It's a brand new year, and this time always brings with it a brand new way of looking at Microsoft's monthly Patch Tuesday updates. As we told you a few months back, as of February, update information will be distributed only through the Microsoft Security Guide Updates portal at https://portal.msrc.microsoft.com/en-us/security-guidance
The portal allows you to filter by dates, product categories, individual products, severities and impacts. Thus if you want to find, for example, only critical updates for Windows 10, you can do that. If you want to view all remote code execution vulnerabilities, you can do that, too. If you know the KB article of CVE number of the vulnerability in which you're interested, you can search for that, as well.
This makes it easier for system admins to slice and dice and drill down into just what updates are relevant to them – but makes it a bit harder for those of us who are tasked with summarizing all the update releases for a given month. Those IT admins who haven't used the portal before might have a slight learning curve, too.
Like it or not, though, this month marks the last one in which we'll see the familiar MSxx-xxx numbered security bulletins that summarize and detail the vulnerabilities addressed by each update and the software products to which each applies.
Only four such bulletins were released this time: for one critical update that applies to Adobe Flash Player running on Windows and three important updates for Microsoft Office 2016, Microsoft Edge and the Local Security Authority Subsystem Service. At the time of this writing, the Office update was shown as "critical" in the bulletin list but was categorized as important in the bulletin itself.
Interestingly, you won't see any bulletins here that say they're updates for Internet Explorer or Windows. We'll get to the "why" of that in a moment (although those of you who have been dealing with updates for a while can probably figure it out).
At first glance, you might be a little confused when you go to the Security Updates Guide portal and filter for updates released in January 2017, because there you will see updates for various versions of Windows. In fact, you'll find 34 "items" listed – but don't panic and think this is the number of different updates; the portal lists a separate "item" for the same patch for each different operating system or software application. For example, the same Adobe Flash Player fix described in KB 3214628 is listed twelve times – one for each OS to which it applies, as shown in the screenshot.
Okay, so why do the bulletins not list updates "for Windows" when there clearly are some, as shown below? You guessed it: click on the KB article for those Windows updates and you'll find that the Windows component being updated is the Local Security Authority Subsystem Service.
On the old monthly security bulletin summary page, we had both the affected OS or application information and the component given at one glance, but now that the information is parsed out this way, it "looks" different and we don't have as much information without drilling down.
Why not keep the old summaries and bulletins along with the portal for those who liked that format? I can't speak for Microsoft, but my guess is that compiling that summary information and then checking it for accuracy was time-consuming. And really, who needs it in that format – other than a handful of writers such as myself? For practitioners in the field, the portal really does make sense.
One thing that's nice about the portal is that in addition to filtering vulnerability and update information on the website, you can download an Excel spreadsheet with the selected data and manipulate it there. This gives you a lot of flexibility.
Beginning in February, then, we'll be changing up the presentation of the update information in these blog posts, but for now, let's take a look at those last four security bulletins before we bid their kind farewell.
MS17-003 (KB 3214628) This is an update for the Adobe Flash Player running on Windows 8.1 and 8.1 RT, Windows 10, and Windows Server 2010, 2010 R2 and 2016. It is rated critical for all.
The update addresses 12 vulnerabilities in the Flash Player software. These include use-after-free, heap buffer overflow and memory corruption issues that can be exploited to achieve remote code execution, along with a security bypass vulnerability that could result in information disclosure. For more information about the vulnerabilities, see Adobe's security bulletin APSB17-02.
There are published workarounds which involve preventing Adobe Flash from running and preventing ActiveX and Active Scripting from running. The instructions for these are available in the Microsoft bulletin at https://technet.microsoft.com/en-us/library/security/MS17-003 . There are also a number of mitigating factors listed there.
The update fixes the problems by resolving these issues.
MS17-001 (KB 3214288) This is an update for the Microsoft Edge web browser running on Windows 10 and Windows Server 2016. Because the server core installation doesn't run a web browser, it would not be affected. The update is rated important on both the client and server operating systems.
The update addresses a single elevation of privilege vulnerability related to improper enforcement of cross-domain policies with about:blank. It could be exploited to access information from one domain and inject it into another domain, thus achieving an elevation of privileges. User action would be required to carry out the exploit. There are no published mitigations or workarounds.
The update fixes the problem by assigning a unique origin to top-level windows that navigate to Data URLs.
MS17-002 (KB 3214291) This is an update for Microsoft Office that applies to Word 2016 (32 and 64 bit editions) and SharePoint Enterprise Server 2016. It is rated Critical in the bulletins list, but rated important in the bulletin itself, for both products.
The update addresses a single memory corruption issue that could be exploited to accomplish remote code execution by convincing a user to open a specially crafted file. User action is required to carry out the exploit. The preview pane in an email attack scenario is not an attack vector. There are no published mitigations or workarounds.
The update fixes the problem by correcting how the Office components handle objects in memory.
MS17-004 (KB 3216771) This is an update for the Local Security Authority Subsystem service in Windows Vista and Windows 7 client operating systems, and for Windows Server 2008 and 2008 R2, including the server core installation. It is rated important for all.
The update addresses a single vulnerability related to the way the LSASS handles authentication requests. This could be exploited by an unauthenticated attacker to achieve a local denial of service that would cause the computer to reboot. There are no published mitigations or workarounds.
The update fixes the problem by correcting the way the LSASS handles specially crafted authentication requests.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.