Microsoft Sends Out Its Last Security Patches of 2017
Microsoft issued its last "update Tuesday" for this year on Dec. 12, addressing 32 common vulnerabilities and exposures (CVEs).
The list of Microsoft software getting fixed includes the Edge and Internet Explorer browsers, ChakraCore (part of IE), Windows operating systems, Exchange Server, Office and Office Services plus Web Apps, and the Microsoft Malware Protection Engine.
The terse details are all tucked away in the Microsoft "Security Update Guide," which is a Web portal that lists security patch details by release date, page by page.
All told, 20 of the 32 CVEs are deemed "Critical," with 12 of them rated "Important," according to a patch review by Trend Micro's TippingPoint Zero Day Initiative. None of the vulnerabilities were publicly known or under active attack, according to Trend Micro's account.
Trend Micro highlighted three flaws as being notable. There's an old InfoTech Storage Format information disclosure vulnerability (CVE-2017-11927). Device Guard has a security bypass flaw (CVE-2017-11899) being patched, which seems like a repeat of last month's patch. Lastly, Microsoft included the fix for its anti-malware engine (CVE-2017-11937) that it released last week.
For the sticklers out there, Trend Micro has an interesting discussion about what Microsoft considers to be an out-of-band (OOB) patch. Apparently, Microsoft patches the Microsoft Malware Protection Engine at any time (it's not tied to patch Tuesdays), and so patches for it can never be considered to be OOB updates, or something like that.
According to Ivanti, priority this month should be put on patching the Internet Explorer and Microsoft Edge browsers. The Ivanti patch review also pointed to an Office update that addresses an Excel flaw that "could allow Remote Code Execution." The flaw, described in CVE-2017-11935, "is perfect for an attacker to take advantage of," according to Ivanti.
Ivanti also helpfully pointed out that the end of the year is a good time to assess the upcoming end-of-support dates for Microsoft's software. Microsoft has published a "Products Reaching End of Support for 2018" support article, which was last updated back in September. It shows the end dates for software products following the "Modern Lifecycle Policy" and the "Fixed Lifecycle Policy" support models, as well as products moving out of "mainstream support" and into "extended support."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.