Security updates were high on Microsoft’s list of priorities this month. There were 51 CVEs (publicly catalogued vulnerabilities) across 6 products that cover 48 security holes. Four of the vulnerabilities are deemed Critical, and three of the vulnerabilities for Windows and Server OSes became public before they were patched. Fortunately, they weren’t being exploited before the patches arrived (as far as we know; we’re looking at you, NSA). All the more reason to patch quickly, though.
Windows and Server Patches
- Critical: Internet Explorer and Edge have remote code execution and security feature bypass vulnerabilities. Edge also has elevation of privilege and information disclosure vulnerabilities.
- Critical: All supported Windows versions from 7 through 10, as well as Server 2008 through 2016, have denial of service, remote code execution, elevation of privilege, and information disclosure vulnerabilities.
- Critical: Adobe Flash Player Windows and Server versions: remote code execution. If you’re running Windows 10, Flash Player will be included with Windows Updates. However, that is only for Edge and IE. If you have Windows 7 and/or use other browsers, you’ll have to update it yourself (more on that later).
- Important: SQL Server 2012 – 2014: information disclosure.
Adobe Flash Player Security Updates
“The Flash player updates for Windows, Macintosh, Linux and Chrome OS addressed a critical type confusion vulnerability that could lead to code execution, and an important security bypass vulnerability that could lead to information disclosure,” according to SCMagazine. The most recent version is 22.214.171.124.
Brian Krebs stated: “Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select ‘Help,’ then ‘About Chrome’: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are ready to install.”
Adobe Reader and Acrobat Updates
Adobe saw the need to patch several vulnerabilities that were deemed critical or important. As was the case with many of the Windows updates, these vulnerabilities could result in either remote code execution or information disclosure. There were a whopping 69 total CVEs resolved, 43 of which are rated Critical. The most recent Reader versions are 2017.012.20093 for Reader DC and 11.0.21 for Reader XI. Anything older than Reader XI has not been supported with security updates for quite some time. Hey, Reader is free. No excuse not to be running the latest version.
With all the “critical” designations this month, you’d be wise to patch these as soon as you can.