Microsoft patched several critical and important vulnerabilities Tuesday tied to Office 2016, its Edge browser and its Local Security Authority Subsystem Service (LSASS). The patches are part of Microsoft’s regular Patch Tuesday update and included four bulletins altogether, with two marked as critical and the others rated important.
First up is a critical security patch for Microsoft Office (MS17-002) that addresses a vulnerability that could allow remote code execution if a user opened a specially crafted Office file, according to Microsoft. The flaw (CVE-2017-0003) affects specific Office applications, including Microsoft Word 2016 (32-bit and 64-bit) as well as Microsoft SharePoint Enterprise Server 2016.
“Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” according to the bulletin.
Microsoft’s second critical bulletin (MS17-003) covered a swath of bugs in the Adobe Flash Player component that ships with Windows 8.1 (32-bit and 64-bit), Windows RT 8.1, multiple versions of Windows 10 and Windows Server 2016. Those Adobe Flash Player vulnerabilities were outlined earlier Tuesday by Adobe when it announced a bevy of patches that addressed code execution flaws in Flash, Reader and Acrobat. As a workaround alongside the patches, Microsoft suggested preventing Adobe Flash Player from running in Internet Explorer and in other applications that honor the ActiveX kill bit, such as Office 2007 and Office 2010.
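The kill-bit workaround is a registry change, not a setting in the Flash or IE UI. The script below is an added example written for this article, not code from Threatpost or from Microsoft's bulletin; it assumes the well-known CLSID of the Shockwave Flash ActiveX control and that bit 0x400 of the "Compatibility Flags" value is the kill bit that tells Internet Explorer and other kill-bit-aware hosts to refuse to instantiate the control. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Microsoft's bulletin): set the ActiveX kill bit
# for the Adobe Flash Player control so IE, Office 2007/2010 and other kill-bit-aware
# hosts refuse to load it, then verify the change. Requires an elevated prompt.
# Assumptions: this CLSID is the Shockwave Flash Object; 0x400 is the kill-bit flag.
$flashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$killBit    = 0x00000400   # COMPAT_EVIL_DONT_LOAD: never instantiate this control

$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit IE and 32-bit Office on 64-bit Windows read the WOW64 view of the registry.
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $killBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verification: every path should report a value with bit 0x400 set.
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($v -band $killBit) { 'SET' } else { 'NOT SET' }
    '{0}: Compatibility Flags = 0x{1:X8} (kill bit {2})' -f $p, $v, $state
}
```

The kill bit only affects hosts that check it; it does not patch anything, and Microsoft Edge and Internet Explorer on Windows 8.1 and Windows 10 receive their Flash fixes through Windows Update regardless. To revert, clear bit 0x400 from the same value rather than deleting the key, so any other compatibility flags survive.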
Elevation of privilege vulnerabilities (MS17-001), rated important, were found in seven versions of Microsoft’s Edge browser and were also patched.
“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge,” according to Microsoft .
An additional denial of service vulnerability rated important was also patched, affecting Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (including Server Core installations). The DoS vulnerability (MS17-004) exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests, said Microsoft. “An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system,” Microsoft said.
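Because an LSASS crash forces Windows to restart, the symptom of this bug is visible in the event logs even where the exploit itself leaves no trace. The script below is an added example written for this article, not code from Threatpost or Microsoft; it assumes that Wininit writes System event 1015 ("A critical system process, ...lsass.exe, failed ...") when LSASS dies and that Application Error writes Application event 1000 for the crashing process. The sample events are constructed to exercise the filter offline.

```powershell
# Added example (not part of the article or any Microsoft bulletin): flag reboots caused by
# an LSASS crash, the observable effect of the MS17-004 denial of service.
# Assumptions: System event 1015 (Wininit) records a critical-process failure that forces a
# restart; Application event 1000 (Application Error) records the faulting process.

function Select-LsassCrash {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $isForcedRestart = ($Event.LogName -eq 'System')      -and ($Event.Id -eq 1015)
        $isAppCrash      = ($Event.LogName -eq 'Application') -and ($Event.Id -eq 1000)
        # Only keep records whose message names lsass.exe; other crashing processes are noise here.
        if (($isForcedRestart -or $isAppCrash) -and ($Event.Message -match '\blsass\.exe\b')) {
            [pscustomobject]@{
                Time          = $Event.TimeCreated
                Host          = $Event.MachineName
                Id            = $Event.Id
                ForcedRestart = $isForcedRestart
                Summary       = ($Event.Message -split "`r?`n")[0]
            }
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output (not real log data).
$sample = @(
    [pscustomobject]@{ LogName='System'; Id=1015; TimeCreated=[datetime]'2017-01-10T09:12:03'; MachineName='DC01'
                       Message='A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.' }
    [pscustomobject]@{ LogName='Application'; Id=1000; TimeCreated=[datetime]'2017-01-10T09:12:02'; MachineName='DC01'
                       Message='Faulting application name: lsass.exe, version: 6.1.7601.23677, time stamp: 0x00000000' }
    # Unrelated application crash; must not be reported.
    [pscustomobject]@{ LogName='Application'; Id=1000; TimeCreated=[datetime]'2017-01-10T08:00:00'; MachineName='WS07'
                       Message='Faulting application name: notepad.exe, version: 10.0.14393.0, time stamp: 0x00000000' }
)
$sample | Select-LsassCrash | Sort-Object Time | Format-Table -AutoSize

# Against live logs (run as an administrator; widen the window as needed).
# FilterHashtable accepts arrays for LogName and Id, so one query covers both sources:
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'System','Application'; Id = 1015,1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-LsassCrash | Sort-Object Time | Format-Table -AutoSize
```

A single event 1015 naming lsass.exe on a domain controller is worth treating as an incident rather than a glitch: whether the cause is this bug or a later one, an unauthenticated crash of LSASS takes authentication for the whole domain down with it until the host comes back.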
Today’s Patch Tuesday, the first of 2017, marks the first monthly cycle in which Microsoft moves away from bulletins for its newer products. Instead, patches for those products will be delivered in one installable package. Under the new patch management regime, Microsoft’s Vista operating system will still get bulletins, however.
Microsoft’s Patch Tuesday coincides with the release of cumulative updates for nearly all versions of Windows 10, including the Anniversary Update for PCs (Build 14393.693). The update did not introduce new features but rather fixed issues in several security-related features, such as fingerprint authentication and App-V Connection Groups, along with an issue involving two similar input devices working on the same machine.