Microsoft Rings Out the Year with 2017's Last Update Tuesday

December 12 marked Microsoft's last "update Tuesday" for this year.

This batch of security patches addresses 32 Common Vulnerabilities and Exposures (CVEs). The Microsoft software that's getting fixed includes Internet Explorer and Microsoft Edge browsers, ChakraCore (part of Internet Explorer), Windows operating systems, Exchange Server, Microsoft Office and Microsoft Office Services plus Web Apps, and the Microsoft Malware Protection Engine.

The terse details are all tucked away in the Microsoft "Security Update Guide," a Web portal that lists security patch details by release date, page by page.

All told, 20 of the 32 CVEs are deemed "Critical," with 12 of them rated "Important," according to a patch review by Trend Micro's TippingPoint Zero Day Initiative. None of the vulnerabilities were publicly known or under active attack, according to Trend Micro's account.

Trend Micro highlighted three flaws as being notable. There's an old InfoTech Storage Format information disclosure vulnerability (CVE-2017-11927). Device Guard has a security bypass flaw (CVE-2017-11899) being patched, which seems like a repeat of last month's patch. Lastly, Microsoft included a fix for its antimalware engine that it released last week (CVE-2017-11937).

For the sticklers out there, Trend Micro has an interesting discussion about what's considered to be an out-of-band (OOB) patch by Microsoft. Apparently, Microsoft patches the Microsoft Malware Protection Engine whenever it's needed (it's not tied to patch Tuesdays), and so patches for it can never be considered to be OOB updates, or something like that.

According to Ivanti, priority this month should be put on patching the Internet Explorer and Microsoft Edge browsers. The Ivanti patch review also pointed to an Office update that addresses an Excel flaw that "could allow Remote Code Execution." The flaw, described in CVE-2017-11935, "is perfect for an attacker to take advantage of," according to Ivanti.

Ivanti also helpfully pointed out that the end of the year is a good time to assess the upcoming end-of-support dates for Microsoft's software. Microsoft has published a "Products Reaching End of Support for 2018" support article, which was last updated back in September. It shows the end dates for software products following the "Modern Lifecycle Policy" and the "Fixed Lifecycle Policy" support models, as well as products moving out of "mainstream support" and into "extended support."

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

