Microsoft Patch Tuesday, March 2017

We knew that the Microsoft's Valentine's gift to cancel Patch Tuesday on February 14th was only going to be a temporary stay and, sure enough, Patch Tuesday is back and bigger than ever for March. Over all there are 18 bulletins patching a massive 139 unique CVEs. These bulletins are split right down the middle with nine rated as Critical and nine rated as Important. Among the Critical bulletins are remote code execution (RCE) vulnerabilities in the Internet Explorer, Edge browser and Adobe Flash. The Critical list also includes RCE vulnerabilities in the Windows PDF Library, Microsoft Uniscribe. These vulnerabilities can be exploited by being convincing a target to open a malicious document or visit a malicious web site. As always an ongoing Security Awareness training program is critical to protect your organization from social engineering attacks. A particularly nasty Critical bulletin affecting Hyper-V would allow any regular user in a guest operating system to trigger arbitrary code at the host operating system level.

Three zero day vulnerabilities released in February by security researchers are all patched by the Critical bulletins today. This includes the SMB DoS released by Laurent GaffiƩ as well the two Google Project Zero released. In February Project Zero released a critical vulnerability in IE and Edge (CVE-2017-0037) as well as a critical vulnerability in Microsoft Graphics Component (GDI).

The biggest news is not this Patch Tuesday, but the fact that Patch Tuesday was skipped in February. Even though we've seen specific patches slip to the following month, this was the first time that Microsoft delayed an entire release. That said, there are very few software vendors that have such a well defined and generally agile patching process as Microsoft. While we see zero days leaked on occasion like the SMB DoS or CVE-2017-0037, Microsoft's responsible disclosure program has done a great job of providing patches ahead of exploits. Their MAPP program gives security vendors like Trustwave early insight into their patches in order to provide additional protections for Microsoft customers that can't patch immediately. This has helped secure countless Microsoft users and is not something you see offered by many other major software vendors. All in all, it was an odd and unprecedented step to delay the release, but one that I think will probably benefitted Microsoft customers more than it put them at risk.

Back to this Patch Tuesday, these bulletins cover the gamut of Microsoft products. Client and Server software and operating systems. Some of the bulletins affect systems that are often made public like MS Exchange and IIS. Add in to all of this three zero day vulnerabilities and you've got a super busy week in front of you. So until next month, get patching!

MS17-006
CVE-2017-0008, CVE-2017-0009, CVE-2017-0012, CVE-2017-0018, CVE-2017-0033, CVE-2017-0037, CVE-2017-0040, CVE-2017-0049, CVE-2017-0059, CVE-2017-0130, CVE-2017-0149, CVE-2017-0154
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9) and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS17-007
CVE-2017-0009, CVE-2017-0010, CVE-2017-0011, CVE-2017-0012, CVE-2017-0015, CVE-2017-0017, CVE-2017-0023, CVE-2017-0032, CVE-2017-0033, CVE-2017-0034, CVE-2017-0035, CVE-2017-0037, CVE-2017-0065, CVE-2017-0066, CVE-2017-0067, CVE-2017-0068, CVE-2017-0069, CVE-2017-0070, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0135, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0140, CVE-2017-0141, CVE-2017-0150, CVE-2017-0151
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Microsoft Edge on Windows 10 and Moderate on Windows Server 2016.

MS17-008
CVE-2017-0021, CVE-2017-0051, CVE-2017-0074, CVE-2017-0075, CVE-2017-0076, CVE-2017-0095, CVE-2017-0096, CVE-2017-0097, CVE-2017-0098, CVE-2017-0099, CVE-2017-0109
Critical
Security Update for Windows Hyper-V

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

This security update is rated Critical for all supported editions of Windows

MS17-009
CVE-2017-0023
Critical
Security Update for Microsoft Windows PDF Library

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document.

This security update is rated Critical for all supported editions of Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016.

MS17-010
CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
Critical
Security Update for Windows SMB Server

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Windows SMBv1 server.

This security update is rated Critical for all supported releases of Microsoft Windows.

MS17-011
CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0085, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, CVE-2017-0090, CVE-2017-0091, CVE-2017-0092, CVE-2017-0111, CVE-2017-0112, CVE-2017-0113, CVE-2017-0114, CVE-2017-0115, CVE-2017-0116, CVE-2017-0117, CVE-2017-0118, CVE-2017-0119, CVE-2017-0120, CVE-2017-0121, CVE-2017-0122, CVE-2017-0123, CVE-2017-0124, CVE-2017-0125, CVE-2017-0126, CVE-2017-0127, CVE-2017-0128
Critical
Security Update for Microsoft Uniscribe

This security update resolves vulnerabilities in Windows Uniscribe. The most severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, and Windows Server 2016.

MS17-012
CVE-2017-0007, CVE-2017-0016, CVE-2017-0039, CVE-2017-0057, CVE-2017-0100, CVE-2017-0104
Critical
Security Update for Microsoft Windows

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server.

This security update is rated Critical for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607 and Windows Server 2016, and Important for Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, and Windows 10 Version 1511.

MS17-013
CVE-2017-0001, CVE-2017-0005, CVE-2017-0014, CVE-2017-0025, CVE-2017-0038, CVE-2017-0047, CVE-2017-0060, CVE-2017-0061, CVE-2017-0062, CVE-2017-0063, CVE-2017-0073, CVE-2017-0108
Critical
Security Update for Microsoft Graphics Component

This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how the Windows handles objects in memory.

This security update is rated Critical for all supported releases of Microsoft Windows, affected editions of Microsoft Office 2007 and Microsoft Office 2010, affected editions of Skype for Business 2016, Microsoft Lync 2013, and Microsoft Lync 2010 and affected editions of Silverlight.

MS17-014
CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0027, CVE-2017-0029, CVE-2017-0030, CVE-2017-0031, CVE-2017-0052, CVE-2017-0053, CVE-2017-0105, CVE-2017-0107, CVE-2017-0129
Important
Security Update for Microsoft Office

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See the full Microsoft bulletin for affected versions of Microsoft Office.

MS17-015
CVE-2017-0110
Important
Security Update for Microsoft Exchange Server

This security update resolves a vulnerability in Microsoft Exchange Outlook Web Access (OWA). The vulnerability could allow remote code execution in Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016.

MS17-016
CVE-2017-0055
Important
Security Update for Internet Information Services

This security update resolves a vulnerability in Microsoft IIS Server. The vulnerability could allow elevation of privilege if a user clicks a specially crafted URL which is hosted by an affected Microsoft IIS Server. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user's browser to obtain information from web sessions.

This security update is rated Important for all supported releases of Microsoft Windows.

MS17-017
CVE-2017-0050, CVE-2017-0101, CVE-2017-0102, CVE-2017-0103
Important
Security Update for Windows Kernel

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS17-018
CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0080, CVE-2017-0081, CVE-2017-0082
Important
Security Update for Windows Kernel-Mode Drivers

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

This security update is rated Important for all supported releases of Windows 10 and for Windows Server 2016.

MS17-019
CVE-2017-0043
Important
Security Update for Active Directory Federation Services

This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.

The update addresses the vulnerability by adding additional verification checks in ADFS.

MS17-020
CVE-2017-0045
Important
Security Update for Windows DVD Maker

This security update resolves an information disclosure vulnerability in Windows DVD Maker. The vulnerability could allow an attacker to obtain information to further compromise a target system.

This security update is rated Important for Windows Vista and Windows 7.

MS17-021
CVE-2017-0042
Important
Security Update for DirectShow

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow an information disclosure if Windows DirectShow opens specially crafted media content that is hosted on a malicious website. An attacker who successfully exploited the vulnerability could obtain information to further compromise a target system.

This security update is rated Important for all affected versions of Windows.

MS17-022
CVE-2017-0022
Important
Security Update for Microsoft XML Core Services

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Important for Microsoft XML Core Services 3.0 on all supported releases of Microsoft Windows.

MS17-023
CVE-2017-2997, CVE-2017-2998, CVE-2017-2999, CVE-2017-3000, CVE-2017-3001, CVE-2017-3002, CVE-2017-3003
Adobe Security Bulletin APSB17-07
Critical
Security Update for Adobe Flash Player

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.