Microsoft's first Patch Tuesday for the year proved lighter than usual with the company rolling out four security bulletins today that cover just four potential exploits, two of which are rated critical.
Each bulletin contains just one vulnerability with MS17-002 and MS17-003 being the two considered critical, while MS17-001 and MS17-004 were tagged “important” by Microsoft. This is also the last month where network administrators and general users will get an update document from Microsoft and instead be directed to the new Security Updates Guide.
“The new security portal is driven by an online database and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates,” Amol Sarwate, director of Qualys' Vulnerability Labs, wrote in his Patch Tuesday blog.
Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team, said it was interesting that only four updates were sent out by Microsoft.
“When you remove the Flash update (which represents 12 of the 15 CVEs), you're left with 3 single-CVE bulletins, two of which have been publicly disclosed. While it may be that these were the only updates Microsoft had ready for release, another possibility is that they aimed for a minimal patch release to give them time to finalize the transition to the new Security Updates Guide," he said.
Chris Goettl, product manager with Shavlik, thought Microsoft's lighter than usual offering might be the harbinger of a larger Patch Tuesday next month.
"This could be the calm before the storm. We have not seen this light of a Patch Tuesday since January of 2014. Next month you should expect some adjustments and a heavier Patch Tuesday drop as Microsoft changes methodologies," he said.MS17-002, CVE-2017-0003, resolves a Microsoft Office Word 2016 and SharePoint 2016 vulnerability can allow remote code execution if the user opens a specially crafted Office file. The company noted that a successful exploit could allow an attacker to run arbitrary code in the context of the attacker, but those accounts with fewer user rights on the system are less vulnerable.
The second critical update, MS17-003, is for Flash Player, which received 13 patches today from Adobe. If left vulnerable systems will be open to remote code execution.
"Unfortunately, even though consumers remain the single largest attack vector, both consumer and server users should pay attention to the following critical remote code execution bulletins: MS17-002 and MS17-003. Fortunately, I have not seen exploitation of the two disclosed vulnerabilities," Adam Nowak, Rapid7 lead engineer, told SC Media.
The “important” MS17-001, CVE-2017-0002, is for Microsoft Edge and resolves an issue that could allow elevation of privilege if a viewer opens a specially crafted webpage using Edge in Windows 10 or Server 2016.
Despite only receiving an “important” rating by Microsoft, MS17-004 was considered by Sarwarte as the most important of the bunch. The patch addresses a denial of service vulnerability that exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests.
“To exploit the vulnerability an unauthenticated attacker could send a specially crafted authentication request which would lead in the reboot condition,” Sarwate wrote.