Hello, welcome to the Wednesday, May 10th, 2017 edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich,

and today I'm recording from Jacksonville, Florida. Microsoft Patch Tuesday today, of course, a little bit

difficult to compare to past Patch Tuesdays given the new format, but I would guess that today's Patch Tuesdays probably

would have been one of the smaller ones based on the number of bulletins, maybe five or six

bulletins, I think. We do have updates for In The Explorer and Microsoft Edge.

Aside from fixing a number of vulnerabilities, this

also turns off Shah 1 support in these two browsers. This change will however

not affect Enterprise certificates so if you have your own certificate authority

then you can still use Shah 1 certificates. That's a nice option if you have your own certificate authority, then you can still use SHA-1 certificates.

That's a nice option if you, for example, have things like cameras.

For example, I ran into that that only support Sha-1, so you can still use your own certificate

authority for these devices.

And then there are patches for a number of

dot net core or a sp.net core packages. The vulnerabilities being addressed here can lead to

privilege escalation. The tricky part is that these are essentially libraries that you're

including in your dot net project.

So in order to really apply these patches, you not only have to update the libraries,

you also have to include the updated libraries in your project.

There is a configuration file that essentially specifies which versions of these libraries you include

and you have to update these configuration files.

The vulnerability is really exposed by applications written using these libraries.

And then there's an interesting Windows Update vulnerability in Windows 10 and Server 2016 that's being patched here.

...