Microsoft kicks security bulletins to the curb in favor of security update guide
Forget about security bulletins; Microsoft is so done with them. Now, it’s all about the Security Update Guide – something Microsoft claimed customers wanted back in November 2016. Bulletins were supposed to bite the dust starting in January 2017, but it appears as if they did starting in April 2017. This new era for patching Microsoft is great, if you really like clicking again and again. If not, I suppose that is too bad, so sad.
The release notes are slightly more informative than the Microsoft Security Response Center post about the April patches. The latter simply stated, “Today we released security updates to provide additional protections against malicious attackers.” Microsoft recommends turning on automatic updates, but probably not to stop the upcoming migraine for the click-fest you will have to endure to find out about the security updates.
The release notes at least say the security updates are for Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Visual Studio for Mac, .NET Framework and Silverlight.
If you look across the board at all the products and all severities – that is after you accept the terms of service – there are 644 total items listed on Security Update Guide for April 11, 2017. Of the 45 unique CVEs, the Zero Day Initiative said three of the CVEs were listed as being under active attack and should be prioritized above the others: CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API; CVE-2017-0210: Internet Explorer Elevation of Privilege Vulnerability; and CVE-2017-2605: Defense-in-Depth Update for Microsoft Office.
If you sort the patches by severity, then there are critical vulnerabilities in Microsoft Office, Microsoft Edge, Microsoft Outlook, .NET Framework, Windows and Internet Explorer. Pick your poison. There is:
Cumulative update for Microsoft Edge: The fixes for Microsoft Edge 32-bit and x64-based systems are rated critical due to RCE vulnerabilities.
The cumulative update for Internet Explorer 9, 10 and 11 addresses a plethora of problems and is called a “monthly rollup” by Microsoft.
Microsoft Outlook: The fixes for Microsoft Outlook are rated critical for vulnerabilities described only as a security vulnerability “that could allow arbitrary code to run when a maliciously modified file is opened.” You don’t see that without clicking on each Outlook update, which leads to the security updates for Microsoft Outlook 2016 64-bit and 32-bit editions, 2010 Service Pack 2 64-bit and 32-bit, 2013 Service Park 1 32-bit and 64-bit editions, as well as 2007 Service Pack 3.
Microsoft Office is listed separately than Outlook, but Office also has listings under critical severity, as well as important, and even “none.” Here are the links which lead to fixes for the critical flaws in Office 2013 64-bit and 32-bit editions, 2007, 2016 32-bit and 64-bit, and 2010 32-bit and 64-bit editions.
Windows: There are fixes for a critical scripting engine memory corruption flaw for various versions of Windows.
There are also bundled patches for different versions of the OS, which include improvements as well as close security holes in things like scripting engine, Internet Explorer, Hyper-V, Win32k, Adobe Type Manager Font Driver, graphics components, Lightweight Directory Access Protocol, Windows Kernel mode drivers, Windows OLE, libjpeg image-processing library and .NET Framework. Which things get patched depend upon which version of Windows you use.
The security update for Adobe Flash Player is also rated critical for RCE holes.
You can also get fixes individually, such as for the critical RCE flaw in .NET Framework.
By now, I’ve decided this feels like hell. Of course, I’m not looking specifically for what applies to my system; instead, I’m trying to give you an overall look at this month’s patches. You click on a security update, which generally takes you to a Microsoft Update Catalog page with more links to click. When you do click, a popup box basically tells you nothing of value and suggests that if you want to know about the security update, then click again on the support article for that specific vulnerability. I hope you like it and it works well for you. Right this very minute, I hate it. I’m sorry, but I’m not willing to click like a thousand times to get all the answers – and that would be if you did not have to click even twice to get the dirt on the 644 total listings.
So let’s turn to Amol Sarwate, Director of Qualys Vulnerability Labs, for more information. He reported that Microsoft addressed 45 vulnerabilities which ranged from “remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing.”
Qualys says Office and WordPad should be your top priority since it closes a 0-day vulnerability which is currently being exploited in the wild. Patch Microsoft Edge and Internet Explorer next, Sarwate said, followed by Hyper-V and then ASP.NET.
I’ll try to find a better way to sort what is what by next month, but no promises. For now, good luck and happy patching!