determined - Fotolia

Windows zero days squashed in May 2017 Patch Tuesday

Microsoft's May 2017 Patch Tuesday fixed multiple Windows zero-day vulnerabilities, two of which have reportedly been exploited by groups linked to Russia.

Microsoft and security researchers disagreed, slightly, over how many Windows zero-day vulnerabilities have been fixed in the May 2017 Patch Tuesday.

According to the Common Vulnerabilities and Exposures (CVE) listings for May Patch Tuesday, Microsoft listed the following Windows zero-day vulnerabilities: one Microsoft Office remote code execution (RCE) flaw (CVE-2017-0261), one Internet Explorer (IE) memory corruption vulnerability (CVE-2017-0222) and one Win32k privilege-escalation bug (CVE-2017-0263). However, researchers at FireEye Inc. and ESET have reported that a second Office RCE issue (CVE-2017-0262) is being exploited in the wild by threat groups associated with Russia.

Security experts agreed that CVE-2017-0261 should take priority for enterprises. The Windows zero day can allow an attacker to fully take over a system if the victim opens a malformed Microsoft Office graphics file.

FireEye researchers said this flaw has been exploited in the wild by the Turla threat group, while CVE-2017-0262 has been used by APT28. FireEye reported that these Windows zero days were used "against European diplomatic and military entities." Both of these threat groups are allegedly connected to Russian cyberespionage, and APT28 -- aka Sednit, Fancy Bear, Sofacy and Strontium -- is the group reportedly behind the Pawn Storm campaign and Democratic National Committee hack.

Also topping the May Patch Tuesday priority list, according to experts, is CVE-2017-0222, a Windows zero-day flaw affecting IE. Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif., said "users can be compromised if they visit a malicious website hosted by attackers," and an exploit can lead to an attacker getting full control of a system.

The third Windows zero-day patch tackled CVE-2017-0263, with which Microsoft said an attacker could exploit a flaw in how the Windows kernel-mode driver handles objects in memory. Microsoft said if an attacker logged in to a system, a specially crafted application could exploit this Windows zero day to allow privilege escalation to full user rights.

Beyond the Windows zero days, Microsoft patched a number of RCE vulnerabilities affecting the Windows Server Message Block (SMB) version 1 protocol in the May 2017 Patch Tuesday release. Four SMBv1 patches -- CVE-2017-0272, CVE-2017-0277, CVE-2017-0278 and CVE-2017-0279 -- were rated critical by Microsoft and could allow an attacker to remotely execute code on a target server.

Windows SMBv1 has been in the news regularly since January, when US-CERT reminded users that the protocol was safest when disabled completely. In the March 2017 Patch Tuesday release, Microsoft fixed SMBv1 flaws just before the Shadow Brokers released National Security Agency cyberweapons targeting those exact vulnerabilities.

SHA-1 deprecation

In addition to the Windows zero days and critical vulnerabilities remediated by the Patch Tuesday release, Microsoft also posted a security advisory about the SHA-1 deprecation.

Microsoft said that as of March 9, 2017, both Internet Explorer 11 and Microsoft Edge browsers would "block sites that are protected with a SHA-1 certificate from loading and ... display an invalid certificate warning."

"This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1," Microsoft wrote. "Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates."

Kevin Bocek, chief security strategist for Venafi, based in Salt Lake City, applauded Microsoft's move, which follows both Google Chrome and Mozilla Firefox's SHA-1 deprecation in February. He said, "It will definitely improve the security of the internet."

"It's well within reach of nation states and sophisticated adversaries to compromise SHA-1 certificates. In fact, more than a decade ago, NIST called for the elimination of SHA-1 because of known vulnerabilities," Bocek told SearchSecurity. "Unfortunately, businesses are still struggling to remediate SHA-1, even before Microsoft's announcement. Many lack the visibility to know where SHA-1 certificates are on their networks, and they don't have the automation to replace them quickly."

Next Steps

Catch up on the switch to the Security Update Guide in the April 2017 Patch Tuesday.

Learn more about the out-of-band patch Microsoft released just before Patch Tuesday.

Find out how Mozilla's SHA-1 deprecation will affect enterprises.

Microsoft closes Server Message Block in March 2017 update.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing