Microsoft’s Patch Tuesday landed yesterday, fixing 15 critical bugs and bringing with it a new approach to security updates that focuses on CVEs rather than bulletins.
This month’s update round is only around a third of the size of March’s mammoth release, with 46 vulnerabilities fixed, 14 of which are found in Hyper-V.
Those which admins should prioritize include two zero-days being exploited in the wild: CVE-2017-0199 and CVE-2017-0210.
The former, which we reported on Monday, has been used to target Microsoft Word users since January and affects all versions of Office up to Office 2016 running on Windows 10, Microsoft’s most secure OS to date.
It has also been exploited in an email campaign designed to distribute the notorious Dridex banking Trojan.
The other zero-day, CVE-2017-0210, is an elevation of privilege vulnerability in IE.
“Anyone able to social engineer a user into opening a maliciously crafted document can execute arbitrary code on their machine, gaining a foothold to further compromise their organization’s network or otherwise use the system for nefarious purposes”, Rapid7 senior security researcher, Greg Wiseman, said of the two flaws.
There are also critical updates for the newly released Windows 10 Creators Update, as well as Windows Server, .NET Framework, Adobe Flash for IE and more.
Windows Vista received its last round of updates, so any organizations still running the OS should upgrade as soon as possible.
Microsoft has claimed in the past that customers have been asking for a more CVE-focused Patch Tuesday, but experts warned the new approach would take some getting used to.
“Microsoft has finally done away with the bulletin pages. You must now use the Security Update Guide, which provides a number of nice filtering options, but you lose a bit of the organization,” explained Ivanti product manager, Chris Goettl.
“For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”
He added that the update round has left organizations running IIS 6.0 exposed to the zero-day CVE-2017-7269.
“This vulnerability will not be resolved as it is in an old version of IIS that runs on Server 2003. More than 600,000 internet-facing servers running IIS 6.0 have the WebDAV module enabled, allowing this vulnerability to be exploited”, warned Goettl.
“With a Metasploit module on the way, or already out, you can bet these web servers will become targets if they are not already exploited.”