Microsoft’s first Patch Tuesday update of 2017 is one of the smallest in the history of the program with four bulletins released today, including three rated important along with Adobe’s monthly Flash Player update for Internet Explorer and Edge, which was rated critical by the vendor.
The Microsoft bulletins were for vulnerabilities in Office 2016, its Edge browser and its Local Security Authority Subsystem Service (LSASS).
The Office bulletin, MS17-002, includes a patch for a single remote code execution vulnerability triggered if a user opened a specially crafted Office file. This vulnerability was originally rated critical by Microsoft, but it later downgraded the bulletin to important. The flaw (CVE-2017-0003) impacts specific Office applications such as Microsoft Word 2016 (64-bit, 32-bit) as well as Microsoft SharePoint Enterprise Server 2016.
“Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” according to the bulletin.
The Edge bulletin, MS17-001, patched one elevation of privilege vulnerability rated important by Microsoft.
“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge,” according to Microsoft.
A denial of service vulnerability rated important by Microsoft was also patched in MS17-004 in the Local Security Authority Subsystem Service (LSASS). The flaw impacts Microsoft Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (and Server Core). The vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests, said Microsoft. “An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system,” Microsoft said.
Finally, Microsoft also published a critical bulletin, MS17-003, tied to a swath of bugs found in Adobe Flash Player used in its Windows 8.1 OS (64-bit, 32-bit), Windows RT 8.1, multiple versions of Windows 10 and Windows Server 2016. Those Adobe Flash Player vulnerabilities were outlined earlier Tuesday by Adobe when it announced a bevy of patches that addressed code execution flaws in Flash, Reader and Acrobat. Besides applying the requisite patches, Microsoft suggested disabling instances of Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010.
Today’s Patch Tuesday, the first of 2017, marks the first monthly cycle that Microsoft is doing away with bulletins for newer products. Instead, Microsoft patches will be delivered in one installable package. Under the new patch management regime Microsoft’s Vista operating system will still get bulletins however.
Microsoft’s Patch Tuesday coincides with the release with cumulative updates for nearly all versions of Windows 10 including the Anniversary Update for PCs (Build 14393.693). The update did not introduce new features, rather fixed several security-related features such as fingerprint authentication, App-V Connection Group and an issue that had allowed two similar input devices to work on the same machine.