March Patch Tuesday closes record number of vulnerabilities
With no February Patch Tuesday, it was to be expected that Microsoft would fix a huge number of security issues in March. They didn’t disappoint: 139 unique CVEs have been resolved.
As announced before, the information was released through the company’s Security Update Guide, but they’ve also decided to publish security bulletins (a total of 18) this month, “to give customers extra time to ensure they are ready to transition their processes.”
The March security release consists of security updates a wide variety of Microsoft offerings. Of these, those for Internet Explorer, Microsoft Edge, for several issues in Windows, and Adobe Flash Player are considered of “critical” importance – one vulnerability
“Probably the most “scary” set of vulnerabilities in this update are CVE 2017-0143, CVE 2017-0144, CVE 2017-0145, CVE 2017-0146, CVE 2017-0148,” notes SANS ISC CTO Johannes Ullrich.
They are remote code execution vulnerabilities that exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, and could allow unauthenticated attackers to execute arbitrary code on the target server.
“Microsoft rates the exploitability with ‘1’, indicating that it wouldn’t be terribly difficult to develop an exploit for these,” he pointed out.
The two zero-day vulnerabilities for which PoC exploit code was released last month have also been patched.
All in all, the Internet Explorer update is the most critical, as one of the fixed bugs (CVE-2017-0149) is under active attack and leads to remote code execution.
Trend Micro’s Dustin Childs offered a helpful rundown on which updates admins should prioritize.