Microsoft Rings Out the Year with 2017's Last Update Tuesday
December 12 marked Microsoft's last "update Tuesday" for this year.
This batch of security patches addresses 32 Common Vulnerabilities and Exposures (CVEs). The Microsoft software that's getting fixed includes Internet Explorer and Microsoft Edge browsers, ChakraCore (part of Internet Explorer), Windows operating systems, Exchange Server, Microsoft Office and Microsoft Office Services plus Web Apps, and the Microsoft Malware Protection Engine.
The terse details are all tucked away in the Microsoft "Security Update Guide," which is a Web portal that lists security patch details by release date, page by page.
All told, 20 of the 32 CVEs are deemed "Critical," with the other 12 rated "Important," according to a patch review by Trend Micro's TippingPoint Zero Day Initiative. None of the vulnerabilities were publicly known or under active attack, according to Trend Micro's account.
Trend Micro highlighted three flaws as being notable. There's an old InfoTech Storage Format information disclosure vulnerability (CVE-2017-11927). Device Guard has a security bypass flaw (CVE-2017-11899) being patched, which seems like a repeat of last month's patch. Lastly, Microsoft included a fix for its antimalware engine that it released last week (CVE-2017-11937).
For the sticklers out there, Trend Micro has an interesting discussion about what's considered to be an out-of-band (OOB) patch by Microsoft. Apparently, the Microsoft Malware Protection Engine gets patched by Microsoft at any time (it's not tied to patch Tuesdays), and so patches for it can never be considered to be OOB updates, or something like that.
According to Ivanti, priority this month should be put on patching the Internet Explorer and Microsoft Edge browsers. The Ivanti patch review also pointed to an Office update that addresses an Excel flaw that "could allow Remote Code Execution." The flaw, described in CVE-2017-11935, "is perfect for an attacker to take advantage of," according to Ivanti.
Ivanti also helpfully pointed out that the end of the year is a good time to assess the upcoming end-of-support dates for Microsoft's software. Microsoft has published a "Products Reaching End of Support for 2018" support article, which was last updated back in September. It shows the end dates for software products following the "Modern Lifecycle Policy" and the "Fixed Lifecycle Policy" support models, as well as products moving out of "mainstream support" and into "extended support."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.