May Patch Tuesday delivers fixes critical Windows 10 exploits

Microsoft attempts to resolve 56 reported vulnerabilities in Microsoft Office, Windows, both Browsers and the .NET development platform.

Nerves can get to you worried anxious fret nervous anxiety
Credit: Thinkstock

For this May Microsoft Patch Tuesday, we see Microsoft attempt to resolve 56 reported vulnerabilities in Microsoft Office, Windows, both Browsers and the .NET development platform.

Three of the vulnerabilities have been reported publicly and several have been actively exploited. Adding to an already serious situation, Microsoft’s anti-malware tool was compromised, resulting in the inadvertent deployment of malware through the anti-malware engine.

Microsoft responded very quickly with an out-of-band update (Security Advisory 4022344). Though there was general relief and kudos to Microsoft for their rapid response to this embarrassing episode, this bug was described as the “worst in recent memory” and as "crazy bad” by two of the lead researchers from Google’s Project Zero.

The patch team from Ivanti have put some real effort into formatting the latest updates into thirteen “virtual bulletins” and have a published a helpful infographic and cheat sheet for this month's patches. 

As we have now moved away from the old Microsoft Security bulletin approach with the final bulletin MS17-023 delivered as a single update, it appears that Microsoft is now grouping patches by the following product families:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • .NET Framework
  • Adobe Flash Player

It is interesting to note that Adobe Flash Player continues to play such a significant, important and problematic role every month, that it now merits its own deployment category from Microsoft.

Internet Explorer (IE)

This update ring has been rated as critical by Microsoft with seven related KB articles resolving six reported vulnerabilities. Most importantly, one vulnerability has been publicly reported and another has been reported as exploited. This is Patch Now update from Microsoft. Deploying this patch will require a restart and affects versions 9, 10 and 11 of IE.

Microsoft Edge

Microsoft has broken down some of the patch data in a browser family with Internet Explorer (IE) and Edge as two products. Somewhat confusingly, Edge updates are also included in Windows 10, so I have broken out the updates from Microsoft Edge for this release. This grouping may change next month.

This Microsoft Edge specific grouping attempts to resolve 15 vulnerabilities that at worst could lead to a remote code execution scenario. Nine of these vulnerabilities have been rated as critical by Microsoft. Therefore, add this update to Microsoft Edge to your “Patch Now” schedule.

Windows

This update ring will normally contain the updates and patches for the Windows desktop and server platforms. However, this month, due to the Defender engine corruption issue, it also includes an update to the System Centre server component. I am not sure how this will continue, and we may split this section into three rings in the future, comprising: Windows desktop, Windows server and System Center.

There are a whopping 42 vulnerabilities included in the Windows 10 cumulative update for this May patch release. With potential remote code execution vulnerabilities and at least four publicly reported issues, this update should be included in the Patch Now release. There are 27 reported vulnerabilities for the Windows 7, 8.x and Server 2012 platforms, with one remote code execution exploit publicly reported. Unfortunately, these patches should be considered to have a critical rating from Microsoft and need to be deployed as soon as possible.

Microsoft Office

Microsoft has attempted to resolve seven Office vulnerabilities, which due to a remote code execution scenario, require a critical rating from the Microsoft patch team. This update affects all supported versions of Office (2007-2106) and this patch will apply to both Windows and Mac versions of Office. This update will require a restart and should be added to your “Patch Now” list.

Adobe Flash Player

This is a bundled critical update from Microsoft for Adobe Flash Player (APSB17-15). This update for Adobe Flash player attempts to resolve seven reported vulnerabilities relating to a use-after-free memory issue, resulting in a potential remote code execution exploit. This patch will require a system restart. This is another terrible exploit for Adobe Flash -- please deploy this patch ASAP.

Microsoft .NET

This update ring to the Microsoft .NET framework should be considered as having an important rating. This patch affects .NET versions from 2.0 to 4.7 and attempts to resolve a single vulnerability (CVE-2017-0248) that could lead to a security feature bypass scenario. Of all the updates for this month, this is the only one that can be added to your standard deployment schedule.

Finally, if Microsoft deploying malware through its own anti-malware engine was not enough for this month, we have also heard that a criminal gang is using Microsoft’s application compatibility database (shims) to compromise specially targeted systems in order to steal financial information. Shim files are special files from Microsoft that help older or legacy applications work on newer operating systems. This “bad” shim masquerades as a Windows update called KB2832077, and helps itself to your credit card details.

This article is published as part of the IDG Contributor Network. Want to Join?

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon