Menu
Microsoft fixes 45 flaws, including three actively exploited vulnerabilities

Microsoft fixes 45 flaws, including three actively exploited vulnerabilities

Microsoft Patch Tuesday includes fixes for critical flaws in IE, Edge, Office, Windows and .NET

Microsoft released its monthly security-patch bundle Tuesday, fixing 45 unique vulnerabilities, three of which are publicly known and targeted by hackers.

The top priority this month should be given to the Microsoft Office security update because one of the fixed flaws has been actively exploited by attackers since January to infect computers with malware. Over the past few days this vulnerability, tracked as CVE-2017-0199, has seen widespread exploitation.

The CVE-2017-0199 vulnerability can be exploited through maliciously crafted RTF (Rich Text Format) documents when such documents are opened with either Microsoft Word or WordPad. Because WordPad is bundled with Windows by default, a patch for this flaw is also included in the security updates for Windows.

According to security vendor Qualys, the next priority should go to the updates for Microsoft's Internet Explorer and Edge browsers. These update address several remote code execution vulnerabilities.

One flaw patched in IE allows attackers to bypass the cross-domain policies enforced by the browser. The flaw makes it possible to take information from one domain and inject it into another, violating an important security barrier.

Microsoft's notes for this vulnerability mention that it has already been exploited in the wild, but don't include other details about the attacks.

Critical vulnerabilities have also been patched in Hyper-V, Microsoft's virtualization hypervisor that's included in Windows Server 2008, 2012 and 2016, as well as in Windows 8.1 and 10. These vulnerabilities can allow applications running inside a guest operating system to escape the virtual machine and execute malicious code on the host OS.

Finally, a remote code execution vulnerability has been fixed in the Microsoft .NET Framework. This flaw potentially can be exploited by attackers to take complete control of a system running a vulnerable deployment of the framework.

Microsoft has also released a defense-in-depth update for Microsoft Office that disables the Encapsulated PostScript (EPS) filter by default. That's because the company is aware of limited, targeted attacks that try to take advantage of an unpatched vulnerability in this filter.

The Microsoft updates also include third-party critical patches for Flash Player, which is bundled with Internet Explorer 11 and Edge.

This Patch Tuesday bundle is also notable because it marks the end of support for Windows Vista, which will no longer receive security updates after this round of patches.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments