After a relatively modest start to the year in terms of Patch Tuesdays, with four security fixes in January and nine fixes in March, despite February's round of patches having been canceled, the latest swathe of updates from Microsoft is set to cast a large shadow over prior months.
At a high level, a staggering 57 common vulnerabilities and exposures (CVEs) have been addressed as part of this month's Patch Tuesday and is comprised of 16 critical and 41 important updates. In terms of affected software, the list includes:
- Adobe Flash Player
- Internet Explorer 9, 10, and 11
- Microsoft .NET Framework 3.5 and later
- Microsoft Edge
- Microsoft Office and component products
- Windows Defender
- Windows 7, 8.1, RT 8.1, and 10
- Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016
In aggregate, supported versions of Windows and Windows Server received a total of 28 patches, representing roughly 49% of the patches issued this cycle. Meanwhile, Microsoft Edge was runner-up in terms of patch volumes, racking up 15 patches for the month of May.
However, in terms of notable vulnerabilities, perhaps one of the most critical addressed by Patch Tuesday was a remote code execution flaw affecting Microsoft Office 2010, 2013, and 2016. Tracked under CVE-2017-0261, the exploit could be leveraged when a user opened a file containing a malformed image, which had been inserted into a document, or viewed as an email attachment. Successful execution would enable a remote attacker to take control of the compromised system.
Also of particular concern was a critical flaw found in Windows Defender, Microsoft Security Essentials, Windows Intune Endpoint Protection, and specific Microsoft Forefront products, tracked under CVE-2017-0290. The vulnerability enabled remote code execution when "the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption." At its simplest, an exploit could take place if a user simply downloaded a malicious file from a website and, provided that real-time protection was enabled in the aforementioned software, their system would be compromised.
Rounding out some of the headline updates are three which specifically concern Service Message Block (SMB) server. Following on from Microsoft's security bulletin from last month covering six flaws affecting SMBv1, May's Patch Tuesday addresses a further three remote code execution vulnerabilities affecting both desktop and server versions of Microsoft Windows.
Of course, these are but a few of the critical issues being addressed by Microsoft this month, of which more information is available via the company's Security Update Guide.
As always, we recommend you update to the latest version of the operating system you’re running and keep all your software up to date.