It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the weekend was also addressed late Monday evening. A flaw in the scanning engine used by various Microsoft anti-malware products could allow attackers to fully compromise a user's system simply by sending them a file as an email attachment or in an instant message, or by enticing them to visit a malicious web page. This vulnerability is especially dangerous for two reasons. In most attacks, users need to be tricked into opening a file or visiting a web page, and even then the malware would generally run at their privilege level unless it's able to escalate. But because the engine runs as SYSTEM, the highest privilege level, it's game over for a compromised system; the attacker has full control. Additionally, because the engine may scan files in the background before the user even sees them, exploitation can occur without the social engineering that is usually a prerequisite. The only good news here is that Microsoft shipped the fix very quickly after being notified, and since it's being delivered as an anti-malware engine update rather than through Windows Update, most users should get the patch without having to take any action.
The fixes released as part of the regular Patch Tuesday updates continue some long-standing trends we've seen from Microsoft, with critical KBs for all supported operating systems addressing remote code execution (RCE) and privilege escalation vulnerabilities. Two separate RCE vulnerabilities in Office were also patched, one of which (CVE-2017-0261) is known to be exploited in the wild. The other Office vulnerability, CVE-2017-0281, is rated "Important" but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps, and Project Server 2013. Edge and Internet Explorer remain reliable attack surfaces with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (CVE-2017-0171) affecting all supported server operating systems.
Alongside today's updates, Microsoft published Security Advisory 4010323 indicating that they've now fully deprecated SSL/TLS certificates that use SHA-1 due to known weaknesses in the algorithm. IE 11 and Edge will no longer load sites with such certificates, and will instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a Microsoft-trusted root); however, any such sites really should switch to SHA-2-based certificates as soon as possible.
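As an added example (not part of the original post), a minimal DER walker that reports a certificate's signature algorithm OID, whether that algorithm embeds SHA-1, and whether the certificate is self-signed, since self-signed and enterprise certificates are exempt from the new IE/Edge block but should still move to SHA-2. The sample certificates at the bottom are constructed placeholders with no real key or signature; no third-party library is assumed.

```python
# Hand-written DER walker: flags the SHA-1 signature condition that now makes IE 11 / Edge
# reject a publicly chained certificate. Self-signed check covers only part of the exemption.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.10040.4.3": "dsa-with-sha1"}          # signature OIDs that embed SHA-1

def read_tlv(buf, off):
    """Parse one DER TLV at off -> (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                            # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def children(buf, start, end):
    """Yield (tag, content_start, content_end) for each element of a constructed value."""
    while start < end:
        yield (item := read_tlv(buf, start))
        start = item[2]

def decode_oid(b):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def audit_cert(cert):
    """Return (signature OID, uses_sha1, self_signed) for one DER-encoded X.509 certificate."""
    _, s, e = read_tlv(cert, 0)                                                   # Certificate SEQUENCE
    (_, tbs_s, tbs_e), (_, alg_s, alg_e), _ = children(cert, s, e)               # tbs, sigAlg, signature
    oid = decode_oid(cert[slice(*next(children(cert, alg_s, alg_e))[1:])])        # signatureAlgorithm.algorithm
    fields = [f for f in children(cert, tbs_s, tbs_e) if f[0] != 0xA0]            # skip optional [0] version
    issuer, subject = (cert[f[1]:f[2]] for f in (fields[2], fields[4]))           # serial, alg, issuer, validity, subject
    return oid, oid in SHA1_SIG_OIDS, issuer == subject

def der(tag, content):
    """DER-encode one TLV (short or long-form length); used only to build the constructed samples."""
    n, lb = len(content), len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def build_cert(sig_oid, issuer_cn, subject_cn):
    """Constructed placeholder certificate: correct DER layout, dummy key and signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, sig_oid) + b"\x05\x00")                             # AlgorithmIdentifier, NULL params
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, der(0x17, b"170509000000Z") * 2) + name(subject_cn) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))                          # dummy BIT STRING signature

SHA1_RSA, SHA256_RSA = bytes.fromhex("2A864886F70D010105"), bytes.fromhex("2A864886F70D01010B")
PUBLIC_SHA1 = build_cert(SHA1_RSA, "Example Public CA", "www.example.test")      # blocked by IE 11 / Edge
SELF_SIGNED_SHA1 = build_cert(SHA1_RSA, "intranet.test", "intranet.test")        # exempt, but still migrate
MODERN = build_cert(SHA256_RSA, "Example Public CA", "www.example.test")
```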