After last month’s postponement, Microsoft’s Patch Tuesday is back with a massive release of fixes that includes patches for security vulnerabilities in Windows and associated software disclosed and exploited since January’s patch release.
Meanwhile, Adobe has also pushed out security updates for its products, releasing patches for at least seven security vulnerabilities in its Flash Player software.
Microsoft patched a total of 140 separate security vulnerabilities across 18 security bulletins, nine of them critical as they allow remote code execution on the affected computer.
Microsoft Finally Patches Publicly Disclosed Windows Flaws
The “critical” security updates include a fix for a flaw in the SMB (Server Message Block) network file sharing protocol, for which exploit code has been publicly available since last month. The original patch released last year for this flaw was incomplete.
The flaw is a memory corruption issue that could allow remote code execution (RCE) if an attacker sends specially crafted messages to a Microsoft SMBv1 server.
All versions of Microsoft Windows are affected by this issue, which could allow a remote, unauthenticated attacker to crash systems with a denial-of-service attack.
Microsoft admitted: “Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.”
Microsoft patched the vulnerability but did not credit Laurent Gaffié, who found the flaw last year and released the exploit code in February.
Microsoft Also Patches Flaws Uncovered By Google
Another critical patch (MS17-013) addresses a dozen serious flaws in the Windows Graphics Component GDI library used in Office, Skype, Lync, and Silverlight.
The flaws reside in the way Windows handles certain image files. Hackers can exploit the weaknesses to achieve remote code execution on your system by making you visit a booby-trapped website or open a malware-ridden document. No further user interaction is needed.
Google’s Project Zero also disclosed this flaw with a proof-of-concept exploit late last month, before Microsoft had fixed it.
All supported releases of Microsoft Windows back to Windows Vista are vulnerable to this flaw. The tech giant originally patched this issue in June last year, but the patch was incomplete.
Microsoft also patched seven other critical flaws, including two cumulative updates for Internet Explorer and its Edge browser, and nine important ones.
Late last month, Google’s Project Zero research team publicly disclosed details and a proof-of-concept exploit for a code execution flaw in Microsoft’s Internet Explorer and Edge browsers that could allow attackers to crash the browsers.
Meanwhile, Adobe also released patches for its Flash Player software for Windows, Macintosh, Linux and Chrome OS.
Users are advised to apply both the Windows and Adobe patches to keep hackers and cybercriminals from taking control of their computers.