Microsoft releases one of its smallest monthly security patch bundles

Date: 2017-01-10

Patches for Edge, Office, and Windows fix three vulnerabilities

Romania Correspondent, IDG News Service

Microsoft has released its first batch of patches for this year, and it's one of the smallest ever for the company, with only three vulnerabilities fixed across its entire product portfolio.

The patches are covered in four security bulletins, but one is dedicated to Flash Player, for which Microsoft distributed patches through Windows Update.

The only security bulletin rated as critical is the one for Microsoft Office and Office Services and Web Apps. It covers a memory corruption vulnerability that can be exploited by tricking users into opening specially crafted files and can lead to remote code execution.

Another bulletin, for Microsoft's Edge browser, covers a privilege escalation flaw that can be exploited by tricking users into viewing a specially crafted web page. The issue exists in the browser's cross-domain policies and could allow attackers to inject information from one domain into another domain. Microsoft rates this bulletin as important.

The third bulletin covers a denial-of-service issue in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. The flaw is in the Local Security Authority Subsystem Service (LSASS), which handles authentication requests, and can be exploited to reboot the system.

The LSASS vulnerability is rated as important, but it was publicly disclosed before being patched, and a proof-of-concept exploit for it could appear soon.

It's worth noting that this will be the last time Microsoft arranges information about patches into security bulletins. Starting next month, the company will publish vulnerability and patch details on a new portal called the Security Updates Guide that will give users more flexibility in how they search for and view such information.

For example, users will be able to sort and filter the data by CVE vulnerability identifier, knowledge base (KB) article number, product, or release date. They will also be able to filter out products that don't apply to them and access the information through an application programming interface.

"This could be the calm before the storm," said Chris Goettl, product manager at patch management firm Shavlik. "We have not seen this light of a Patch Tuesday since January of 2014. Next month you should expect some adjustments and a heavier Patch Tuesday drop as Microsoft changes methodologies."

Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.
