Microsoft Patch Tuesday Lands Hours After Emergency Patch

Tom Jowitt,

Redmond continues with new update format as May’s edition tackles 57 vulnerability fixes

Microsoft has issued its regular ‘Patch Tuesday’ security update for May, just hours after it released an emergency fix for a dangerous flaw present in most of its anti-malware technology.

That ‘out-of-band’ fix was rushed out on Monday after Google’s Project Zero researchers found a bug that could enable files with custom code to be executed when scanned by products including Microsoft Security Essentials, Windows Defender, and Microsoft Endpoint Protection.

Redmond followed this up on Tuesday with its regular Patch Tuesday update that contained fixes for 57 vulnerabilities in both its products and for Adobe Flash.

security vulnerability Shutterstock - © Andy Dean PhotographyNew Format

Microsoft revealed at the start of this year that it was changing its regular Patch Tuesday update process.

From March it began offering a dynamic online portal (the Security Update Guide) rather than the static bulletins it has published for the past 12 years.

This change is not universally popular as the new format means that system administrators now have to scan tens of pages in order to gain information about crucial updates.

While the Security Update Guide does provide a number of nice filtering options, people are frustrated as a bit of the organisation has now been lost.

That frustration aside, May’s Patch Tuesday update contains fixes for 57 vulnerabilities, including some for zero-day flaws.

This month’s Patch Tuesday covers 57 vulnerability fixes,” commented Amol Sarwate, director of vulnerability research at Qualys. “Highest priority should go to patching 0-day issues which are actively exploited. CVE-2017-0261 can be attacked via Office files containing a malformed graphics image. As this is actively exploited in the wild and attackers can take complete control of the victim system, this should be treated with priority.”

Adobe Flaws

CVE-2017-0222 is a vulnerability in Internet Explorer, and users can be compromised if they visit a malicious website hosted by attackers,” he added.

“This patch gets priority as the vulnerability is currently exploited in the wild and attackers can take complete control of the victim machine,” he said. “Microsoft also released an update to deprecate websites with public SHA-1 certificates.”

“Today we have updates from Microsoft and Adobe that need some attention,” said Chris Goettl, product manager with Ivanti. “By our count, there are 13 Microsoft updates this month addressing a total of 56 vulnerabilities, including three that have been exploited and three that were publicly disclosed.”

“This is aside from the advisory regarding the ‘crazy bad’ vulnerability discovered in the Malware Protection Engine,” he added. “Adobe has also released an update for Adobe Flash Player that resolves a total of seven vulnerabilities and is rated as critical or priority by Adobe’s verbiage.”

Quiz: Do you know all about security in 2016?