A few days ago, we reported about a newly revealed Microsoft Word zero-day flaw that affected all versions of Microsoft Word. The said bug can be used to secretly install malware, even on fully patched machines.
Microsoft said that a fix will be issued in this month’s set of updates and patches, regularly scheduled for “Patch Tuesday” (the second Tuesday of each month is unofficially called Patch or Update Tuesday).
As promised, the patch was rolled out yesterday, together with fixes for 45 other vulnerabilities, including two other zero-day exploits. Yesterday also marked the end of the line for one of Microsoft’s most reviled Windows versions.
Aside from the fix for the Microsoft Word/Note Pad zero-day flaw (CVE-2015-0199), two other zero-days were fixed.
- CVE-2017-0210 is a patch for an Internet Explorer elevation of privilege vulnerability that allowed an attacker to access information from one domain and inject it into another domain.
- CVE-2017-2605 is more of a defensive measure against an Encapsulated PostScript filter vulnerability in Office. Instead of an actual patch for this zero-day flaw, this update merely turns off the EPS filter for now.
Vulnerabilities rated critical
Other patches are for critical vulnerabilities including fixes for Microsoft Edge, Hyper-V, Internet Explorer 9, 10, 11, Microsoft Office, various versions of Windows and Adobe Flash Player.
- The fixes for Microsoft Edge address memory corruption exploits (CVE-2017-0200, CVE-2017-0205)
- Internet Explorer (CVE-2017-0210) gets patched for elevation of privilege flaws and memory corruption (CVE-2017-0202, CVE-2017-0158), as well.
- The seven flaws in Hyper-V can allow information disclosure (CVE-2017-0168, CVE-2017-0169), remote code execution (CVE-2017-0162, CVE-2017-0163, CVE-2017-0181) and denial of service attacks (CVE-2017-0182, CVE-2017-0186).
- Microsoft Office memory corruption flaws (CVE-2017-0194), a cross-site scripting and elevation of privilege bug (CVE-2017-0195) and a DLL-loading flaw (CVE-2017-0197) were also addressed.
- Other Windows system fixes include patches for Outlook (CVE-2017-0106)
- libjpeg (CVE-2013-6629)
- .NET Framework (CVE-2017-0160)
- Win32.sys (CVE-2017-0058, CVE-2017-0188, CVE-2017-0189)
- Windows Graphics Component (CVE-2017-0155, CVE-2017-0156)
- ADFS brute-forcing (CVE-2017-0159)
- Adobe Flash Player was likewise patched for remote code execution flaws across different platforms, including Windows.
This month also marks the debut of the new Microsoft Security Update Guide in lieu of the old Security Bulletin format.
Although this new portal has a search feature, compared to the old format, it takes more clicks to get the information for each update. Additionally, the patch details are no longer viewable on one page, grouped according to the issue. This is probably not a big deal for regular users but IT professionals may find this new system cumbersome.
End of Vista
In related news, as we warned you earlier, yesterday, April 11, marked the last day of support for Windows Vista. If you’re still in this Windows version, it is recommended that you upgrade as soon as possible since there will be no more security patches or software updates for Vista as of April 12.
Windows 10 Creator’s Update
For Windows 10 users, the big Creator’s Update also started rolling out yesterday. This will bring a plethora of new features and improvements to Microsoft’s latest operating system. Read more about it here.
How to update Windows
Most Windows machines are set to download and install updates automatically by default. If you haven’t changed your automatic update settings then you should be fine.
But if you want to check, here’s how:
On Windows 10, click Start (Windows logo), choose “Settings,” select “Update & Security,” then on the “Windows Update” section, click on “Advanced Options.” (Note: the “Windows Update” section is also handy for showing you updates that are currently being downloaded or applied.) Under “Advanced Options,” just make sure the drop down box is set to “Automatic.”
If you have an older Windows 7 system, check out our tips on how to set up and check Windows Updates.