Today’s VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-706 on Wednesday, January 11th.
Ease of Use (published exploits) to Risk Table
| Ease of Use / Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
|---|---|---|---|---|---|---|
| Automated Exploit | | | | | | |
| Easy | | MS17-001 | | | | |
| Moderate | | | | | | |
| Difficult | | | | | | |
| Extremely Difficult | | | MS17-004 | | | |
| No Known Exploit | | MS17-002, MS17-003 | | | | |
MS17-001
Microsoft is starting off 2017 with a minimal set of patches – 4 bulletins and 15 CVEs, 12 of which are Flash-related. The first bulletin this month resolves a single vulnerability in Microsoft Edge and, since this vulnerability is Edge-specific, it means we don’t have an IE bulletin this month. The vulnerability is an elevation of privilege created by a lack of cross-domain policy enforcement with the about:blank page.
CVE-2017-0002 was publicly disclosed.
MS17-002
The second bulletin this month addresses a single vulnerability in Microsoft Word and SharePoint Enterprise Server 2016 that could allow code execution when opening malicious files.
MS17-003
The penultimate update this month is the companion update to APSB17-02. This update resolves a dozen vulnerabilities affecting Adobe Flash.
MS17-004
The final bulletin this month is an unauthenticated denial of service vulnerability in the Local Security Authority Subsystem Service, better known as LSASS. A malicious authentication request could result in the targeted system crashing.
CVE-2017-0004 was publicly disclosed.
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.