Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities. Out of the 17 security bulletins, 8 were marked as Critical, which could lead to remote code execution, while the remaining were marked as Important. Since no patches were released for February, a massive update was, in one way, expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches into security bulletins which, in our opinion, is easy to read and provides a better overall picture.
The highest priority overall goes to the Windows GDI bulletin MS17-013, which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. This gets the highest priority as CVE-2017-0005 is a zero-day issue which is currently being actively exploited in the wild. This issue could soon be incorporated into exploit kits using Silverlight as the attack vector, as we have seen happen in the past.
The next priority goes to the SMB update MS17-012, which can allow malicious SMB servers to take control of a client that tries to connect to them. The vulnerability (CVE-2017-0057) fixed in this bulletin has been publicly known for about a month, and proof-of-concept exploits were available for it. This elevates the need to patch quickly, as attackers could already be at work trying to incorporate them into attacks.
On the client side, the next priority goes to the IE and Edge browsers. The most severe of the browser vulnerabilities could allow remote code execution if a user views a specially crafted webpage that is hosted by the attacker. The details of three of the browser vulnerabilities (CVE-2017-0008, CVE-2017-0037, CVE-2017-0065) fixed today were publicly disclosed, which again elevates the need to patch quickly.
The next priority on the client side goes to the Office bulletin MS17-014, which could allow remote code execution if a user opens a specially crafted Microsoft Office file. Information about one of the vulnerabilities (CVE-2017-0029) was also publicly known.
On the server side, the highest priority goes to the Microsoft Exchange and IIS bulletins (MS17-015 and MS17-016 respectively), as both systems are exposed to the internet. Exchange Outlook Web Access (OWA) fails to properly handle web requests, due to which an attacker who successfully exploited this vulnerability could perform script/content injection attacks. An attacker could exploit the vulnerability by sending a specially crafted email, containing a malicious link, to a user. An attacker who successfully exploited the IIS vulnerability could perform cross-site scripting attacks on affected systems and run script in the security context of the current user.
On the server side, the next priority goes to the Hyper-V bulletin MS17-008, as it could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. This issue is marked as Critical due to the code execution aspect of the vulnerability.
The next priority on the server side goes to the Active Directory Federation Server bulletin (MS17-019), by which an authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system.
Overall, today is going to be very busy for IT departments in organizations of all sizes due to the large number of client as well as server patches to be installed. But most people will be pleasantly surprised that Microsoft kept the older way of clubbing KB articles into security bulletins.