Microsoft awoke this week from its winter patching hibernation with a roar.
In a return to its monthly update cadence, Microsoft released 17 bulletins in March Patch Tuesday to close a total of 134 vulnerabilities, most notably ones with Hyper-V and the Server Message Block protocol.
Microsoft abruptly canceled February Patch Tuesday to address "a last-minute issue that could impact some customers," according to a terse statement on its Security Response Center blog. A day later, the company disclosed that the February patches would be pushed back to March Patch Tuesday.
Amol Sarwate, director of vulnerability labs for Qualys Inc. based in Redwood City, Calif., said he wasn't aware of any servers that were affected by the publicly disclosed vulnerabilities in the last month. Most users were concerned by the disruption to the usual patch schedule, he said.
There were 18 bulletins in total, but Microsoft repackaged and added a patch for Adobe Flash Player in bulletin MS17-023 as a courtesy for its users.
Patch closes Hyper-V exploit
Several bulletins address critical or important vulnerabilities that concern Windows Server admins. Bulletin MS17-008 addresses a publicly disclosed critical Hyper-V vulnerability that could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host OS to execute arbitrary code. The patch corrects how Hyper-V validates guest OS user input; systems that do not have the Hyper-V role enabled are not affected. This was a publicly disclosed vulnerability, although Sarwate was not sure if it has been exploited.
"I think it is pretty important," Sarwate said. "It allows machines that are running in the hypervisor guest operating system to break out and get control of the whole system. So it is a server vulnerability."
Server Message Block fix arrives
The SMB vulnerability, which carries a severity of 7.8 according to the CERT Coordination Center, could allow an attacker to crash systems. Microsoft rates this bulletin as critical for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607 and Windows Server 2016.
In the most severe vulnerability, a user on a Windows client operating system could trigger a remote code execution exploit that would allow an attacker to send malicious requests to the server, Amol said.
Microsoft also provided an update for Exchange Server that is rated important. Bulletin MS17-015 closes a vulnerability in Microsoft Exchange Outlook Web Access to prevent remote code execution if an attacker sends a specially crafted attachment in an email.
New update guide
As expected, Microsoft debuted the Security Update Guide, a portal designed to help admins find specific updates more easily. However, Microsoft also published the March updates on the traditional TechNet security bulletins site.
It's unclear if Microsoft will continue to publish in both formats moving forward.
"They kept the bulletin numbers, which I think is a very good decision," Sarwate said. "I really like [the old format] because it gives very good clarity on what is in the bulletin and it's less work for the user."
For more information about the remaining security bulletins for March Patch Tuesday, visit Microsoft's Security TechCenter site.
Dan Cagen is the associate site editor for SearchWindowsServer.com.