Today, Microsoft released four security bulletins as part of its monthly security update train known as "Patch Tuesday."
This month, two of the four Microsoft security bulletins are rated Critical, the highest severity rating a bulletin can receive. Because of this, users should install this month's updates as soon as they can.
The Patch Tuesday update fixes 15 unique vulnerabilities, of which 12 are inherited from Adobe Flash and only three affect Microsoft's own products. In fact, this month's release is one of the smallest sets of security bulletins Microsoft has published to date.
This is also the last time Microsoft publishes security bulletins in this format, as separate web pages. In November, Microsoft announced it would retire the current security bulletin format in favor of a new searchable database.
Note: There are no security fixes or quality improvements for Windows 8.1 or Windows Server 2012 R2 for release on Update Tuesday for January 2017. As such, there is no Security Only Quality Update or Security Monthly Quality Rollup release for these platforms this month.
Besides the security updates, Microsoft also released new Windows 10 cumulative updates KB3213986, KB3210720, and KB3210721, for which there are no changelogs available at the time of writing.
This security update resolves a vulnerability (CVE-2017-0002) in Microsoft Edge. This vulnerability could allow elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge.
This security update is rated Important for Microsoft Edge on Windows 10 and Windows Server 2016.
The update addresses the vulnerability by assigning a unique origin to top-level windows that navigate to Data URLs. For more information about this update, see Microsoft Knowledge Base Article 3214288.
This security update resolves a vulnerability (CVE-2017-0003) in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
The security update addresses the vulnerability by correcting how affected versions of Office and Office components handle objects in memory. Microsoft Word 2016 and Microsoft SharePoint Enterprise Server 2016 are affected. For more information about this update, see Microsoft Knowledge Base Article 3214291.
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB17-02:
For more information about this update, see Microsoft Knowledge Base Article 3214628.
A denial of service vulnerability (CVE-2017-0004) exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system.
This security update is rated Important for Microsoft Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (and Server Core).
The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests. For more information about this update, see Microsoft Knowledge Base Article 3216771.
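As an added example (not part of the article or of Microsoft's own tooling), the following PowerShell check reports which of the Knowledge Base updates named above are present on the local machine. It assumes Get-HotFix output reflects the installed Windows updates; which KB applies depends on the Windows version and on whether Office, Edge or Flash are installed, so a "not found" result is not automatically a gap.

```powershell
# Added example: check the local machine for the January 2017 updates named in
# this article. The KB-to-product mapping below is taken from the article text.
$Kbs = @{
    'KB3213986' = 'Windows 10 cumulative update'
    'KB3210720' = 'Windows 10 cumulative update'
    'KB3210721' = 'Windows 10 cumulative update'
    'KB3214288' = 'Microsoft Edge (CVE-2017-0002)'
    'KB3214291' = 'Microsoft Office (CVE-2017-0003)'
    'KB3214628' = 'Adobe Flash Player in IE/Edge (APSB17-02)'
    'KB3216771' = 'LSASS denial of service (CVE-2017-0004)'
}

# Get-HotFix reads Win32_QuickFixEngineering, which records updates applied
# through Windows servicing. Office updates are installed through a different
# channel, so KB3214291 is expected to show as "not found" here even when
# applied; verify it from the Office update history instead.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in ($Kbs.Keys | Sort-Object)) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'not found' }
    [PSCustomObject]@{ KB = $kb; Fix = $Kbs[$kb]; State = $state }
}
```

Run it in an elevated PowerShell session on each system you manage; only one of the three Windows 10 cumulative updates is expected on a given machine, matching its installed Windows 10 release.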