After delaying patches in February, Microsoft today released18 security bulletins, eight of them critical, patching vulnerabilities in server and desktop software.
“This month's Patch Tuesday updates are particularly important due to the delayed release of February's planned fixes,” Greg Wiseman, Rapid7 senior security researcher, said in comments emailed to SC Media, who said the delay in February patches resulted in “more updates than usual' in March. “Included, are three separate vulnerabilities that were disclosed by external vendors over the past several weeks (with exploit code publicly available), which are now being patched.”
In late February, Google's Project Zero revealed a bug in Microsoft's Internet Explorer and Edge browsers, whereby if a user were to visit a malicious websites, it could crash the browser, and then execute code. Earlier in the month, Google's Project Zero revealed a bug in Windows' Graphics Component GDI Library before Microsoft had fixed it.
ACROS Security had previously issued temporary patches for CVE-2017-0037 and CVE-2017-0038.
The highest priority should be “Windows GDI bulletin MS17-013 which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document,” Amol Sarwate, director of engineering at Qualys, said in emailed comments to SC Media. “This gets highest priority as CVE-2017-0005 is a zero day issue which is currently being exploited actively in the wild.”
In a sea of patches, security teams should focus on patching MS17-013 and MS17-006 and MS17-012, “the vulnerabilities that were previously disclosed and with known exploits out there,” Wiseman said. “Six additional bulletins are also rated Critical and should be tackled next, before looking at the nine ranked as important.”
“CVE-2017-0037 is a particularly nasty one, allowing attackers to remotely execute arbitrary code if a user visits a malicious web page using the Internet Explorer 11 or Edge browsers,” said Wiseman. “CVE-2017-0038 allows remote attackers to glean potentially sensitive information from process heap memory due to an EMF file handling bug. CVE-2017-0016 is a denial of service vulnerability that can crash Windows when connecting to a malicious SMB share. Exploit code for it has been publicly available since at least February 1.”
Sarwate said that while “overall today is going to be very busy for IT department in organizations of all sizes due to the large number of client as well as server patches to be installed,” security pros would ‘be pleasantly surprised as Microsoft kept the older way of clubbing KB articles into security bulletins.”
Microsoft said it would begin releasing patches in their Security Updates Guide after January, Wiseman said “It is also noteworthy that Microsoft continued to publish their updates as Security Bulletins this month.”
