Microsoft warned of one critical Adobe Flash Player bug and three additional vulnerabilities rated as important, as part of its regular Patch Tuesday update.
The Microsoft vulnerabilities are tied to Office 2016, its Edge browser and its Local Security Authority Subsystem Service (LSASS).
First up is a critical security bulletin issued by Microsoft that is tied to a swath of bugs found in Adobe Flash Player used in its Windows 8.1 OS (64-bit, 32-bit), Windows RT 8.1, multiple versions of Windows 10 and Windows Server 2016.
Those Adobe Flash Player vulnerabilities were outlined earlier Tuesday by Adobe when it announced a bevy of patches that addressed code execution flaws in Flash, Reader and Acrobat.
Besides applying the requisite patches, Microsoft suggested disabling instances of Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010.
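As an added example (not from the article or from Microsoft's bulletin), the PowerShell below audits, and can set, the Internet Explorer kill bit for the Flash Player ActiveX control that the workaround above refers to; it assumes the documented Shockwave Flash Object CLSID and the 0x400 "Compatibility Flags" kill-bit value, and must be run in an elevated session:

```powershell
# Added example: audit / apply the IE kill bit for the Flash Player ActiveX control.
# Assumptions: $FlashClsid is the documented Shockwave Flash Object CLSID and
# 0x400 in "Compatibility Flags" is the kill bit honored by IE and other hosts.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400

# On 64-bit Windows both the native and the 32-bit (WOW6432Node) views matter,
# because 32-bit hosts such as Office read the WOW6432Node hive.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

function Test-FlashKillBit {
    # Reports, per registry view, whether the kill bit is present.
    foreach ($Path in $Paths) {
        $Flags = 0
        if (Test-Path $Path) {
            $Item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $Item) { $Flags = [int]$Item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Path       = $Path
            Flags      = ('0x{0:X}' -f $Flags)
            KillBitSet = (($Flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-FlashKillBit {
    # Sets the kill bit while preserving any other Compatibility Flags bits.
    foreach ($Path in $Paths) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        $Current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $New = ([int]$Current) -bor $KillBit
        Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $New -Type DWord
    }
}

# Audit only by default; call Set-FlashKillBit to apply the workaround.
Test-FlashKillBit | Format-Table -AutoSize
```

Setting the kill bit blocks the control in every host that honors it, so verify Flash is not required by a line-of-business application before applying it fleet-wide.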
As for the three bulletins marked as important, Microsoft identified an Office (MS17-002) bug that could allow remote code execution if a user opened a specially crafted Office file.
This vulnerability was originally rated critical by Microsoft, but the bulletin was later downgraded to important.
The flaw (CVE-2017-0003) impacts specific Office applications such as Microsoft Word 2016 (64-bit, 32-bit) as well as Microsoft SharePoint Enterprise Server 2016.
“Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” according to the bulletin.
Elevation of privilege vulnerabilities (MS17-001), rated important, were found in seven versions of Microsoft’s Edge browser and were also patched.
“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain.
An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge,” according to Microsoft.
An additional denial of service vulnerability rated important was also patched, impacting Microsoft Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (and Server Core).
The DoS vulnerability (MS17-004) exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests, said Microsoft. “An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system,” Microsoft said.
Today’s Patch Tuesday, the first of 2017, marks the first monthly cycle that Microsoft is doing away with bulletins for newer products.
Instead, Microsoft patches will be delivered in one installable package. Under the new patch management regime, however, Microsoft’s Vista operating system will still get bulletins.
Microsoft’s Patch Tuesday coincides with the release of cumulative updates for nearly all versions of Windows 10, including the Anniversary Update for PCs (Build 14393.693).
The update did not introduce new features, but rather fixed several security-related features such as fingerprint authentication and App-V Connection Group, along with an issue that had allowed two similar input devices to work on the same machine.