Security Trends for May 2017

Malicious attacks from third-parties could occur at any time. Hence, it is crucial to keep your computer updated with the latest security patches to keep your identity or organization and your data safe. The latest Microsoft Security Bulletins were released on May 9th, 2017 to provide an added layer of protection against attacks. Computers running on Windows 10 should have automatically received those updates by default. The same applies to computers running on previous versions of Windows and have automatic updates turned on.

Most of Microsoft’s updates are critical, as they prevent remote attackers from accessing and exploiting vulnerabilities to gain control of a system. There are non-security updates, too, not just for the operating system, but also for Microsoft Edge, Office suite apps, .NET Framework, and Internet Explorer. Microsoft patched three zero-days found in live attacks and removed support in IE and Edge for SSL/TLS certificates signed with SHA1. Fixes were provided to .NET Framework, as well as for Adobe Flash Player.

Microsoft changed the usual format it has been using for its Security Bulletin in April 2017 in favor of the new Security Update Guide, which uses an interactive table. Reports found that most users did not like the new format, as information on critical updates have become scattered and difficult to learn. However, most administrators should eventually get used to the latest tool, as Microsoft will continue to release updates this way. One of the critical fixes for May 2017 addresses a security feature bypass in Internet Explorer where Mixed Content warnings are ignored and could result in the loading of non-secure content from secure locations.

Microsoft delivered security fixes for remote code vulnerabilities in JavaScript engines in Microsoft browsers. Vulnerabilities were found that could corrupt memory and enable attackers to execute a code to gain the user’s rights and gain control of the system. Fixes for adobe are aimed at preventing remote code execution, which will enable attackers to hijack computers.