Microsoft Releases 'Largest' Monthly Security Patch
After skipping the February Patch Tuesday release, Microsoft is back with a larger-than-usual rollup of fixes.
As might be expected given that February deferral, Microsoft's March Patch Tuesday security release is a hefty one. It consists of 18 bulletins: nine rated "Critical" and nine rated "Important" by Microsoft.
A "Security Bulletin Summary" for March was published, listing all of the bulletins by ID number. They are also shown in Microsoft's new Security Update Guide. According to an earlier Microsoft announcement, the old portal was supposed to have been superseded by the new Security Update Guide last month, and the old bulletin numbering system was supposed to have been scrapped as well. However, both practices continued this month.
A blog post by the Microsoft Security Research Center explained on Tuesday that "security bulletins were also published this month to give customers extra time to ensure they are ready to transition their processes."
In addition, Microsoft today issued an informational update to a January Security Advisory. It's a fairly incomprehensible notice about the SHA-1 hashing algorithm, which is being distrusted by the Internet Explorer and Microsoft Edge browsers. Microsoft has published a guide on its deprecation plan for SHA-1. According to that plan, end users are now supposed to see a warning in their Microsoft browsers when they encounter sites whose certificates use SHA-1.
Microsoft also issued a notice this week that System Center Configuration Manager 2007 will still fall back to trusting SHA-1, as it doesn't support SHA-2 certificates.
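Administrators who want to find SHA-1 certificates before the browsers start warning about them can check the signature algorithm directly. The following is an added example written for this article; it is not Microsoft's code nor that of any tool named here. It parses just enough DER to read the signatureAlgorithm OID out of an X.509 certificate and flags the SHA-1 variants. The sample certificates are constructed in-line (a dummy tbsCertificate and a dummy signature under a real outer layout), the SHA-1 OID table holds the standard RFC 3279 values, and the function names are the example's own.

```python
"""Flag X.509 certificates whose signature algorithm relies on SHA-1.

Added example: a minimal DER reader that extracts signatureAlgorithm from
a Certificate. The sample certificates below are constructed stand-ins,
not real certificates, so the check runs offline.
"""
import base64

# Signature-algorithm OIDs that depend on SHA-1 (standard RFC 3279 values).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                   # base-128, high bit on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm_oid(cert_der):
    """Extract signatureAlgorithm.algorithm from a DER-encoded Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)              # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = read_tlv(alg_id, 0)     # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def uses_sha1_signature(cert_der):
    """True when the certificate's own signature depends on SHA-1."""
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode (works on ssl.get_server_certificate output)."""
    body = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(cert_der):
    """Wrap DER bytes in PEM armour (used here to exercise pem_to_der)."""
    b64 = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


def build_sample_cert(sig_oid):
    """Constructed stand-in: real Certificate layout, dummy tbsCertificate and signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                          # placeholder tbsCertificate
    alg_id = der(0x30, encode_oid(sig_oid) + der(0x05, b""))     # AlgorithmIdentifier
    signature = der(0x03, b"\x00" * 17)                         # BIT STRING, dummy value
    return der(0x30, tbs + alg_id + signature)


SAMPLE_SHA1 = build_sample_cert("1.2.840.113549.1.1.5")          # sha1WithRSAEncryption
SAMPLE_SHA256 = build_sample_cert("1.2.840.113549.1.1.11")       # sha256WithRSAEncryption

if __name__ == "__main__":
    for name, cert in (("sha1-sample", SAMPLE_SHA1), ("sha256-sample", SAMPLE_SHA256)):
        oid = signature_algorithm_oid(cert)
        verdict = "deprecated SHA-1 signature" if uses_sha1_signature(cert) else "ok"
        print(f"{name}: {oid} ({SHA1_SIGNATURE_OIDS.get(oid, 'not SHA-1')}) -> {verdict}")
```

To run it against a live server, pass `pem_to_der(ssl.get_server_certificate((host, 443)))` to `uses_sha1_signature`. The check reads only the signature on the certificate it is given, so a full audit walks every intermediate in the chain as well; a root's self-signature is not part of chain validation and is not what the browser warnings are about.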
Largest Patch Tuesday
The March Patch Tuesday release was described by software security firm Trend Micro as "the largest patch Tuesday in Microsoft's history" in a review article, which also noted that Microsoft has not yet explained why its February patches were delayed. The March release contains fixes for 135 common vulnerabilities and exposures (CVEs), plus Adobe Flash Player fixes for seven CVEs, according to Trend Micro.
The February Adobe Flash Player security updates for Windows systems were initially deferred by Microsoft, along with the other security patches. However, in late February, Microsoft released them separately.
This month's security update addresses three zero-day flaws and 12 flaws that were publicly disclosed, according to analysis by Chris Goettl, product manager at Ivanti (formerly known as Shavlik). Microsoft notably this month issued a patch for the Server Message Block security hole that didn't get patched last month, Goettl noted. The SMB flaw had been flagged by the U.S. Computer Emergency Readiness Team, but Microsoft still didn't issue a patch until today.
Microsoft has now separated its Internet Explorer security-only patches for the Windows 7 and Windows 8.1 operating systems, Goettl observed. Microsoft had promised back in January that it would follow that practice for its February patch release, although the whole release got deferred. This security-only patch approach for IE would only be available for organizations that didn't use the Windows Update service. Microsoft took this approach to address potential bandwidth issues posed by IE cumulative updates.
Microsoft typically provides an "exploitability index" as a guide for prioritizing patching, as described in its March summary. Goettl offered his own assessment, focusing on four bulletins to keep at the top of a list. They include:
- MS17-006, a cumulative update for IE that's rated Critical and includes a zero-day flaw that could permit an attacker to gain user access rights
- MS17-007, a cumulative update for the Microsoft Edge browser that's rated Critical
- MS17-013, an update to Lync, Office, Silverlight and Skype that's rated Critical and includes a zero-day flaw
- MS17-022, a Microsoft XML Core Services update that's rated Important and has a zero-day information disclosure flaw
Goettl noted the importance of patching zero-day flaws, which are typically described as software flaws that are unknown to software publishers. However, publicly disclosed flaws can't be discounted either because they afford an opportunity for attackers to craft exploits, he added.
Vault 7 Issues
In other patch news, Ivanti has created a Vault 7 Tracker. It's designed to chart the patching of software that was purportedly targeted by a set of CIA espionage tools, labeled "Vault 7" by WikiLeaks, which disclosed their existence last week. Much of the software was subject to Dynamic Link Library (DLL) hijacks. One notable CIA target subject to DLL hijacks was LibreOffice, the free open source productivity suite, Goettl noted. The Vault 7 release contains the largest number of zero-day exploits since the earlier Hacking Team exposure, he added in a blog post.
Some vendors have published limited information about their responses to the Vault 7 disclosures. For instance, Intel Security recently claimed that its Stinger tool isn't subject to Vault 7 exploits anymore, and it also issued a test release of a scanning tool designed to check for UEFI firmware exploits on PCs. Apple told USA Today last week that it is working on patching its software but claimed that many of the exploits exposed with Vault 7 "were already patched in the latest OS."
Microsoft apparently has been in contact with WikiLeaks, according to a recent story by The Register. WikiLeaks had offered to provide the exploit code for the Vault 7 tools to the affected software vendors first before releasing the code publicly.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.