March's Patch Release
If you followed Microsoft's March Patch Tuesday, you may have noticed a large number of patch releases.
March's patch lineup consisted of two months' worth of patches after the issue that occurred in February. This included a total of 18 bulletin updates: 9 critical patches and 9 important patches. Overall, the release covered 136 unique CVEs, 3 Zero Days and 12 public disclosures.
As for third-party patches, two bulletins were released by Adobe and two by VMware.
Patch summary breakdown
MS17-006 is a Cumulative Update for Internet Explorer. It is rated as Critical and resolves a total of 12 vulnerabilities, including 5 Publicly Disclosed (CVE-2017-0008, CVE-2017-0037, CVE-2017-0012, CVE-2017-0033, CVE-2017-0154) and one Zero Day (CVE-2017-0149). The Zero Day is a User Targeted vulnerability that could allow the attacker to gain rights equal to those of the logged-on user. The attacker could exploit this vulnerability by hosting specially crafted websites or by taking advantage of a compromised website or a website hosting user-contributed content or ads.
MS17-007 is a Cumulative Update for the Edge browser. It is rated as Critical and resolves a total of 32 vulnerabilities, including 5 Publicly Disclosed (CVE-2017-0065, CVE-2017-0012, CVE-2017-0033, CVE-2017-0069, CVE-2017-0037) vulnerabilities. A Zero Day is obviously the biggest risk factor for prioritizing a Bulletin, but Public Disclosures also raise the risk because enough information may be available to a Threat Actor to build an exploit. Many of the vulnerabilities are User Targeted, meaning they are perfect for phishing attacks using crafted web content, ads, etc. Privilege Management can also mitigate the impact of many of the vulnerabilities, meaning the attacker only gains rights equal to those of the user who was exploited and would then have to escalate privileges to progress further.
MS17-013 is an update for Office, Lync, Skype, and Silverlight. It is rated as Critical and resolves a total of 12 vulnerabilities, including one Publicly Disclosed (CVE-2017-0014) and one Zero Day (CVE-2017-0005) vulnerability. There are many user-targeted vulnerabilities in this bulletin, including a few that could utilize the Preview Pane as an attack vector.
MS17-022 is an update for Microsoft XML Core Services. It is only rated as Important and resolves one vulnerability, but that happens to be a Zero Day that could allow for Information Disclosure. In this case, an attacker can host a specially crafted website designed to exploit the XML vulnerability and allow the attacker to test for the presence of files on disk. From there, an attacker could validate whether other exploits may be possible.
There are many more Microsoft bulletins, but those are the higher priority items. Shifting gears to 3rd Parties, we have two Adobe Bulletins and two VMware Bulletins this month.
Adobe Flash Player is an expected addition to the list. In 2016 there was only one Patch Tuesday that did not include an update for Flash Player. As always, it is important to note that Adobe Flash and the plug-ins for IE, Chrome, and Firefox all need to be updated to completely protect against the vulnerabilities. This month's bulletin, APSB17-07, includes fixes for 7 vulnerabilities that are user targeted and could allow an attacker to gain control of the affected system. The update is rated as Priority 1 by Adobe and makes our top priority list as well.
VMware VMSA-2017-0005 is a Critical vulnerability in VMware Workstation, Fusion and Player. One vulnerability is resolved by this update. It is an out-of-bounds memory access vulnerability which could allow code execution.
Keep a look out for the next patch release!