Microsoft has followed up its swift work patching a “crazy bad” Windows zero day bug this week with the release of May’s Patch Tuesday updates, which this month fix 56 vulnerabilities.
The update round includes 15 CVEs rated "Critical", 40 rated "Important" and one rated "Moderate”.
Three bugs are being actively exploited in the wild so should take precedence: CVE-2017-0261, CVE-2017-0263 and CVE-2017-0222.
The former is triggered when a user opens an Office file containing a malformed graphics image, according to Qualys’ director of vulnerability labs, Amol Sarwate.
“The file could be delivered via email or any other means,” he explained in a blog post. “As this is actively exploited in the wild and attackers can take complete control of the victim system, this should be treated with priority.”
The second affects IE, with users at risk if they visit a malicious website. Attackers are currently exploiting this zero day to take complete control of victim machines.
CVE-2017-263 is an elevation of privilege vulnerability in Windows kernel-mode drivers, according to Trend Micro’s Zero Day Initiative blog.
“In this case, the attacker must be logged on to the target system. The local nature of the bug is why the severity drops from Critical to Important,” it noted. “These bugs are typically paired with a remote bug – like the two previously mentioned – to allow an attacker to completely take over a system. For those who believe zero-days don’t matter, they should probably ask those affected by these bugs for their opinion.”
Next up, Edge browser vulnerability CVE-2017-0229 has been publicly disclosed prior to the Patch Tuesday release, so warrants attention, again allowing hackers to take complete control of a targeted machine if the user visits malicious websites.
“Next priority goes to three critical SMB remote code execution vulnerabilities (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279) that affect the Windows server machines as well as desktop clients,” claimed Sarwate.
“The issue exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploits the vulnerability could gain the ability to execute code on the target. To exploit the vulnerability, in most situations an unauthenticated attacker would send a specially crafted packet to the SMBv1 server.”
Also yesterday, Adobe released the critical APSB17-15 which fixes six memory corruption vulnerabilities and a use-after-free issue in Flash which could lead to code execution.