Microsoft fixes 45 flaws, including three actively exploited vulnerabilities
Microsoft released its monthly security-patch bundle Tuesday, fixing 45 unique vulnerabilities, three of which are publicly known and targeted by hackers.
The top priority this month should be given to the Microsoft Office security update because one of the fixed flaws has been actively exploited by attackers since January to infect computers with malware. Over the past few days this vulnerability, tracked as CVE-2017-0199, has seen widespread exploitation.
The CVE-2017-0199 vulnerability can be exploited through maliciously crafted RTF (Rich Text Format) documents when such documents are opened with either Microsoft Word or WordPad. Because WordPad is bundled with Windows by default, a patch for this flaw is also included in the security updates for Windows.
According to security vendor Qualys, the next priority should go to the updates for Microsoft’s Internet Explorer and Edge browsers. These update address several remote code execution vulnerabilities.
One flaw patched in IE allows attackers to bypass the cross-domain policies enforced by the browser. The flaw makes it possible to take information from one domain and inject it into another, violating an important security barrier.
Microsoft’s notes for this vulnerability mention that it has already been exploited in the wild, but don’t include other details about the attacks.
Critical vulnerabilities have also been patched in Hyper-V, Microsoft’s virtualization hypervisor that’s included in Windows Server 2008, 2012 and 2016, as well as in Windows 8.1 and 10. These vulnerabilities can allow applications running inside a guest operating system to escape the virtual machine and execute malicious code on the host OS.
Finally, a remote code execution vulnerability has been fixed in the Microsoft .NET Framework. This flaw potentially can be exploited by attackers to take complete control of a system running a vulnerable deployment of the framework.
Microsoft has also released a defense-in-depth update for Microsoft Office that disables the Encapsulated PostScript (EPS) filter by default. That’s because the company is aware of limited, targeted attacks that try to take advantage of an unpatched vulnerability in this filter.
The Microsoft updates also include third-party critical patches for Flash Player, which is bundled with Internet Explorer 11 and Edge.
This Patch Tuesday bundle is also notable because it marks the end of support for Windows Vista, which will no longer receive security updates after this round of patches.