October we saw the patch roll-up approach employed for Windows 10 rolled back to include both Windows 8.x and Windows 7 systems. Earlier this year, Microsoft announced that it would be splitting out IE updates due to customer feedback regarding the large size of patch downloads. Chris Goettl from Ivanti (formerly Shavlik) commented, “This was a welcome change for companies. Breaking IE out from the Security Only Bundles will allow more flexibility for companies to avoid supportability issues in web apps or have to not deploy any updates for the OS as well.”

There was speculation that last month’s Patch Tuesday release problems were due to infrastructure changes required to support this change to the release cycle. That said, we have not seen the change to the release cycle yet, and may not for the next few months. In addition to these changes, Microsoft has added a new component to Upgrade Analytics with the introduction of a Patch Compliance feature. Sandeep Deo from Microsoft explains that, “Microsoft has launched a new Windows Analytics based solution called Update Compliance that allows IT pros to get a holistic view of OS compliance including Patch Tuesday, update deployment progress and failure troubleshooting for all Windows 10 systems.” You can read more about this cloud-based patch compliance service here.

The first (of many) updates for this March Patch Tuesday is MS17-006, which attempts to address 12 serious security issues in Microsoft Internet Explorer (IE). Using a specially crafted web page, an attacker could use the most severe of these vulnerabilities to execute code on a targeted machine. Most of these errors fall into the more common categories of script and memory handling issues that have plagued IE for many years.

This update is rated critical by Microsoft for all currently supported desktop platforms, but only moderate for Windows Server platforms. Unfortunately, one of these vulnerabilities has been reported to Microsoft as publicly exploited, which makes this IE update a “Patch Now” fix from Microsoft.

Remember the good old days when IE had more reported vulnerabilities than Microsoft Edge? Well, with MS17-007, Microsoft Edge has a reported 32 vulnerabilities, most relating to memory and scripting issues, with an additional lower-risk issue reported against the built-in Microsoft PDF component. Microsoft Edge, at present, does not have a publicly reported vulnerability, but given the related issues with Adobe Flash and the PDF component, this update should be included in your “Patch Now” release cycle. Note that the changes and contents of the update MS17-009 are included in this Microsoft Edge patch.

MS17-008 attempts to address lower risk security vulnerabilities in Microsoft Hyper-V that, if left unpatched, could lead to a remote code execution scenario. Though Hyper-V can be installed on older systems (Windows 8 and 7) and enabled on Windows 10, it is primarily used on Microsoft server platforms (Server 2012 and 2016). Add this update to your standard patch deployment effort, noting that this update will require a server restart and will be included in this month’s Security Only Quality Update roll-up for March.

MS17-009 addresses a single, lower risk vulnerability in the Microsoft PDF component which affects all currently supported Microsoft Platforms (server and desktop). The changes included in this patch are also included in the Microsoft Edge update MS17-007.

MS17-010 is the “super” SMB vulnerability that we have been waiting for Microsoft to resolve since early February of this year. This vulnerability (and subsequent update) applies to all currently supported Microsoft platforms (desktop and server) and, if left unpatched, could lead to a remote code execution scenario through six highly likely exploitation routes. What are you waiting for? Add this update to your “Patch Now” update list.
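A quick way to check a host's posture against this bulletin is to confirm that the update is installed and that the SMBv1 protocol (the one MS17-010 patches) is not still enabled. The script below is an added example, not code from the article or from Microsoft; the `$RequiredKb` value is a placeholder that must be replaced with the KB number listed in the MS17-010 bulletin for the OS in question.

```powershell
# Added example (not from the article): report MS17-010 patch state and SMBv1 status.
# $RequiredKb is a PLACEHOLDER; take the real KB number from the MS17-010 bulletin.
param(
    [string]$RequiredKb = 'KB0000000'   # PLACEHOLDER, not a real KB id
)

function Get-Ms17010Posture {
    param([string]$Kb)

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        UpdateInstalled = $false
        Smb1Enabled     = $null   # stays $null where the SMB cmdlets are unavailable
    }

    # Get-HotFix reads Win32_QuickFixEngineering, the same source as "Installed Updates".
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
        $result.UpdateInstalled = $true
    }

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later only.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]$result
}

$posture = Get-Ms17010Posture -Kb $RequiredKb
$posture | Format-List

if (-not $posture.UpdateInstalled) {
    Write-Warning "$RequiredKb not found on $($posture.ComputerName); host remains exposed to MS17-010."
}
if ($posture.Smb1Enabled) {
    Write-Warning "SMBv1 is enabled; disabling it is a compensating control alongside the patch."
}
```

Note that on systems receiving the monthly roll-up, `Get-HotFix` reports the roll-up's KB number rather than the bulletin's own, so the placeholder should be the KB id actually delivered to that platform.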

MS17-011 attempts to address a whopping 29 vulnerabilities in the Microsoft Uniscribe component. Uniscribe is a set of APIs that are used by Microsoft to process fine typography or glyphs. My suspicion is that this series of vulnerabilities is related to the PDF issues resolved by the PDF update MS17-009.

MS17-012 addresses six medium risk vulnerabilities on both Windows desktop and server platforms that could lead to a remote code execution scenario. These security issues are more likely to result in a denial-of-service or security feature bypass attack and this patch will require a restart. Add this update to your standard patch deployment schedule.

MS17-013 attempts to address 12 high to medium risk security issues in the core Windows graphics component. In addition, this update is rated critical for all currently supported versions of Office, Skype for Business and Silverlight. This patch covers both a publicly disclosed and a zero-day exploit. One vulnerability actually employs the preview pane of infected files to compromise a target machine. Add this update to your “Patch Now” release cycle.

MS17-023 addresses seven serious security vulnerabilities in Adobe Flash Player that could lead to an attacker taking complete control over a compromised machine. You can read more about the Adobe patch APSB17-07 on the Adobe website. This is a “Patch Now” update from Microsoft/Adobe. Please update your systems and consider removing Flash.

MS17-014 attempts to address 12 reported (11 privately reported, one publicly) but not yet exploited vulnerabilities in Microsoft Office. This series of updates affects all currently supported versions of Office. Add this update to your standard patch release cycle.

MS17-015 addresses a single privately reported vulnerability in Microsoft Exchange Server (2013 and 2016). It will require a reboot, so add this update to your standard server patch cycle.

MS17-016 resolves a single, privately reported vulnerability in Microsoft IIS Server that, if left unpatched, could lead to an elevation of privilege scenario. Add it to your standard server patch deployment effort.

MS17-017 addresses four vulnerabilities in the Windows kernel (three reported privately, and one publicly) relating to how API calls are handled by this core Windows component. This update is a bit of a tricky one. The patch is an update to previous kernel patches from last January and December, which in themselves are cascading kernel updates. This patch may require core application testing in isolation before inclusion in the roll-up patch deployment.

MS17-018 addresses eight privately reported higher-risk vulnerabilities in the Windows Kernel-Mode drivers that could result in an elevation of privilege scenario. These attacks require a user to log in to an unpatched system and run a specially crafted application (EXE). Add this update to your standard patch cycle.

MS17-019 addresses a single, privately reported, difficult to exploit vulnerability in Microsoft Active Directory Federation Services (ADFS) that could lead to the disclosure of sensitive information. Add this update to your standard server update cycle. There are no reported workarounds or mitigating factors, and this update will require a server restart.

MS17-020 resolves a single, privately reported low-risk vulnerability in the Windows DVD Maker feature. Add this update to your standard deployment effort.

MS17-021 is another low-risk, single-issue update to a lesser-used Windows feature. This time the DirectShow graphics API gets an update to prevent unintended information disclosure. Add this update to your standard patch effort.

Microsoft does this a lot. The patch team tries to sneak a “stinker” in as the second-to-last patch of the month (the final patch for this month, MS17-023, is listed above as it has been rated as critical). MS17-022 attempts to resolve a single publicly reported zero-day vulnerability in Microsoft Core XML Services (MSXML). MSXML is a key component for many systems, and more importantly a key piece of middleware for most enterprises. The challenge is not updating this version of MSXML, but keeping it updated. Older applications may include an older and unpatched version and attempt to overwrite the latest secure version. Or deployment systems may deploy key middleware components like this in separate application packages, causing unintended reversions to older, less secure versions. Whenever I see updates to key dependencies like this one, deployments are never straightforward. Test your core applications with this latest MSXML component before general deployment.
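The reversion problem described above is detectable after the fact: an installer that overwrites the patched MSXML DLL leaves a file whose version is below the one the update shipped. The script below is an added example, not code from the article or from Microsoft; it compares the on-disk file versions of the MSXML DLLs against a baseline you supply. The baseline versions shown are placeholders and must be replaced with the file versions from the KB article for MS17-022 on the platform being checked.

```powershell
# Added example (not from the article): flag MSXML DLLs whose file version has
# dropped below the approved baseline, the symptom of an old installer
# overwriting the patched component. Baseline values are PLACEHOLDERS; take the
# real ones from the MS17-022 KB article's file information for your OS.
$Baseline = @{
    'msxml3.dll' = [version]'0.0.0.0'   # PLACEHOLDER
    'msxml6.dll' = [version]'0.0.0.0'   # PLACEHOLDER
}

function Test-MsxmlVersion {
    param(
        [hashtable]$Expected = $Baseline,
        # Both native and WOW64 copies can be reverted independently.
        [string[]]$Directories = @("$env:windir\System32", "$env:windir\SysWOW64")
    )
    foreach ($dir in $Directories) {
        foreach ($name in $Expected.Keys) {
            $path = Join-Path $dir $name
            if (-not (Test-Path $path)) { continue }

            $info = (Get-Item $path).VersionInfo
            # Build a [version] from the numeric parts; the FileVersion string may
            # carry extra text and is unsafe to compare directly.
            $actual = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart,
                                                      $info.FileMinorPart,
                                                      $info.FileBuildPart,
                                                      $info.FilePrivatePart)
            [pscustomobject]@{
                Path     = $path
                Actual   = $actual
                Expected = $Expected[$name]
                Status   = if ($actual -lt $Expected[$name]) { 'REVERTED' } else { 'OK' }
            }
        }
    }
}

$report = Test-MsxmlVersion
$report | Format-Table -AutoSize

$reverted = @($report | Where-Object Status -eq 'REVERTED')
if ($reverted.Count -gt 0) {
    Write-Warning "$($reverted.Count) MSXML file(s) are below baseline; redeploy MS17-022 and review the last application package installed."
}
```

Run this after each application package deployment, or on a schedule, so that a reversion is caught by the check rather than by the next scan of the bulletin's vulnerability.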
