January 2017 Patch Tuesday: Four Updates Issued by Microsoft

January 2017 Patch Tuesday sees one of the lightest updates for Microsoft. The updates are spread across just four security bulletins, two of which have been marked as critical. Three of the updates deal with flaws affecting Microsoft products directly: Microsoft Edge, MS Office and Windows. The fourth update is for Adobe Flash and updates the Edge and IE browsers.

The two critical security bulletins are for Microsoft Office and Adobe Flash. The updates for the Microsoft Edge browser and Windows are marked as important.

The Office update affects Microsoft Office Services and Web Apps and addresses a vulnerability that is being tracked as CVE-2017-0003. The vulnerability could allow an attacker to remotely execute code if a user opens a specially crafted MS Office document. The update changes how Office – MS Word 2016 and SharePoint Enterprise – handles memory objects. If the flaw is exploited, an attacker could run arbitrary code in the context of the current user.

The Adobe Flash update addresses thirteen vulnerabilities and is required for all supported versions of Windows. The patch updates the Adobe Flash libraries in Edge and Internet Explorer 10 and 11. The vulnerabilities are being tracked as CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937 and CVE-2017-2938.

The important update for Windows addresses a denial of service vulnerability that is being tracked as CVE-2017-0004. The update changes how authentication requests are handled by the Local Security Authority Subsystem Service (LSASS). The flaw could be exploited to cause a denial of service in LSASS and force a reboot of the system. This vulnerability has been publicly disclosed, although a proof-of-concept exploit has not yet been made public.

This is the last month that Microsoft will be issuing security bulletins. The company will be changing the way it issues updates and makes them public. February 2017 Patch Tuesday will see the vulnerabilities and updates published on Microsoft’s Security Update Guide.

January 2017 Patch Tuesday may not address many vulnerabilities, although next month’s release is likely to be larger. The new system will make it easier for users to filter the updates and view only those that are relevant. However, since the updates are bundled together, it will not be possible to pick and choose which updates are installed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news