On ‘Patch Tuesday,’ Microsoft plugs 81 critical security vulnerabilities


Microsoft Corp. has issued a range of patches in its monthly “Patch Tuesday,” covering products including web browsers Internet Explorer and Microsoft Edge, the .NET Framework and various Office suite apps.

By the numbers, there were 243 Windows patches, of which 81 were deemed critical. Topping the list were patches for three previously undiscovered issues: CVE-2017-0222 in Internet Explorer 10 and 11, CVE-2017-0261 in Microsoft Office 2010, 2013 and 2016, and CVE-2017-0263 in all supported versions of Windows.

Of the three, the remote code execution vulnerability in Microsoft Office was considered the most severe. It could be exploited when a user opens a file containing a malicious image or inserts a malicious graphics image into an Office file. The Internet Explorer vulnerability worked along similar lines, with remote code execution triggered when a user visits a malicious web page.

Other patches included a fix for a failure of the Windows Update Client to receive updates, issued under security advisory 4022345. “The Windows Update Client may not properly scan for, or download, updates,” Microsoft explained. “This scenario may affect customers who installed a Windows 10 or Windows Server 2016 operating system, and who have never interactively logged in to the system or connected to it through remote desktop services.”

Coming into Patch Tuesday, Microsoft had already moved to patch one critical flaw the day before, CVE-2017-0290. That was a hole in Microsoft’s anti-malware tools that could allow an attacker to craft a file that installs malware at the moment the affected software scans it.

Rapid7 Inc. Senior Security Researcher Greg Wiseman told SiliconANGLE that while the new release was a relatively light month as far as Patch Tuesdays go, the release continues “some longstanding trends we’ve seen from Microsoft, with critical KBs [Knowledge Base articles, a Microsoft indexing format for security issues] for all supported operating systems addressing remote code execution and privilege escalation vulnerabilities.”

Wiseman noted that two separate RCE vulnerabilities in Office were also patched, one of which (CVE-2017-0261) is known to be exploited in the wild. “The other Office vulnerability, CVE-2017-0281, is rated ‘important’ but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps and Project Server 2013,” he said. “Edge and Internet Explorer remain reliable attack surfaces with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (CVE-2017-0171) affecting all supported server operating systems.”

Although it gained less attention, Microsoft’s decision to fully deprecate SSL/TLS certificates signed with the SHA-1 hash algorithm was also a standout feature of the release, he said. “IE 11 and Edge will no longer load sites with such certificates, and instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a trusted root); however, any such sites really should switch to SHA-2 based certificates as soon as possible.”
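A defender checking whether a site will trip the new IE 11/Edge policy needs two facts about a certificate: which signature algorithm it carries, and whether it is a self-signed or enterprise certificate rather than one chained to a public root. The following is an added example, not code from the article, Microsoft or Rapid7: a minimal standard-library DER walker that reads the `signatureAlgorithm` OID from an X.509 certificate and approximates "not chained to a trusted root" by checking whether issuer equals subject (an assumption made so the example runs offline; real chain validation would use the platform's certificate store or `openssl verify`). The certificates it inspects are constructed shells with dummy signature bytes, built inline so the parser has realistic input.

```python
"""Flag certificates that IE 11/Edge will reject after the SHA-1 deprecation.
Added example: a small DER walker plus constructed certificate shells.
The signature bytes in the test certificates are dummies, not real signatures."""

# OIDs whose signature uses SHA-1 (values from the PKIX/PKCS#1/ANSI X9.62 registries)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5",   # sha1WithRSAEncryption
    "1.3.14.3.2.29",          # sha-1WithRSAEncryption (OIW variant)
    "1.2.840.10040.4.3",      # dsa-with-sha1
    "1.2.840.10045.4.1",      # ecdsa-with-SHA1
}

# ---- minimal DER encode/decode helpers -------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))   # base-128, high bit set on all but last byte
    return der_tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

# ---- certificate inspection -------------------------------------------------
def signature_algorithm(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid_body, _ = read_tlv(alg, 0)
    return decode_oid(oid_body)

def is_self_issued(cert_der):
    """Assumption used here as a stand-in for 'not chained to a trusted root'."""
    _, body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(body, 0)
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = nxt
    _, _, pos = read_tlv(tbs, pos)         # serialNumber
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)    # issuer Name
    _, _, pos = read_tlv(tbs, pos)         # validity
    _, subject, _ = read_tlv(tbs, pos)     # subject Name
    return issuer == subject

def browser_verdict(cert_der):
    """'ok' -> loads; 'sha1-blocked' -> invalid-certificate warning;
    'sha1-self-signed' -> exempt for now but should move to SHA-2."""
    if signature_algorithm(cert_der) not in SHA1_SIGNATURE_OIDS:
        return "ok"
    return "sha1-self-signed" if is_self_issued(cert_der) else "sha1-blocked"

# ---- constructed test certificates (structurally valid, dummy signature) ----
def build_cert(sig_oid, issuer_cn, subject_cn):
    name = lambda cn: der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
                      encode_oid("2.5.4.3") + der_tlv(0x0C, cn.encode()))))
    alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")     # NULL params
    validity = der_tlv(0x30, der_tlv(0x17, b"170509000000Z") + der_tlv(0x17, b"180509000000Z"))
    spki = der_tlv(0x30, b"")                                   # placeholder SubjectPublicKeyInfo
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))

SHA1_PUBLIC = build_cert("1.2.840.113549.1.1.5", "Example Public CA", "www.example.com")
SHA1_SELF = build_cert("1.2.840.113549.1.1.5", "intranet.example", "intranet.example")
SHA256_PUBLIC = build_cert("1.2.840.113549.1.1.11", "Example Public CA", "www.example.com")

if __name__ == "__main__":
    for label, cert in [("public SHA-1", SHA1_PUBLIC), ("self-signed SHA-1", SHA1_SELF),
                        ("public SHA-256", SHA256_PUBLIC)]:
        print(f"{label:18} {signature_algorithm(cert):24} -> {browser_verdict(cert)}")
```

Against a real site, `signature_algorithm` can be pointed at the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`; the self-issued check is only a proxy, since an enterprise certificate issued by an internal CA is also exempt under the stated policy yet is not self-issued. Either way, the verdict that matters operationally is the same one Wiseman gives: anything reporting a SHA-1 OID should be reissued under SHA-2.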

Photo: Alf van Beem/Wikimedia Commons