Update: See below for an update for the upcoming February Patch Tuesday.
Microsoft starts off the year with 4 bulletins and continues a long-running trend with their products where the majority of bulletins (2) are remote code execution (RCE), followed by an even distribution of elevation of privilege and denial of service. Missing from this month's list of affected products is Internet Explorer, which typically complements the Edge bulletin (MS17-002). All of this month's critical bulletins are remote code execution vulnerabilities, affecting Adobe Flash Player, Microsoft Office, Microsoft Office Services and Web Apps, and Microsoft Windows.
While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors: consumers.
This month Microsoft resolves 15 vulnerabilities across 4 bulletins. For both consumers and server users, MS17-002 and MS17-003 are the bulletins to watch out for, addressing 14 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, two vulnerabilities addressed by MS17-001 (CVE-2017-0002) and MS17-004 (CVE-2017-0004) are known to have been publicly disclosed.
Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS17-002, MS17-003).
Please note that January marks the end of Microsoft's Security Bulletins as the tech giant transitions to their Security Update Guide instead of publishing bulletins to describe related vulnerabilities. This new portal provides security vulnerability information through an online database where users can filter, sort and search. Be advised that the current Security Update Guide is in preview; for further information refer to Microsoft's blog post on furthering their commitment to security updates.
- CVE-2017-0002 (MS17-001)
- CVE-2017-0003 (MS17-002)
- CVE-2017-2925 (MS17-003)
- CVE-2017-2926 (MS17-003)
- CVE-2017-2927 (MS17-003)
- CVE-2017-2928 (MS17-003)
- CVE-2017-2930 (MS17-003)
- CVE-2017-2931 (MS17-003)
- CVE-2017-2932 (MS17-003)
- CVE-2017-2933 (MS17-003)
- CVE-2017-2934 (MS17-003)
- CVE-2017-2935 (MS17-003)
- CVE-2017-2936 (MS17-003)
- CVE-2017-2937 (MS17-003)
- CVE-2017-0004 (MS17-004)
Update: Microsoft's Security Update Guide FAQ
This Patch Tuesday, February 14th, marks a change for the security community as Microsoft introduces a new portal to consume security updates about their products. For the past 12 years, Microsoft has published security bulletin webpages (e.g. MS16-118) that often referenced multiple vulnerabilities and KB article IDs. Microsoft has taken the opportunity to pivot to a new model focusing around vulnerability ID (e.g. CVE-2017-0004) and KB article ID numbers (e.g. KB2913602) in an attempt to ease access to security information, providing customers more flexibility. The tech giant is actively working with vendors whose tools rely on security bulletin pages in order to help them transition to their new portal. One point the FAQ does not address is whether Microsoft intends to localize their new API.