Hours before today’s Patch Tuesday release on the eve of May 8, Microsoft released an emergency updated to fix a vulnerability in their Malware Protection Engine. This critical vulnerability allows an attacker to take complete control of the victim’s machine by just sending an e-mail attachment. When the malware protection engine scans the attachment the malicious code in the file gets executed, allowing the attacker complete and full access to the computer. The attack can also be carried out by sending the file via an instant message or having the victim download the file from a website. It is absolutely essential that organizations using Microsoft Malware Protection Engine make sure that they are at version Version 1.1.13704.0 or later. Users should also check if they are patched for CVE-2017-0290, which was released for the same issue today.
In today’s Patch Tuesday update Microsoft released a total of 57 vulnerability fixes. Highest priority should go to patching 0-day issues which are actively exploited. On top of our list is the Office patch for CVE-2017-0261 which is triggered when a victim opens an Office file containing a malformed graphics image. The file could be delivered via email or any other means. As this is actively exploited in the wild and attackers can take complete control of the victim system, this should be treated with priority.
CVE-2017-0222 also makes the top of the actively attacked list. This vulnerability affects Internet Explorer, and users can be compromised if they visit a malicious website hosted by attackers. This patch gets priority as the vulnerability is currently exploited in the wild and attackers can take complete control of the victim machine.
Next priority goes to the Edge browser vulnerability CVE-2017-0229, which was publicly disclosed before today’s patch Tuesday release. This issue allows attackers to take complete control of victim machine when the user visits malicious websites using Edge.
Next priority goes to three critical SMB remote code execution vulnerabilities (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279) that affect the Windows server machines as well as desktop clients. The issue exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploits the vulnerability could gain the ability to execute code on the target. To exploit the vulnerability, in most situations an unauthenticated attacker would send a specially crafted packet to the SMBv1 server.
Also today Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted.
In summary today’s release fixed 3 actively exploited and 4 publicly disclosed issues including the malware protection engine, Office, IE, Edge and SMB vulnerabilities. Microsoft also deprecated SHA-1 certificates from IE and Edge.