Every version of Windows gets patched, as well as Edge, IE, Skype for Business and Office. Pay special attention to the Word zero-day, the DNS security problem, and the TPM patching madness.
It’s going to be a banner patching month. I count 151 separate security patches and 48 Knowledge Base articles, as well as the odd Security Advisory.
The Windows patch Release Notes point to four known bugs:
The Monthly Rollup for Win7 also has an acknowledged bug: an error dialog that indicates that an application exception has occurred when closing some applications.
Martin Brinkmann has his usual exhaustive list on ghacks:
SANS Internet Storm Center has released its list — as has the Zero Day Initiative.
There are some worrisome exposures that we’ll be following closely:
Sounds grisly, but Microsoft says the flaw hasn’t been exploited, and rates it as “Exploitation less likely.” If somebody can hijack your DNS server, you’re in a world of hurt anyway.
WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remediation.
ZDI goes on to explain:
The patch provided by Microsoft is only a temporary measure though, and here’s where it gets truly complicated. The TPM manufacturers need to produce a firmware update to completely resolve this, as the bug itself is present in the TPM firmware — not in Windows itself. This patch is one of several designed to offer a workaround by generating software-based keys whenever possible. Even after a vendor’s firmware update is applied, you’ll need to re-generate new keys to replace the previously generated weak ones.
This is just a stop-gap measure and still requires manual intervention. When the actual firmware updates roll out from TPM vendors, the process will need to happen all over again — except this time, new TPM firmware needs to be installed on every affected device.
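As an added example (not code from the article, from ZDI or from Microsoft), here is a PowerShell check an administrator can run to confirm the ordering above: it reads the TPM vendor and firmware version and looks for the System-log event the Windows mitigation update writes on affected machines. It assumes the Get-Tpm cmdlet is available and that the mitigation logs event ID 1794 from provider TPM-WMI, which is taken from Microsoft's advisory rather than from this page.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell session.
# Assumptions: Get-Tpm (TrustedPlatformModule module) is present, and the Windows
# mitigation update records System event ID 1794 / provider TPM-WMI when the TPM
# firmware is affected (event ID assumed from Microsoft's advisory, not from the post).

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Output "No TPM present; nothing to check."
    return
}

# Record vendor and firmware so the matching vendor firmware update can be located later.
Write-Output ("TPM vendor: {0}  firmware: {1}" -f $tpm.ManufacturerIdTxt, $tpm.ManufacturerVersion)

# Only the OS mitigation update produces this event; if the firmware is updated
# first there is nothing left to detect, which is why the order matters.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TPM-WMI'; Id = 1794 } `
                       -ErrorAction SilentlyContinue

if ($events) {
    Write-Output ("Windows reports an affected TPM firmware (event 1794 seen {0} time(s))." -f $events.Count)
    Write-Output "Next: keep the OS update, apply the vendor TPM firmware update, then regenerate the previously generated keys."
} else {
    Write-Output "No event 1794 found: either the OS mitigation update is not installed yet, or this TPM is not affected."
}
```

Because the mitigation only generates software-based keys "whenever possible", a clean result here is a reason to verify the OS update is actually installed, not a reason to skip the vendor firmware update.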
Sounds like it’s going to be a woolly month.
Note that Microsoft has, in the past, released truly critical security patches for versions of Windows that are beyond end of life, which is an interesting philosophical observation.
Today also memorializes the demise of Office 2007. No, you don’t need to run out and buy Office 2016 or rent Office 365. But you do need to be aware that Office 2007 is going to sprout security holes — and you won’t be getting any patches, unless Redmond relents and figures that fixing the elderly branches of the Office ecosystem is worth the time and effort.