Patch Tuesday: February 2015

This month’s Patch Tuesday is a bit of an interesting one…

MS15-011 affects all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 RT, and Windows RT 8.1. Essentially, any domain-joined Windows Clients and Servers may be at risk.

The flaw, dubbed JASBUG, was discovered by JAS Global Advisors back in January 2014. The company however, adhered to good disclosure practices and the vulnerability wasn’t made public until Microsoft had prepared a fix. The fact that it has taken Microsoft over a year to develop a fix should indicate just how wide ranging and complex the vulnerability is.

According to JAS Global Advisors: “The fix required Microsoft to re-engineer core components of the operating system and to add several new features.”

Outlined below are the critical updates you need to be focusing on. As usual, we have cross-checked Microsoft’s own rating with US-CERT’s independent assessment of the patches so you are in the best position to choose the most important updates for your business.

MS15-011

This security update, which I mentioned above, is a remote code execution vulnerability existing in how group policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploits this vulnerability could take complete control of an affected system, letting them install programs; change, view, or delete data; or even create new accounts with full user rights.

MS15-010

The most severe of the six privately reported vulnerabilities could, again, allow remote code execution if an attacker is able to convince a user to open a specially crafted document, or to visit an untrusted website that contains embedded TrueType fonts.

MS15-009

This security update resolves one publicly disclosed and 40 privately reported vulnerabilities in Internet Explorer, with the most severe of these allowing remote code execution. If a user views a specially crafted web page it could allow an attacker to gain the same user rights as the current user.

Microsoft rates the remaining six patches in February’s update as Important. A full breakdown of these ratings compared to the US-CERT ratings can be found in the table below. I’d always advise to use US-CERT’s rating in conjunction with Microsoft’s, which will give you a much clearer picture of which patches you should be prioritising.

Update no.
CVSS score
Microsoft rating
Affected Software
Details
MS15-012 9.3 Important Microsoft
Office
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
MS15-011 8.3 Critical Microsoft Windows Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
MS15-010 7.2 Critical Microsoft Windows Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
MS15-009 6.8 Critical Microsoft Windows, Internet
Explorer
Security update for Internet Explorer (3034682)
MS15-017 6.8 Important Microsoft Server Software Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
MS15-015 6.0 Important Microsoft Windows Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
MS15-013 4.3 Important Microsoft
Office
Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
MS15-016 4.3 Important Microsoft Windows Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
MS15-014 3.3 Important Microsoft Windows Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)