Microsoft begins its monthly set of bulletins for 2017 with relatively few bulletins released in January. Four security bulletins make up this month’s Patch Tuesday—one of which is rated Critical to address vulnerabilities seen in Adobe Flash Player while the other three are tagged as Important to patch vulnerabilities in Microsoft Office, Edge, and the Local Security Authority Subsystem Service (LSASS).
There are no regular cumulative updates for Microsoft released this month and the only Critical update released, MS17-003, issues fixes for vulnerabilities in Adobe Flash Player by updating affected libraries in Internet Explorer 10, 11, and Microsoft Edge.
The remaining Important updates are made up of MS17-001, which resolves Microsoft Edge vulnerabilities that could elevate privileges to an attacker when a user visits a specially-crafted webpage. MS17-002 is rolled out to address arbitrary code execution vulnerabilities in MS Office 2016. This allows remote code execution to an attacker if a user unknowingly opens a specially-crafted Microsoft Office file. Lastly, MS17-004 patches a denial of service vulnerability that lies in Local Security Authority Subsystem Service’s management of authentication requests.
In sync with Microsoft, Adobe also released security updates for their own products, which includes fixes for disclosed vulnerabilities in Adobe Acrobat and Reader (APSB17-01) and Adobe Flash Player (APSB17-02). This brings the latest version of Flash Player to 18.104.22.168.
The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
- CVE-2017-2941 (APSB17-01)
- CVE-2017-2946 (APSB17-01)
- CVE-2017-2950 (APSB17-01)
- CVE-2017-2951 (APSB17-01)
- CVE-2017-2959 (APSB17-01)
- CVE-2017-2960 (APSB17-01)
- CVE-2017-2961 (APSB17-01)
- CVE-2017-2962 (APSB17-01)
- CVE-2017-2963 (APSB17-01)
- CVE-2017-2964 (APSB17-01)
- CVE-2017-2965 (APSB17-01)
- CVE-2017-2966 (APSB17-01)
- CVE-2017-2967 (APSB17-01)
Trend Micro Solutions
- 1008116-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0003)
- 1008119-Microsoft Windows Local Security Authority Subsystem Service (LSASS) Denial Of Service Vulnerability (CVE-2017-0004)
TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:
- 26410: HTTP: Microsoft Word RTF Memory Corruption Vulnerability