Microsoft Rings Out the Year with 2017's Last Update Tuesday -- Redmondmag.com

Microsoft Rings Out the Year with 2017's Last Update Tuesday

By Kurt Mackie
12/12/2017

December 12 marked Microsoft's last "update Tuesday" for this year.

This batch of security patches addresses 32 common vulnerabilities and disclosures (CVEs). The Microsoft software that's getting fixed includes Internet Explorer and Microsoft Edge browsers, ChakraCore (part of Internet Explorer), Windows operating systems, Exchange Server, Microsoft Office and Microsoft Office Services plus Web Apps, and the Microsoft Malware Protection Engine.

The terse details are all tucked away in the Microsoft "Security Update Guide" here, which is a Web portal that lists security patch details by release date, page by page.

All told, 20 of the 32 CVEs are deemed "Critical," with 12 of them rated "Important," according to a patch review by Trend Micro's TippingPoint Zero Day Initiative. None of the vulnerabilities were publicly known or under active attack, according to Trend Micro's account.

Trend Micro highlighted three flaws as being notable. There's an old InfoTech Storage Format information disclosure vulnerability (CVE-2017-11927). Device Guard has a security bypass flaw (CVE-2017-11899) being patched, which seems like a repeat of last month's patch. Lastly, Microsoft included a fix for its antimalware engine that it released last week (CVE-2017-11937).

For the sticklers out there, Trend Micro has an interesting discussion about what's considered to be an out-of-band (OOB) patch by Microsoft. Apparently, the Microsoft Malware Protection Engine gets patched whenever by Microsoft (it's not tied to patch Tuesdays), and so patches for it can never be considered to be OOB updates, or something like that.

According to Ivanti, priority this month should be put on patching the Internet Explorer and Microsoft Edge browsers. The Ivanti patch review also pointed to an Office update that addresses an Excel flaw that "could allow Remote Code Execution." The flaw, described in CVE-2017-11935, "is perfect for an attacker to take advantage of," according to Ivanti.

Ivanti also helpfully pointed out that the end of the year is a good time to assess the upcoming end-of-support dates for Microsoft's software. Microsoft has published a "Products Reaching End of Support for 2018" support article, which was last updated back in September. It shows the end dates for software products following the "Modern Lifecycle Policy" and the "Fixed Lifecycle Policy" support models, as well as products moving out of "mainstream support" and into "extended support."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.