
New-format Patch Tuesday reveals Office and Hyper-V flaws

Microsoft has changed the way it alerts Windows admins and has issued critical patches for Office and Hyper-V

Microsoft has introduced a new Patch Tuesday format, and with it a host of patches for the Windows Server Hyper-V hypervisor.

The company has also issued a critical patch (CVE-2017-0199) to Office and WordPad, which may already have been exploited, according to some reports.

Microsoft said a remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. “An attacker who successfully exploited this issue could take control of an affected system,” it said.

The CVE-2017-0199 security issue that affects Microsoft Office and WordPad is an Outlook issue, but the bug stems from an issue within RTF files, according to a blog post on the Zero Day Initiative site.

“These attacks can be thwarted by enabling Office’s Protective View feature,” Zero Day Initiative said. “There are updates for both Office and Windows to be applied, and both should be considered necessary for complete protection.”

In a blog post, Chris Goettl from security software company Ivanti said: “Microsoft has finally done away with the bulletin pages. You must now use the Security Update Guide, which provides a number of nice filtering options, but you lose a bit of the organisation. For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually, where the bulletin page had them organised into one place. It is likely to take a while for people to get used to it.”

Of the 46 CVE security alerts Microsoft issued, 14 were for Hyper-V, with four of them patching critical remote code execution vulnerabilities. Microsoft said a remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.


Microsoft also issued a critical update to Edge, the browser it advertises as more secure than Google Chrome. “A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory,” it said. “This issue may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

Amol Sarwate, director of Vulnerability Labs, Qualys, said the three critical vulnerabilities – CVE-2017-0162, CVE-2017-0163 and CVE-2017-0180 – could allow malicious guest applications to execute code on the Hyper-V host operating system. “The security update addresses the vulnerability by correcting how Windows Hyper-V Network Switch validates guest operating system network traffic,” said Sarwate.
