Due in part to the delay of February's fixes, today's Patch Tuesday is a big one, comprising 18 bulletins split evenly between "Critical" and "Important" ratings. It's also significant as three of the bulletins (MS17-006, MS17-012, and MS17-013) contain fixes for vulnerabilities that were previously disclosed by external vendors and have exploit code publicly available. Administrators should prioritize these three updates before moving on to the remaining Critical and then Important ones.
CVE-2017-0037 is a particularly nasty one, allowing attackers to remotely execute arbitrary code if a user visits a malicious web page using Internet Explorer 11 (or potentially Edge). CVE-2017-0038 allows remote attackers to glean potentially sensitive information from process heap memory due to an EMF file handling defect. And CVE-2017-0016 is a denial of service vulnerability that can crash Windows when connecting to a malicious SMB share. Exploit code for it has been publicly available since at least February 1st.
The fact that Microsoft published security bulletins at all this month may come as a surprise to some, given that they announced their intention to transition away from the Security Bulletin model in favour of their Security Updates Guide after January's updates. February's out-of-band release of Adobe Flash Player fixes as MS17-005 hinted that they weren't quite done with the format, and the slew of bulletins issued this month confirms that it's not yet deprecated.
Even so, the Rapid7 vulnerability content team is pressing forward with our promised changes to the way we identify Microsoft vulnerabilities. Instead of being bulletin-centric (e.g. "MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)"), vulnerabilities will be broken down by CVE. For example, MS17-017 is split across four separate CVE identifiers:
- msft-cve-2017-0050: Microsoft CVE-2017-0050: Windows Kernel Elevation of Privilege Vulnerability
- msft-cve-2017-0101: Microsoft CVE-2017-0101: Windows Elevation of Privilege Vulnerability
- msft-cve-2017-0102: Microsoft CVE-2017-0102: Windows Elevation of Privilege Vulnerability
- msft-cve-2017-0103: Microsoft CVE-2017-0103: Windows Registry Elevation of Privilege Vulnerability
This provides a more accurate assessment of risk compared to the legacy approach, where a single bulletin could encompass many individual vulnerabilities. Indeed, across the 18 bulletins this month there are a total of 134 unique CVE identifiers.
One last piece of administrivia this month that security teams should be aware of: the security-only updates for Windows 7, Server 2008 R2, Windows 8.1, and Server 2012 R2 do not include security updates for Internet Explorer. This aligns with how Microsoft has traditionally shipped IE fixes, but it is a reversal of how they've done it over the past several months.