14 DAY TRIAL // This month’s Patch Tuesday rollout includes two updates resolving Windows vulnerabilities that were actively exploited by cybercriminals, including a security flaw that was made public by Google.
Google disclosed a vulnerability in the Windows GDI library after the company failed to patch it during the 90 days vendors are provided with as part of the Project Zero program, and although a fix was expected last month, Microsoft only released it a few hours ago following the delay of the February 2017 Patch Tuesday rollout.
The patch that you need to look after for this fix is MS17-013, which is the zero-day documented as CVE-2017-0005 and listed by Microsoft as a critical update affecting all supported releases of Windows, Office 2007 and Office 2010, Skype for Business 2016, Microsoft Lync 2013 and 2010, and all editions of Silverlight.
“This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explains.
Patch your systems
Additionally, Microsoft also patched a second security flaw that allowed attackers to take control of systems with the help of an SMB vulnerability.
This time, it’s the MS17-012 bulletin that fixes all supported versions of Windows, with Microsoft explaining that the security flaw allows remote code execution when users run a compromised application connecting to a malicious iSNS Server.
These fixes are available via Windows Update and Windows users are recommended to install them as soon as possible, considering that both are being exploited as we speak. This month’s Patch Tuesday includes a total of 17 security bulletins, and Microsoft urges customers to deploy them all in order to block any potential exploit that might be developed to take advantage of the patched vulnerabilities.