{"id":6992,"date":"2017-03-15T12:30:14","date_gmt":"2017-03-15T20:30:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/15\/news-783\/"},"modified":"2017-03-15T12:30:14","modified_gmt":"2017-03-15T20:30:14","slug":"news-783","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/15\/news-783\/","title":{"rendered":"IDG Contributor Network: Largest ever Patch Tuesday from Microsoft"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt1.staticworld.net\/images\/article\/2014\/11\/windows_patch_tuesday_bug-100530306-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Greg Lambert| Date: Wed, 15 Mar 2017 11:44:00 -0700<\/strong><\/p>\n<p>After last month\u2019s rather <a href=\"http:\/\/computerworld.com\/article\/3173316\/security\/february-patch-tuesday-updated.html\">brief<\/a> Patch Tuesday from Microsoft, we see the largest ever release of updates for Windows and Microsoft Office &#8212; and of course another critical update for Adobe Flash Player.<\/p>\n<p>For this March update, we see an unusually large number of critical updates &#8212; nine patches rated as critical and the remaining nine rated by Microsoft as important. In addition to this large cohort of patches, we also get a security advisory with <a href=\"https:\/\/technet.microsoft.com\/library\/security\/3123479.aspx\">KB3123479<\/a>.<\/p>\n<p>We have added both browser patches (<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-006\">MS17-006<\/a> and <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-007\">MS17-007<\/a>) and the Adobe Flash Player update (<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-023\">MS17-023<\/a>) to our &#8220;Patch Now&#8221; list. 
In addition, the core XML Services patch (<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-022\">MS17-022<\/a>), though only rated as important by Microsoft, attempts to resolve a publicly disclosed <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\">zero-day<\/a> flaw. <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-022\">MS17-022<\/a>\u00a0was therefore also added to our &#8220;Patch Now&#8221; list.<\/p>\n<p>Recently, there have been a few significant changes to how Microsoft releases updates for its Windows platforms. Last October we saw the patch <a href=\"https:\/\/blogs.technet.microsoft.com\/windowsitpro\/2016\/08\/15\/further-simplifying-servicing-model-for-windows-7-and-windows-8-1\/\">roll-up<\/a> approach employed for Windows 10 rolled back to include both Windows 8.x and Windows 7 systems. Earlier this year, Microsoft announced that it would be <a href=\"https:\/\/blogs.technet.microsoft.com\/windowsitpro\/2017\/01\/13\/simplified-servicing-for-windows-7-and-windows-8-1-the-latest-improvements\/\">splitting out IE updates<\/a>\u00a0due to customer feedback regarding the large size of patch downloads. <a href=\"http:\/\/blog.shavlik.com\/author\/chrisgoettl\/\">Chris Goettl<\/a> from <a href=\"http:\/\/www.ivanti.com\/\">Ivanti<\/a> (was Shavlik) commented, &#8220;This was a welcomed change for companies. Breaking IE out from the Security Only Bundles will allow more flexibility for companies to avoid supportability issues in web apps or have to not deploy any updates for the OS as well.&#8221;\u00a0<\/p>\n<p>There was speculation that last month&#8217;s Patch Tuesday release problems were due to infrastructure changes required to support this patch release change. That said, we have not seen this change to the release cycle yet, and may not for the next few months. 
In addition to these changes, Microsoft has added a new component to <a href=\"https:\/\/www.microsoft.com\/en-ca\/windowsforbusiness\/upgrade-analytics\">Upgrade Analytics<\/a> with the introduction of a Patch Compliance feature. Sandeep Deo from Microsoft explains that, &#8220;Microsoft has launched a new Windows Analytics based solution called Update Compliance that allows IT pros to get a holistic view of OS compliance including Patch Tuesday, update deployment progress and failure troubleshooting for all Windows 10 systems.&#8221; You can read more about this cloud based patch compliance service <a href=\"https:\/\/blogs.technet.microsoft.com\/upgradeanalytics\/2017\/02\/10\/announcing-public-preview-of-windows-analytics-update-compliance\/\">here<\/a>.<\/p>\n<p>The first (of many) updates for this March Patch Tuesday is <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-006\">MS17-006<\/a>,\u00a0which attempts to address 12 serious security issues in Microsoft Internet Explorer (IE). Using a specially crafted web page, an attacker could use the most severe of these\u00a0vulnerabilities\u00a0to execute code on a targeted machine. Most of these errors fall into the more common categories of script and memory handling issues that have plagued IE for the past many years.<\/p>\n<p>This update is rated critical by Microsoft for all currently supported desktop platforms, but only moderate for Windows Server platforms. Unfortunately, one of these\u00a0vulnerabilities\u00a0has been reported to Microsoft as publicly exploited, which makes this IE\u00a0update\u00a0a &#8220;Patch Now&#8221; fix from Microsoft.<\/p>\n<p>Remember the good old days when IE had more reported\u00a0vulnerabilities than Microsoft Edge? 
Well, with <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-007\">MS17-007<\/a>, Microsoft Edge has a reported 32 vulnerabilities, most relating to memory and scripting issues with an additional lower risk issue reported against the built-in Microsoft PDF component. Microsoft Edge, at present, does not have a publicly reported\u00a0vulnerability, but given the related issues to Adobe Flash and the PDF component, this update should be included in your &#8220;Patch Now&#8221; release cycle. Note that the changes and contents of the update\u00a0<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-009\">MS17-009<\/a>\u00a0are included in this Microsoft Edge patch.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-008\">MS17-008<\/a>\u00a0attempts to address lower risk security vulnerabilities in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hyper-V\">Microsoft Hyper-V<\/a>\u00a0that, if left unpatched, could lead to a remote code execution scenario. Though Hyper-V can be installed on older systems (Windows 8 and 7) and enabled on Windows 10, it is primarily used on Microsoft server platforms (Server 2012 and 2016). Add this update to your standard patch deployment effort, noting that this update will require a server restart and will be included in this month&#8217;s Security Only Quality Update roll-up for March.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-009\">MS17-009<\/a>\u00a0addresses a single, lower risk\u00a0vulnerability in the Microsoft <a href=\"https:\/\/en.wikipedia.org\/wiki\/Portable_Document_Format\">PDF\u00a0<\/a>component\u00a0which affects all currently supported Microsoft Platforms (server and desktop). 
The changes included in this patch are also included in the Microsoft Edge update <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-007\">MS17-007<\/a>.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-010\">MS17-010<\/a>\u00a0is the &#8220;<a href=\"http:\/\/www.computerworld.com\/article\/3165395\/security\/microsoft-likely-to-fix-windows-smb-denial-of-service-flaw-on-patch-tuesday.html\">super<\/a>&#8221; <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa365233(v=vs.85).aspx\">SMB<\/a>\u00a0vulnerability that we have been waiting for Microsoft to resolve since early February of this year. This\u00a0vulnerability (and subsequent update) applies to all currently supported Microsoft\u00a0platforms\u00a0(desktop and server)\u00a0and if left unpatched could lead to a remote code execution scenario through six highly likely exploitation routes. What are you waiting for? Add this update to your &#8220;Patch Now&#8221; update list.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-011.aspx\" target=\"_blank\">MS17-011<\/a> attempts to address a whopping 29\u00a0vulnerabilities in the Microsoft <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dd374091(v=vs.85).aspx\">Uniscribe<\/a> component. Uniscribe is a set of APIs that are used by Microsoft to process fine typography or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Glyph\">glyphs<\/a>. 
My\u00a0suspicion is that this series of\u00a0vulnerabilities\u00a0is related to the PDF issues resolved by the PDF update <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-009\">MS17-009<\/a>.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-012\">MS17-012<\/a> addresses six medium risk\u00a0vulnerabilities on both Windows desktop and server platforms that could lead to a remote code execution scenario.\u00a0These security issues are more likely to result in a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\">denial-of-service<\/a> or security feature bypass attack and this patch will require a restart. Add this update to your standard patch deployment schedule.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-013\">MS17-013<\/a>\u00a0attempts to address 12 high to medium risk security issues in the core Windows graphics component. In addition, this update is rated critical for all currently supported versions of Office, Skype for Business and Silverlight. This patch covers both a\u00a0publicly disclosed and a zero-day exploit. One vulnerability actually employs the preview pane of infected files to compromise a target machine. Add this update to your &#8220;Patch Now&#8221; release cycle.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-023.aspx\">MS17-023<\/a>\u00a0addresses seven serious security\u00a0vulnerabilities in <a href=\"http:\/\/www.adobe.com\/products\/flashplayer.html\">Adobe Flash Player<\/a> that could lead to an attacker taking complete control over a compromised machine.\u00a0You can read more about the Adobe patch <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb17-07.html\">APSB17-07<\/a>\u00a0on the Adobe website. This is a &#8220;Patch Now&#8221; update from Microsoft\/Adobe. 
Please update your systems and consider removing Flash.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-014\">MS17-014<\/a>\u00a0attempts to address 12 reported (11 privately reported, one publicly) but not yet exploited vulnerabilities\u00a0in Microsoft Office. This series of updates affects all versions of currently supported Office. Add this update to your standard patch release cycle.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-015.aspx\">MS17-015<\/a>\u00a0addresses a single privately reported\u00a0vulnerability\u00a0in Microsoft Exchange Server (2013 and 2016). It will require a reboot, so add this update to your standard server patch cycle.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-016.aspx\">MS17-016<\/a>\u00a0resolves a single, privately reported\u00a0vulnerability in Microsoft IIS Server that, left unpatched, could lead to an elevation of privilege scenario. Add to your standard server patch deployment effort.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-017\">MS17-017<\/a>\u00a0addresses four\u00a0vulnerabilities in the Windows kernel (three reported privately, and one publicly) relating to how API calls are handled by this core Windows component. This update is a bit of a tricky one. The patch is an update to previous kernel patches from last January and December, which in themselves are cascading kernel updates. This patch may require core application testing in isolation before inclusion in the roll-up patch deployment.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-018.aspx\">MS17-018<\/a>\u00a0addresses eight privately reported higher-risk\u00a0vulnerabilities\u00a0in the Windows Kernel-Mode drivers that could result in an elevation of privilege scenario. These attacks require a user to\u00a0log in\u00a0to an unpatched system and run a specially crafted application (EXE). 
Add this update to your standard patch cycle.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-019.aspx\">MS17-019<\/a>\u00a0addresses a single, privately reported, difficult to exploit vulnerability\u00a0in Microsoft Active Directory Federation Services (<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/bb897402.aspx\">ADFS<\/a>) that could lead to the disclosure of sensitive information. Add this update to your standard server update cycle. There are no reported workarounds or mitigating factors, and this update will require a server restart.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-020.aspx\">MS17-020<\/a>\u00a0resolves a single, privately reported low-risk\u00a0vulnerability\u00a0in the Windows DVD Maker feature. Add this update to your standard deployment effort.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-021.aspx\">MS17-021<\/a>\u00a0is another low-risk single issue update to a lesser used Windows feature. This time the\u00a0<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dd375454(v=vs.85).aspx\">DirectShow<\/a>\u00a0graphics APIs get an update to prevent unintended information disclosure. Add this update to your standard patch effort.<\/p>\n<p>Microsoft does this a lot. The patch team tries to sneak a &#8220;stinker&#8221; in as the second to last patch of the month (the final patch for this month, MS17-023, is listed above as it has been rated as critical).\u00a0<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-022.aspx\">MS17-022<\/a>\u00a0attempts to resolve a single publicly reported zero-day\u00a0vulnerability\u00a0in Microsoft core XML Services (<a href=\"https:\/\/en.wikipedia.org\/wiki\/MSXML\">MSXML<\/a>). MSXML is a key component for many systems, and more importantly a key piece of\u00a0middle-ware\u00a0for most enterprises. 
The challenge is not updating this version of MSXML, but keeping it updated. Older applications may include an older and unpatched version and attempt to overwrite the latest secure version. Or deployment systems may deploy key middle-ware systems like this in separate application packages, causing unintended reversions to older, less secure versions. Whenever I see updates to key dependencies like this one, deployments are never straightforward. Test your core applications with this latest MSXML component before general deployment.<\/p>\n<p><strong>This article is published as part of the IDG Contributor Network. <a href=\"\/contributor-network\/signup.html\">Want to Join?<\/a><\/strong><\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3180996\/security\/largest-ever-patch-tuesday-from-microsoft.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt1.staticworld.net\/images\/article\/2014\/11\/windows_patch_tuesday_bug-100530306-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Greg Lambert| Date: Wed, 15 Mar 2017 11:44:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>After last month\u2019s rather <a href=\"http:\/\/computerworld.com\/article\/3173316\/security\/february-patch-tuesday-updated.html\">brief<\/a> Patch Tuesday from Microsoft, we see the largest ever release of updates for Windows and Microsoft Office &#8212; and of course another critical update for Adobe Flash Player.<\/p>\n<p>For this March update, we see an unusually large number of critical updates &#8212; nine patches rated as critical and the remaining nine rated by Microsoft as important. 
In addition to this large cohort of patches, we also get a security advisory with <a href=\"https:\/\/technet.microsoft.com\/library\/security\/3123479.aspx\">KB3123479<\/a>.<\/p>\n<p>We have added both browser patches (<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-006\">MS17-006<\/a> and <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-007\">MS17-007<\/a>) and the Adobe Flash Player update (<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-023\">MS17-023<\/a>) to our &#8220;Patch Now&#8221; list. In addition, the core XML Services patch (<a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-022\">MS17-022<\/a>), though only rated as important by Microsoft, attempts to resolve a publicly disclosed <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\">zero-day<\/a> flaw. <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS17-022\">MS17-022<\/a>\u00a0was therefore also added to our &#8220;Patch Now&#8221; list.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3180996\/security\/largest-ever-patch-tuesday-from-microsoft.html#jump\">To read this article in full or to leave a comment, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761,11079],"class_list":["post-6992","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10","tag-windows-pcs"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6992"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6992\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}