Reg comments41

Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes

Patch Tuesday shakeup sucks

Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers.

In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead scattered details of changes across a new portal: Microsoft's Security Update Guide.

Billed by Redmond as "the authoritative source of information on our security updates," the portal merely obfuscates discovered vulnerabilities and the fixes available for them. Rather than neatly split patches into bulletins as in previous months, Microsoft has dumped the lot into an unwieldy, buggy and confusing table that links out to a sprawl of advisories and patch installation instructions.

Punters and sysadmins unable to handle the overload of info are left with a fact-light summary of April's patches – or a single bullet point buried at the end of a list of tweaks to, for instance, Windows 10.

Now, ordinary folk are probably happy with installing these changes as soon as possible, silently and automatically, without worrying about the nitty-gritty details of the fixed flaws. However, IT pros, and anyone else curious or who wants to test patches before deploying them, will have to fish through the portal's table for details of individual updates.

Critical fixes hushed away

These updates include Hyper-V bugs that allow guest applications to hijack underlying host servers or siphon off information. And a remote-code execution bug in trusty WordPad that means opening a malicious file can trigger the installation of spyware or some other software nasty. And another remote-code execution hole in Outlook that means opening or previewing a booby-trapped email can lead to a malware infection.

Crucially, none of these programming blunders are mentioned in the PR-friendly summary put out today by Microsoft – a multibillion-dollar corporation that appears to care more about its image as a secure software vendor than coming clean on where its well-paid engineers cocked up. The summary lists "security updates" for "Microsoft Windows," "Microsoft Office," and "Internet Explorer" without version numbers or details.

The summary also fails to point out that three bugs – CVE-2017-0199 in Word and WordPad, CVE-2017-0210 in Internet Explorer, and CVE-2017-2605 in Office – are being actively attacked in the wild by miscreants and the Dridex malware. That latter bug has no patch, by the way: Microsoft just switched off an exploited PostScript filter by default.

"This new portal gives our customers a more relevant and customized user experience and is the single location for information on our security updates," a Microsoft spokesperson told El Reg. But we already had a single relevant location for security advisories: TechNet bulletins. Now that useful service has been mothballed as Microsoft moves full swing into its patch bundle approach.

Amusingly, if you want a breakdown of the actual bugs fixed, you have to find the acknowledgements page, which lists each vulnerability patched along with a CVE number and the names of the researchers who reported the flaws. This list isn't perfect, though: the bugs are listed in order of CVE, and not grouped by product or severity, so it's rather all over the shop.

According to this month's high-level overview, Redmond has made available patches to address security shortcomings in the following:

  • Edge
  • Internet Explorer
  • Windows
  • Office, Office Services, Office Web Apps
  • .NET framework
  • Flash Player (more on that below)
  • Visual Studio for Mac
  • Silverlight

These fixes can now be installed automatically via Windows Update. Reboot and you're done. But wait, there are caveats. For example, the patch bundles KB4015549, KB4015546, KB4015550, KB4015547 that install the security fixes on Windows 7 and 8 have an unfortunate side-effect on computers using AMD Carrizo-based processors – they'll be blocked from receiving further software updates until Microsoft sorts that out. Gulp!

"If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution and will provide an update in an upcoming release," we're told.

How does that even happen?

Anyway, here are the gems we've found so far buried in today's patches:

  • Flaws in Office/Word Pad, Internet Explorer, and Office that are being targeted in the wild, according to Zero Day Initiative.
  • Seven holes in Hyper-V: three allowing remote code execution (CVE-2017-0162, CVE-2017-0163, CVE-2017-0181), two permitting information disclosure (CVE-2017-0168, CVE-2017-0169), and two denial of service (CVE-2017-0182, CVE-2017-0186). These were found by the Microsoft Offensive Security Research Team, Felix Wilhelm, and Microsoft's Vulnerabilities & Mitigations team.
  • A remote-code execution flaw in Outlook (CVE-2017-0106) that can be triggered by simply opening or previewing a maliciously crafted message.
  • An information-leaking flaw (CVE-2013-6629) in libjpeg, a JPEG-processing library present on all supported versions of Windows and Windows Server.
  • A code-execution flaw in .NET (CVE-2017-0160) that requires local access on the target machine to exploit. The hole is present in all versions of .NET Framework from 2.0 SP2 through 4.7.
  • Three flaws in Win32.sys, two allowing information disclosure (CVE-2017-0058, CVE-2017-0188) and one allowing elevation of privilege (CVE-2017-0189). Malicious apps and logged-in users can exploit these to extract data from memory or gain control of the system.
  • Microsoft Office flaws that include memory-corruption (CVE-2017-0194) bugs, cross-site-scripting with elevation of privilege (CVE-2017-0195), and a DLL-loading flaw (CVE-2017-0197). An update for Office for Mac addresses an HTML spoofing flaw (CVE-2017-0207).
  • Two memory-corruption flaws (CVE-2017-0200, CVE-2017-0205) in Microsoft Edge, while two memory corruption flaws (CVE-2017-0202, CVE-2017-0158) and an elevation of privilege (CVE-2017-0210) error were spotted in Internet Explorer. These bugs can be exploited to run malicious code on a system by tricking a victim into simply opening a booby-trapped webpage.
  • Elevation-of-privilege flaws (CVE-2017-0155, CVE-2017-0156) in Windows Graphics and Windows Graphics Component, as well as an elevation of privilege vulnerability in Windows (CVE-2017-0165), allowing a malicious application or logged-in user to hijack a system, and an information-disclosure flaw (CVE-2017-0167) in Windows Kernel.
  • ADFS can be brute-forced (CVE-2017-0159) in Windows 10 and Windows Server to allow an account password to be guessed, while Windows 10, 8.1 and Server 2012 allow elevation of privilege (CVE-2017-0165) at admin level and Active Directory can be crashed (CVE-2017-0164) with a malicious search query, and domain controllers can be targeted thanks to an elevation-of-privilege flaw (CVE-2017-0166) in LDAP.
  • A denial-of-service flaw (CVE-2017-0191) can be abused by applications to crash Windows and Windows Server boxes, while Windows OLE has an elevation of privilege (CVE-2017-0211) flaw, and the Adobe Type Manager Font Driver can be exploited (CVE-2017-0192) to trigger information disclosure.
  • The Windows Scripting Engine sports a memory-corruption (CVE-2017-0201) vulnerability as well as an information-disclosure (CVE-2017-0208) flaw.

A bunch of these bugs were found by, among others, Google Project Zero, folks working with Trend Micro's Zero Day Initiative, the Qihoo 360 Vulcan Team, Secunia Research at Flexera Software, McAfee, Hyundai, Securify B.V., FireEye, Optiv, SecuriTeam, and Palo Alta Networks.

Of course, Adobe, too

Meanwhile, Adobe stuck with its tried-and-true format of actually telling people what was getting fixed in this month's Patch Tuesday. The April Flash Player update addresses seven remote code execution flaws for Windows, macOS, and Linux versions.

Adobe also addressed 47 CVE-listed flaws in Acrobat and Reader, two in Photoshop CC for Mac and Windows, two in the Creative Cloud Desktop Application for Windows, and one in Adobe Campaign.

The Flash Player update can be downloaded through Adobe or will be installed automatically in Chrome, Edge and newer versions of Internet Explorer. ®

Spot anything else weird and wonderful in today's patches? Let us know!

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017