Microsoft releases 18 security bulletins, 9 rated critical, many bugs disclosed/exploited

Microsoft releases 18 security bulletins, 9 rated critical
OpenClipArt-Vectors (CC0)

Be prepared for restarts and big day of patching after Microsoft skipped Patch Tuesday in February. For March, Microsoft released 18 security bulletins split into nine critical and nine important security updates.

Rated critical

MS17-006 patches 12 security issues in Internet Explorer. One of three information disclosure flaws has been publicly disclosed but is not being exploited, one of the three memory corruption bugs has been publicly disclosed but is not being exploited, and one of them has not been publicly disclosed but is being exploited. Both of the browser spoofing vulnerabilities have been publicly disclosed as has the Internet Explorer elevation of privilege flaw. The patch also addresses a scripting engine information disclosure bug and two scripting engine memory corruption flaws.

MS17-007 is the fix for a whole pile of problems in Microsoft Edge – 32 of them! Of those that have been publicly disclosed, two are listed as Microsoft browser spoofing vulnerabilities, one is called Microsoft Edge spoofing vulnerability, one is a Microsoft browser memory corruption vulnerability, and one is a Microsoft browser information disclosure flaw. Microsoft has each marked as not being exploited despite being publicly disclosed.

The remaining 18 scripting engine memory corruption vulnerabilities—four Microsoft Edge/browser information disclosure flaws, one Microsoft PDF memory corruption bug, three Edge security feature bypass vulnerabilities and one Edge memory corruption vulnerability—were neither previously disclosed nor exploited.

MS17-008 patches security flaws in Windows Hyper-V: Two address Hyper-V vSMB RCE vulnerabilities, and two resolve RCE holes in Hyper-V. It also fixes a Hyper-V information disclosure bug and six Hyper-V denial of service flaws, with one of those denoted as being Microsoft Hyper-V network switch DoS. One Hyper-V DoS vulnerability has been publicly disclosed, although Microsoft said it was not being exploited.

MS17-009 resolves a remote code execution vulnerability in Microsoft Windows PDF library, as it mishandles objects in memory.

MS17-010 addresses five remote code execution flaws in Windows SMB server and one information disclosure bug.

MS17-011 provides the fix for multiple vulnerabilities in Windows Uniscribe, eight of which address RCE vulnerabilities and 21 resolve Uniscribe information disclosure bugs.

MS17-012 addresses vulnerabilities in Windows, including a Windows DLL loading remote code execution flaw, a Device Guard security feature bypass bug, a Windows DNS query information disclosure flaw, a Windows HelpPane elevation of privilege vulnerability, an iSNS Server memory corruption flaw, and a Microsoft Server Message Block 2.0 and 3.0 null dereference denial of service vulnerability—which has been publicly disclosed but is reportedly not being exploited.

MS17-013 covers a plethora of security problems in Windows, Office, Skype for Business, Microsoft Lync and Silverlight. Four fixes are for Graphic Drive Interface (GDI) elevation of privilege vulnerabilities, one is for a GDI component information disclosure bug, three resolve GDI information disclosure flaws, two address Microsoft Color Management Module information disclosure holes, and two resolve graphics component remote code execution vulnerabilities—one of which has been publicly disclosed, but Microsoft says it was not being exploited. One GDI EoP flaw was not publicly disclosed, but it is marked as being actively exploited.

MS17-023 is the fix for Flash, as Adobe patched seven security updates.

Rated important

Although only rated as important, MS17-014 is for Microsoft Office and includes fixes for RCE flaws. It also addresses an XSS vulnerability in SharePoint Server 2013, a security feature bypass in Microsoft Lync for Mac 2011, seven Office memory corruption vulnerabilities, two Office information disclosure bugs, and a publicly disclosed denial of service flaw in Office.

MS17-015 resolves an elevation of privilege flaw in Microsoft Exchange Outlook Web Access (OWA).

MS17-016 is an update for Windows IIS, specifically to address an IIS server XSS elevation of privilege hole.

MS17-017 addresses four security issues, including a Windows kernel elevation of privilege flaw that has been publicly disclosed, two Windows elevation of privilege vulnerabilities and one Windows registry EoP bug.

MS17-018 updates Windows kernel-mode drivers to close eight Win32k elevation of privilege flaws.

MS17-019 fixes an information disclosure vulnerability in Windows Active Directory Federation Services (ADFS).

MS17-020 resolves an information disclosure flaw in Windows DVD Maker, specifically a Windows DVD Maker cross-site request forgery (CSRF) flaw.

MS17-021 patches an information disclosure flaw in Windows DirectShow.

Finally, MS17-022 addresses an information disclosure bug in Microsoft XML Core Services. While Microsoft said it had not been publicly disclosed, it is actively being exploited.

No time to dally, as you likely noted that many had previously been disclosed and several were being exploited already. Good luck, and happy patching!

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)