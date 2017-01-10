Microsoft releases only 4 security bulletins, 2 critical, on first 2017 Patch Tuesday

It's a super light month, meaning four patches later and you'll have closed holes in Windows and Adobe Flash Player.

windows bug
For the first Patch Tuesday of 2017, Microsoft is easing us into it by releasing only four security bulletins, half are of which are rated as critical for remote code execution flaws. In reality, only three of those are for Windows systems!

This is the lightest load I can recall Microsoft handing us. It almost feels like this surely can’t be right, but hey – you didn’t want to work hard today anyhow, did you?

Critical

MS17-002 resolves a remote code execution flaw in Microsoft Office. Microsoft Word 2016 32-bit and 64-bit editions and Microsoft SharePoint Enterprise Server 2016 are listed as the only affected software versions. The RCE bug is a result of Office software failing to properly handle objects in memory. If an attacker successfully exploited the flaw, and the user had admin rights, the attacker could take control of the box.

Tony Loi of Fortinet’s FortiGuard Labs is credited with discovering the Office memory corruption vulnerability.

While rated critical for RCE, MS17-003 is for Adobe Flash Player. Adobe resolved 13 CVEs in security bulletin APSB17-02.

Yeppers, that’s all Microsoft has listed this month to patch critical flaws.

Important

MS17-001 is to close a single elevation of privilege hole in Microsoft Edge. The flaw is present only on Windows 10 and Windows Server 2016. It has been publicly disclosed, although Microsoft noted that it is not currently being exploited.

MS17-004 fixes a denial of service vulnerability in the Local Security Authority Subsystem Service (LSASS). Microsoft noted, “An attacker who successfully exploited the vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system.” The flaw has been publicly disclosed, but is reportedly not yet being exploited.

Nicolás Economou and Laurent Gaffie from Core Security are credited for discovering the denial of service flaw.

Do a happy dance because that’s it! Happy patching!

