The second Tuesday of the month is always busy with updates from many operating system and software vendors, except February 2017 when Microsoft delayed updates until March.
Today’s updates included Microsoft’s usual updates for May 2017:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- NET Framework
- Adobe Flash Player in Internet Explorer
In addition, Microsoft released an out-of-band patch for the Microsoft Malware Protection Engine, the software behind Windows Defender and other Endpoint Protection antivirus products on Windows. The bug was discovered by a Google Project Zero researcher who notified Microsoft of the problem this weekend. Microsoft Security Advisory 4022344 details the vulnerability:
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
No action is required as the Microsoft Malware Protection Engine and malware definitions are kept up to date automatically. If your environment controls these updates, you should review that the update process is working as expected.
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
— Tavis Ormandy (@taviso) May 9, 2017
The last point for Microsoft’s activity today includes an odd update in Microsoft Security Advisory 4022345, which corrects Windows Update clients that might fail to receive updates. An edge case was discovered where Windows 10 or Windows Server 2016 clients may not download Windows Updates if they have never been logged into interactively to complete the initial setup.
The update fixes this issue with a “self-healing mechanism” to correct the problem where the machine will honor the settings a sysadmin has configured, for example, through Group Policy, and machines that have Windows Updates disabled will not be forced to install updates.
Adobe patched Flash Player on Windows, macOS, and Linux. Adobe Security Bulletin APSB17-15 brings Flash Player up to version 220.127.116.11 and should be installed promptly as the critical vulnerabilities could allow an attacker to take control of a computer.
Adobe Experience Manager Forms was also updated with details in Adobe Security Bulletin APSB17-16.