This is the first month since 1998 in which Microsoft has stopped releasing security bulletins in the familiar MSxx-xxx format, replacing them with the new security update guide. We talked about this change earlier in a few blog posts, and today it’s finally time to say goodbye to security bulletins, which essentially combined related vulnerabilities and products for ease of consumption.
In today’s release Microsoft fixed a total of 45 vulnerabilities that could lead to remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing. Top priority goes to the Office and WordPad update for CVE-2017-0199, a 0-day vulnerability that is being actively exploited in the wild. Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Office or WordPad. An attacker could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file. We recommend administrators patch this as soon as possible.
Next priority goes to the Microsoft IE and Edge browsers. Two critical vulnerabilities (CVE-2017-0201, CVE-2017-0202) were fixed in IE 9, 10 and 11. In the most common scenario, an attacker will host a specially crafted website with malicious JScript and VBScript code that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. Upon viewing the pages in IE, the attacker's code can take complete control of the user’s computer. Three critical vulnerabilities (CVE-2017-0093, CVE-2017-0200, CVE-2017-0205) were fixed in the Edge browser, which can allow attackers to take complete control of the system.
Next priority goes to the Windows Hyper-V component for the three critical vulnerabilities CVE-2017-0162, CVE-2017-0163 and CVE-2017-0180, which could allow malicious guest applications to execute code on the Hyper-V host operating system. The security update addresses the vulnerabilities by correcting how Windows Hyper-V Network Switch validates guest operating system network traffic.
The last remote code execution vulnerability exists in ASP.NET, which fails to properly validate input before loading libraries, allowing attackers to take complete control of the system. Other information disclosure, denial-of-service, privilege elevation and security bypass vulnerabilities were also fixed; these either require special access to execute the attack or produce information which could aid in further attacks.
Overall, it was a moderately sized update, but to get the holistic picture, system administrators and security assessment teams will need to get used to the new security update guide and say goodbye to the familiar security bulletins.