Microsoft goes for a big patch work

Guest written by Greg Wiseman, senior security researcher at Rapid7 about this month’s Microsoft patches, which were released last tuesday

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). These patches are so crucial that Microsoft has once again released fixes for end-of-life operating systems, citing “the elevated risk for destructive cyber attacks at this time,” and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. They include fixes for MS17-013 (a Security Bulletin from April), as well as 21 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Further details are available in Microsoft’s Security Advisory 4025685.

This month’s updates aren’t just about severity, but quantity as well, with 94 separate flaws being patched (compared to 66 last month, and 44 in April). This doesn’t even include the nine critical Adobe Flash Player RCE vulnerabilities (see APSB17-17 for details) that are also being fixed and are rated “Priority 1” (meaning there is a high risk of vulnerable systems being targeted in the wild).

Most of the vulnerabilities are for Windows, split evenly between desktop and server flavors. All of the Windows CVEs have a severity of Important or Critical, with the bulk of impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).

Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them all. In addition to various RCE vulnerabilities for SharePoint being patched, Microsoft has released a defense-in-depth update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that harden the products without addressing specific vulnerabilities.

As usual, web technologies continue to provide additional attack surface. 16 issues with the Edge browser have been patched: 10 RCE, 3 information disclosure and 3 security feature bypass vulnerabilities. Internet Explorer sees 4 RCE and 2 information disclosure bugs being fixed. Last but not least, two critical RCE vulnerabilities in Silverlight have also been patched (CVE-2017-0283 and CVE-2017-8527, each of which also affects several other products).