Microsoft has released its latest Patch Tuesday and it is among the smallest it has ever issued. It consists of just four patches, two of which are critical and two are important. The two critical patches are a security patch for Microsoft Office and another for Adobe Flash Player. Microsoft Edge is also patched to remove an elevation of privilege vulnerability. The remaining patch is a reissue to fix a vulnerability that was not dealt with properly in November.
System administrators may be overjoyed by the size of this release, but it is unlikely to reduce their January patching load much. Many users will be bringing new devices into the office that they received for Christmas. These will need software installed, and for some that means many rounds of patching.
In a blog on the Qualys website, Amol Sarwate, director of vulnerability research at Qualys, said: “In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy.
“It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.”
Three patches for Microsoft software
Server administrators will be focused on the Local Security Authority Subsystem Service (LSASS) patch. This was originally addressed in November, but the fix was incomplete. Nicolas Economou from Core Security tested the patch against the Proof of Concept (PoC) code and discovered that it did not work. Microsoft has now issued a replacement patch, and anyone running Windows Server 2008, Windows Vista, Windows XP or Windows 7 needs to deploy it.
The patch for Microsoft Office is classified as Critical. It covers a remote code execution vulnerability that would allow an attacker to run code on the local machine as the logged-on user. The greatest risk is a user who runs with administrator rights, since the attacker would then gain complete control of the local machine. Deploying the patch is also an opportunity to review user rights and permissions. The vulnerability affects Word 2016 (32-bit and 64-bit) as well as SharePoint Enterprise Server 2016.
There is also a patch for Microsoft Edge, the replacement for Internet Explorer. This is to fix a vulnerability that allows an attacker to elevate their privileges on the local computer. It affects Windows 10 and Windows Server 2016.
The pain never ends for Adobe Flash Player
The last of the patches covers Adobe Flash Player and is rated as Critical. It affects all client and server versions of Windows from Windows 8.1 and Windows Server 2012 R2 onwards. It replaces all the Adobe libraries used by Microsoft Edge and by Internet Explorer 10 and above. Adobe Flash Player is a common target for zero-day vulnerabilities, so this patch needs to be deployed across organisations as quickly as possible.
While Microsoft has issued just a single patch for Adobe Flash Player, Adobe itself has issued two different security bulletins. The Adobe Flash update fixes 13 vulnerabilities. The second bulletin covers both Acrobat and Reader, with 29 vulnerabilities addressed. These vulnerabilities are not confined to Windows; they also affect the software when installed on Apple devices.
An easy start to the year for security administrators masks the challenge that January brings. New devices entering the workplace where Bring Your Own Device (BYOD) is supported will need to be identified and brought up to corporate security standards. New Windows devices will pick up these updates through the automatic update routine, but administrators should still run utilities to verify that the patches have been applied properly.