Eager administrators didn't need to wait until the regular Patch Tuesday release cycle to get their monthly fix.
Microsoft released a rare out-of-band patch on Monday to address a dangerous remote code execution flaw on Windows Server 2016, before its regularly scheduled May Patch Tuesday that sealed several other Windows Server vulnerabilities.
A Microsoft patch closes the CVE-2017-0290 exploit in the Microsoft Malware Protection Engine that enables attackers to perform remote code execution or trigger a denial-of-service attack through type confusion and application crashes. A vulnerability in the Malware Protection Engine can be particularly damaging, because it has high privilege and access throughout the system.
The flaw affects Windows Server 2016, the only version of Windows Server that supports Windows Defender. An Exchange Server or IIS web server that runs on Windows Server 2016 would be vulnerable until patched.
"An attacker can just send an email, and they can take control of the machine," said Amol Sarwate, director of vulnerability labs for Qualys Inc., based in Redwood City, Calif.
Google's Project Zero researchers discovered the vulnerability on May 5, and Microsoft reacted quickly to address the issue. The company typically waits until Patch Tuesday to release security updates, but this flaw's severity forced Microsoft to release the update earlier.
Sarwate was "pleasantly surprised" by the move, but he said he does not expect Microsoft to make out-of-band patches a habit.
"Microsoft had installed [the Malware Protection Engine] to protect you, and it was compromised here," Sarwate said. "The attack vector was pretty bad in the sense that if just an email had been sent to someone and it went through the Malware Protection, you could own the machine. So, I'm not sure this is going to be a general trend."
Microsoft patches 57 vulnerabilities
Microsoft provided patches for 57 vulnerabilities on May Patch Tuesday, including the out-of-band patch.
Windows Server administrators should focus on three critical remote code execution vulnerabilities -- CVE-2017-0277, CVE-2017-0278 and CVE-2017-0279 -- in Microsoft Server Message Block (SMB) 1.0.
An unauthenticated attacker could send a specially crafted packet to the SMB server to gain access, and then execute code on the machine.
"An attacker could basically take complete control of the machine, so I think the SMBv1 vulnerability is pretty critical [to patch]," Sarwate said.
New format causing headaches
May Patch Tuesday was the second month since Microsoft discontinued its security bulletin format, which grouped related fixes. The new Security Update Guide features a searchable database that lists vulnerability ID numbers and Knowledge Base article ID numbers.
Microsoft said the switch allows it to follow the ICASI Common Vulnerability Reporting Framework, the industry standard for vulnerability reporting. However, businesses that built their Patch Tuesday workflow around the bulletin system still have trouble adjusting to the new format.
"When you're a key player like Microsoft, many people are waiting for your monthly release of bulletins and have implemented scripts to process them automatically," said Xavier Mertens, a security consultant. Processing the new vulnerabilities automatically can allow an IT admin to populate other tools, such as SIEM, or generate internal reporting.
"When you decide to change something in place for years, people might become angry," he said. "I don't say that the new system is better or worse, it just changed and forced people to adapt."
The new guide is also more work for administrators who want to scan the updates and determine which ones are important for them. Enterprises can install a computer program that will analyze the spreadsheet Microsoft provides, but that might be an expense smaller businesses cannot afford. In March, when Microsoft still used both formats, there were only 17 bulletins. But with the Security Update Guide, there were more than 1,000 vulnerabilities to sort through, Sarwate said.
"At least with the old format, I could get a quick glance on what the patch was and its severity," said Christopher McMillan, CIO at CEEK Technology in Charlotte, N.C. "I will find this time-consuming to find the details I am looking for."
For more information about the remaining security vulnerabilities released on May Patch Tuesday, visit Microsoft's Security Update Guide.
Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at [email protected].
How to adapt to Microsoft's patching changes
New patching process may mean less control
Security Update Guide brings growing pains