Patch Tuesday - April 2017

This month’s updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they’ve patched the CVE-2017-0199 zero-day flaw in Office and WordPad, which could allow an attacker to run arbitrary code on a victim’s system if they are able to successfully social engineer their target into opening or previewing a maliciously crafted document.

Microsoft has also already issued a fix for their new version of Windows 10 (1703, also known as the “Creators Update”), which was only made generally available today. It addresses several RCE and elevation of privilege vulnerabilities.

Data center admins can’t rest easy, however. This month sees updates for all supported versions of Windows Server, with fixes across the board for RCE, privilege escalation, and denial of service (DoS) vulnerabilities.

Administrators should be aware that after today, Windows Vista will no longer be supported. Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day IIS exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.

It is also worth noting that information about this month’s fixes are only available from Microsoft’s Security Updates Guide. Instead of grouping related fixes under Security Bulletins such as MS16-XXX, their new system allows users to pivot on the vulnerability identifiers (CVEs) and KB article numbers. They also provide the ability to search and filter based on product, severity, and impact (e.g. RCE, DoS, etc.) which can help administrators prioritize how they roll out the updates. Please refer to this blog post for more details about how this affects Nexpose users.