Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities. Out of the 17 security bulletins, 8 were marked as Critical, which could lead to remote code execution, while the remaining were marked as Important. Since no patches were released for February, a massive update this month was, in a way, expected. We also liked the fact that Microsoft kept the older way of grouping KB articles and patches into security bulletins, which, in our opinion, is easy to read and provides a better overall picture. But the Microsoft blog here alludes that sometime in the future Microsoft will stop publishing security bulletins.
The highest priority overall goes to the Windows GDI bulletin MS17-013, which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. It gets the highest priority because CVE-2017-0005 is a zero-day issue that is currently being actively exploited in the wild. This issue could soon be incorporated into exploit kits using Silverlight as the attack vector, as we have seen happen in the past.
The next priority goes to the SMB update MS17-012, which fixes a vulnerability that allows a malicious SMB server to take control of a client that tries to connect to it. The vulnerability fixed in this bulletin (CVE-2017-0057) had been publicly known for about a month, and proof-of-concept exploits were available for it. This raises the urgency to patch quickly, as attackers could already be at work incorporating them into attacks.
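Because the SMB issue is triggered by a client connecting to an attacker-controlled server, a defender will want to know whether hosts can reach arbitrary SMB servers at all while the patch is rolled out. The following PowerShell audit is an added example, not code from the original post or from Microsoft; it uses the built-in NetSecurity cmdlets, and the rule name and the choice of the `Internet` address keyword (which leaves local-subnet file servers reachable) are assumptions.

```powershell
# Added defensive check (not from the original post): report whether outbound
# SMB (TCP 445) to non-local addresses is blocked by Windows Firewall, which
# limits the SMB client's exposure to untrusted servers until MS17-012 is applied.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later).

function Get-OutboundSmbBlockRules {
    # Enabled outbound Block rules whose port filter covers TCP 445 (or all ports).
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP') -and
            (($pf.RemotePort -contains '445') -or ($pf.RemotePort -eq 'Any'))
        }
}

function Test-OutboundSmbBlocked {
    # True when at least one enabled block rule for outbound TCP 445 exists.
    [bool](Get-OutboundSmbBlockRules)
}

function Add-OutboundSmbBlockRule {
    # Creates the block rule. The display name is a placeholder chosen for this
    # example. 'Internet' (an assumed-suitable built-in address keyword) excludes
    # intranet/local-subnet addresses so on-premises file shares keep working.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = 'Block outbound SMB to Internet (MS17-012 mitigation)')
    if ($PSCmdlet.ShouldProcess($Name, 'Create outbound firewall block rule')) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any
    }
}

if (Test-OutboundSmbBlocked) {
    Get-OutboundSmbBlockRules | Select-Object DisplayName, Profile, Enabled
} else {
    Write-Warning 'No enabled outbound block rule for TCP 445 found; the SMB client can reach remote servers.'
    # Preview only; drop -WhatIf to actually create the rule (requires elevation).
    Add-OutboundSmbBlockRule -WhatIf
}
```

Run from an elevated PowerShell session; the audit part is read-only, and only `Add-OutboundSmbBlockRule` without `-WhatIf` changes firewall state.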
On the desktop side, the next priority goes to the IE and Edge browsers. The most severe of the browser vulnerabilities could allow remote code execution if a user views a specially crafted webpage hosted by the attacker. The details of the three browser vulnerabilities (CVE-2017-0008, CVE-2017-0037, CVE-2017-0065) fixed today were publicly disclosed, which again raises the urgency to patch quickly.
The next priority on the desktop side goes to the Office bulletin MS17-014, which could allow remote code execution if a user opens a specially crafted Microsoft Office file. Information about one of the vulnerabilities (CVE-2017-0029) was also publicly known.
On the server side, the highest priority goes to the Microsoft Exchange and IIS bulletins (MS17-015 and MS17-016 respectively), as both systems are exposed to the internet. Exchange Outlook Web Access (OWA) fails to properly handle web requests, so an attacker who successfully exploited this vulnerability could perform script/content injection attacks. An attacker could exploit the vulnerability by sending a user a specially crafted email containing a malicious link. An attacker who successfully exploited the IIS vulnerability could perform cross-site scripting attacks on affected systems and run script in the security context of the current user.
On the server side, the next priority goes to the Hyper-V bulletin MS17-008, as it could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. This issue is marked as Critical due to the code execution aspect of the vulnerability. The next priority on the server side goes to the Active Directory Federation Server bulletin MS17-019, through which an authenticated attacker who successfully exploited the vulnerability would be able to read sensitive information about the target system.
Overall, it's going to be a very busy month for IT departments of all sizes due to the large number of desktop and server patches. But most people will be pleasantly surprised that Microsoft kept the older way of grouping KB articles into security bulletins, at least for March.