Just a few hours ago, Microsoft published a slew of updates for Windows 10 and other supported products, in its so-called Patch Tuesday release. The company has now published security advisories and bulletins to go alongside the update, informing us of the security issues that were fixed.
Given Microsoft missed its previous Patch Tuesday, many were expecting this month to be a bonanza of bug fixes and critical security patches for its operating system and other products. And indeed, the company did not disappoint, at least in terms of the number of user-facing issues addressed with this release.
However, as you’ll notice, the company was much more restrained in the security department, putting out a relatively small number of fixes. Out of 18 total security bulletins, only nine were deemed to be “Critical”, and these are detailed below:
- MS17-006 and MS17-007 address critical vulnerabilities in Windows, Internet Explorer and Microsoft Edge. These could allow a remote attacker to gain user privileges on the targeted machine if the victim was tricked into viewing a maliciously-crafted website. If the victim was using an admin account, the attacker could take full control over the targeted machine.
- MS17-008 fixes security problems identified in Windows and its Hyper-V component. If a user or a guest operating system deployed specially created code, it could allow for full code execution inside of the Hyper-V host operating system. If Hyper-V is disabled you’re not vulnerable to such attacks.
- MS17-009 relates to the way Windows handles PDF documents. A security vulnerability could allow an attacker to take full control over a targeted machine if the victim views a specially-crafted PDF file online or in an offline viewer.
- MS17-010 has to do with the Microsoft Server Message Block 1.0 (SMBv1) and a bug that might allow an attacker to execute remote code on a machine or server using the protocol.
- MS17-011 addresses problems inside of Windows Uniscribe. An attacker could gain user rights inside of a system if the victim is tricked into viewing a specially crafted website or document. Those running without admin rights would be less impacted by this flaw.
- MS17-012 patches a bug in Windows and the way the operating system handles the iSNS protocol. An attacker could execute remote code if he deployed a specially-crafted application that connected to an Internet Storage Name Service server and then issued malicious requests to the server.
- MS17-013 has to do with the Microsoft Graphics Component, a bit of software that comes up again and again in these regular security bulletins. The issue spans multiple products, including Windows, Office, Skype for Business, Lync, and Silverlight, and could allow for remote code execution and elevation of privileges if a user opens a malicious website or document.
- MS17-023 is the last Critical patch for this month and it contains all the fixes from Adobe for its Flash add-on.
Besides these updates, nine other patches were released being rated as “Important”. Many of them addressed vulnerabilities in Windows and Office that could allow for information disclosure and elevation of privileges.
As usual, we recommend you update to the latest version of the operating system you’re running and keep all your software up to date.