The March 2017 Patch Tuesday release was a bit larger than usual, as it also contains the fixes that were delayed...
with the cancellation of Patch Tuesday in February. The March release includes 18 Windows security bulletins, nine of which are rated as critical.
Experts knew the March Patch Tuesday release would be bigger than usual, since it covers two months' worth of fixes. But security professionals may have their hands full dealing with patches for one known zero-day vulnerability and at least five bugs that were publicly disclosed before being patched.
MS17-006, MS17-007 and MS17-023 are three of the regular critical Windows security bulletins for vulnerabilities in Internet Explorer, Microsoft Edge and Adobe Flash, respectively. All nine critical Windows security bulletins this month, including these three, target vulnerabilities that could allow for remote code execution (RCE) by an attacker and should be patched immediately.
According to Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif., these Windows security bulletins fix three publicly disclosed vulnerabilities, one of which (CVE-2017-0037) was disclosed by Google Project Zero last month.
However, Sarwate said the highest-priority bulletin this month was MS17-013, which also targets a vulnerability disclosed by Google Project Zero. The issues patched were found in Microsoft's Graphics Device Interface library, and Mateusz Jurczyk, a Project Zero security researcher based in Poland, said he disclosed the bugs to Microsoft in November 2016 after a previous patch failed to fully correct the problems.
This patch should be the highest priority, because it "could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document," Sarwate wrote in a blog post. "CVE-2017-0005 is a zero day issue which is currently being exploited actively in the wild. This issue could be incorporated soon by exploit kits using Silverlight as the attack vector as we have seen that happen in the past."
Sarwate also gave high priority to MS17-012, a critical Windows security bulletin, which resolves multiple vulnerabilities, including yet another flaw that was publicly disclosed in February. A researcher released proof-of-concept code for a denial-of-service issue with the Windows Server Message Block after being frustrated by Microsoft delaying the patch. Microsoft said, at the time, the bug posed relatively low risk, and the vulnerability has been rated important here. The critical bug in MS17-012 concerns a memory corruption flaw in iSNS servers.
Also affecting the Windows Server Message Block protocol is MS17-010, the final bulletin concerning a known vulnerability in SMB. This critical bulletin targets a flaw suspected to be part of the Shadow Brokers' dump of National Security Agency hacking tools and prompted an advisory by US-CERT asking organizations to disable Windows SMB v1.
Although it isn't rated critical by Microsoft, Craig Young, security researcher at Tripwire Inc., based in Portland, Ore., said MS17-016 deserves special attention. MS17-016 is a Windows security bulletin affecting Microsoft's Internet Information Server (IIS).
"This is a cross-site scripting [XSS] issue, which apparently would impact any site running on IIS and is exploitable with a simple link. Microsoft has listed that there are no mitigating factors or workarounds indicating that the reflected XSS attack may not be blocked by common anti-XSS filters," Young told SearchSecurity. "An attacker could exploit this vulnerability to completely undermine the protections from HTTPS if they are able to get a victim to click on a crafted link. This problem is compounded by the prevalence of IIS on the internet and the fact that web servers are often neglected for patches to avoid downtime or adverse effects from the patch."
Rounding out the critical Windows security bulletins this month are MS17-008, MS17-009 and MS17-011, which resolve vulnerabilities in Microsoft Hyper-V, the Windows PDF library and Microsoft Uniscribe, respectively. Each bulletin covers RCE flaws and should be patched as soon as possible.
The most important remaining bulletins, MS17-014 and MS17-015, take on RCE vulnerabilities in Microsoft Office and Exchange Server. MS17-017 and MS17-018 concern elevation-of-privilege flaws in the Windows Kernel and Kernel-Mode Drivers. MS17-019, MS17-020, MS17-021 and MS17-022 all target information-disclosure issues in Active Directory Federation Services, Windows DVD Maker, Windows DirectShow and XML Core Services, respectively. Organizations that use those products should update during the normal patch process.
Catch up on the January 2017 Patch Tuesday news.
Learn why Pawn Storm APT ramped up after a Windows vulnerability disclosure.
Find out about the Windows zero-day that sparked a debate.