This month Microsoft released patches for 56 new CVEs in Internet Explorer, Edge, Office, Windows, .NET Framework and Adobe Flash. 14 CVEs are rated Critical and the remaining are rated Important in severity. Three of these CVEs documented below are being actively exploited and should be prioritized.
Security Update Summary
We have not uncovered any widespread problems with any of these patches and are releasing all of them. (See “Optional Deny KB” below
CVE-2017-0261: Microsoft Office Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Office that could be exploited when a user opens a file containing a malformed graphics image or when a user inserts a malformed graphics image into an Office file. Such a file could also be included in an email attachment.
CVE-2017-0222: Internet Explorer Memory Corruption Vulnerability
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
CVE-2017-0263: Win32k Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Malware Protection Engine Remote Code Execution Vulnerability- CVE-2017-0290
Patch Tuesday was overshadowed by a zero day exploit in Window Defender. Microsoft quickly released a fix. The Defender engine updates automatically and your machines should have update to version 1.1.13704.0 within 48 hours.
Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning.
Optional Deny KB
Last week an old patch KB3008923 showed up in Windows Updates. Microsoft has not given any explanation but they expired it on Wednesday morning. However the same day 2 more old KBs showed up. These are all old patches that have been superseded. While they will cause no harm we are denying them.
- KB3008923 (MS14-080 from Apr 2015) Superseded By: KB3139929/MS16-023
- KB3003057 (MS14-065 from Nov 2014) Superseded By: KB3065822/MS15-065
- KB2987107 (MS14-056 from Oct 2014) Superseded By: KB3139929/MS16-023
New Security Advisories
Microsoft Security Advisory 4010323
Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11
Microsoft Security Advisory 4021279
Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege
Microsoft Security Advisory 4022344
Security Update for Microsoft Malware Protection Engine
Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
May 2017 security monthly quality rollup
- KB4019264 – Windows 7, Windows Server 2008 R2
- KB4019215 – Windows 8.1, Windows Server 2012 R2
- KB4019216 – Windows Server 2012
May 2017 security only quality update
KB4019263 – Windows 7, Windows Server 2008 R2
KB4019213 – Windows 8.1, Windows Server 2012 R2
KB4019214 – Windows Server 2012
- May, 2017 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2
- May, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2
- The KB numbers for .Net are different for each version and in some cases each OS installed.
Cumulative update for Windows 10
KB4019474 – Original release version 1507 (OS Build 10240.17354)
KB4019473 – Version 1511 (OS Build 10586.873)
KB4019472 – Version 1607 “Anniversary Update” (OS Build 14393.1066 and 14393.1083)
KB4016871 – Version 1703 “Creators Update” (OS Build 15063.138)
Note: Server 2016 uses the same KB as Windows 10 Version 1607
Release Notes May 2017 Security Updates
Release Date: May 09, 2017
The May security release consists of security updates for the following software:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- NET Framework
- Adobe Flash Player
In addition, Microsoft is releasing security updates for ASP.NET Core to address CVE-2017-0247, CVE-2017-0249, and CVE-2017-0256, and for .NET Core to address CVE-2017-0248. For more information see https://github.com/aspnet/Announcements/issues/239.
Please note the following information regarding the security updates:
Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft Technet article, Further simplifying servicing models forWindows 7 and Windows 8.1.
Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
Starting in March 2017, there will be a Windows 10 1607 delta package that contains just the delta changes between the previous month and the current release.
Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features
Note As a reminder, the Security Updates Guide will be replacing security bulletins. Please see our blog post, Furthering our commitment to security updates, for more details.