Last Updated: 2017-05-09 17:42:21 UTC
by Johannes Ullrich (Version: 1)
It is Microsoft patch Tuesday again, and back are the difficulties to make sense of the way vulnerability information is organized. The Security Update Guide lists a total of 243 security updates, but note how for each product (e.g. Microsoft Edge) we have different platforms listed. These are patches that fix the same group of vulnerabilities but for different platforms.
According to the Security Advisories page, Microsoft released 3 advisories today, and one yesterday. The Security Guidance page has a few more (but some of the links are currently broken). Here are the highlights:
Advisory 4022345: If you installed Windows 10 or Server 2016, but never logged on, then it is possible that your system isn't checking for updates. This is probably not a big deal for most people, but if you deploy large sets of machines, for example in cloud environments, and never log in, then this may be a problem.
Advisory 4021279: .Net Core, ASP.Net Core Privilege Escalation: This is an update to various .Net core packages. If you used a vulnerable package in your project, then your project may be vulnerable. To fix this, you not only need to update .Net Core, but you will also need to update the dependencies in your project. This will require editing the respective project configuration file which specifies the version included.
Advisory 4010323: No more SHA-1 in Internet Explorer 11 and Edge.
Now the probably most interesting advisory came yesterday, a day before the official patch Tuesday. Turns out that Microsoft's Malware Protection engine had a remote code execution vulnerability that could be triggered by it scanning a crafted binary. This vulnerability turned the security software against the user. This vulnerability got quite a bit of press after Tavis Ormandy hinted about it in a widely distributed tweet on Friday. In the end, this will likely not be as catastrophic as many made it seem. First of all, there is currently no public exploit. Secondly, but the time to read this, you are very likely patched. This patch will be applied as part of Microsoft's regular signature update. It is not a patch that you specifically have to apply. Windows should check for updated signatures at least once a day. If it skips an update, then maybe it will take another day. But there is currently no public exploit, so don't panic. You probably have plenty of other issues to worry about. Just let this one work itself up.
And Adobe, of course, patched Flash, which also affects Internet Explorer and Edge.