This is a relatively light update from Microsoft for this December Patch Tuesday, with “only” 32 reported vulnerabilities, none of which have publicly reported or exploited in the wild. The primary concern for this month are the updates to IE and Edge. Microsoft Office has a minor update that can wait for a scheduled patch effort. And lastly, yes, we still have updates for Adobe Flash Player – but it’s not a critical update as Adobe has given it a Priority 2 rating.
Following the advice from Microsoft for this December update release bulletin, please note the following additional items:
- Starting in March 2017, there will be Windows 10 1607, 1703, and 1709 delta packages that contain just the delta changes between the previous month and the current release.
- After May 9, 2017, customers running Windows 10 version 1507 will no longer receive security and quality updates, with the exception of the Windows 10 2015 LTSB and the Windows 10 IoT Enterprise 2015 LTSB editions.
More information on these Microsoft patching changes can be foundhere:
This month, we will be covering the following areas for Patch Tuesday:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows
- Microsoft Office (Including Web Apps)
- MicrosoftNET Core, .NET Core and Chakra Core
- Adobe Flash Player
Browsers (Microsoft IE and Edge)
Microsoft has attempted to address 23 unique vulnerabilities in Microsoft IE and Edge that at worst could lead to a remote code execution security vulnerability. As we have seen in many updates to both IE and Microsoft Edge, most of the reported security vulnerabilities relate to how objects are handled in memory – potentially allowing arbitrary code execution by 3rd parties. These updates are no exception and will require a full (DLL and associated files) update to both Microsoft IE and Edge. Though the largest proportion of critical rated security issues have been raised against Microsoft Edge, add both the Edge and IE updates to your “Patch Now” list.
This is very light month for Windows (both desktop and server) updates. For December, Microsoft has addressed three security vulnerabilities that could lead to a remote code execution scenario, but have (only) been rated as important by Microsoft due to their difficulty of implementation. As noted above, none of these vulnerabilities have been publicly reported or exploited. It really just looks like Microsoft has been doing some house-cleaning on the Windows core code base. Add these updates to your standard update schedule
Microsoft Office (including Web Apps)
After worrying about the IE11 and Edge updates, the patches for Microsoft Office should be next on your list. Microsoft has addressed four security vulnerabilities in their latest version (Office 2016) of which at least one could lead to a remote code execution scenario. For this December update, Microsoft has also released a security advisory (ADV170021) that includes advice for disabling DDE (Dynamic Data Exchange) in Microsoft Word. If required, you can find out more about the exact registry settings and preferred new settings here.
Windows .NET Frameworks and Chakra Core
We won’t see any update for any of the ASP.NET or .NET frameworks this month. However, we do see a single security update to the open-source Microsoft Chakra development effort. The latest commits can be found on GitHub here. This release brings Chakra Core to version 1.7.5 with the resolution of 14 non-critical security issues. Add this update to your standard development updates process.
Adobe Flash Player
This non-critical update for Adobe Flash Player (ADV170022) relates to how Adobe is attempting to resolve a single vulnerability in Adobe Flash Player (CVE-2017-11305). This patch has attempted to resolve an unintended consequence of a previous update to the Adobe Flash Player global settings preference file. Add this update to your standard patch deployment schedule.
Chris Goettl has made a really good point this month regarding the end of life of Windows Release 1607 in March 2018. You can read more about his thoughts on Patch Tuesday here with the helpful Ivanti Patch Tuesday infographic here. And, you can read more about Microsoft’s products that are reaching their end of life dates here.
CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.