Patch Tuesday: January Patches Bring February Headaches

New year, new steer for Microsoft patching professionals

Microsoft has released four bulletins in total of which two are rated Critical and 2 rated Important. Last week, they released 22 KB non-security updates for Office 2013 / 16 and an update for Word Viewer.

Overall, this is a fairly uneventful release for the first month of 2017 with Microsoft seemingly winding down in preparation for the newly launched Security Updates Guide database that will become the monthly patch Tuesday resource as of next month.This move on the face of things looks like a good idea, but how will this be perceived by businesses that are used to choosing their updates? This new practice changes the way information is referenced and will most certainly cause a headache for IT administrators who will have to rethink their whole patch management procedure.

James Rowney, Service Manager for Verismic said, “When I first read about this last year, I couldn’t believe that Microsoft were taking such a valiant step towards forcing updates. This really feels like Microsoft is taking an intermediary step towards mimicking the Apple approach of just applying a updates / patches without notification. While this approach does seem to work for Apple I am not so sure that Microsoft has an OS stable enough to follow this practice just yet.”

Chrome coming into its own

Google announced at the end of 2016 that they would be marking web pages as unsecure if the page is not served using HTTPS and holds personal data like login details or financial input tables. These changes will only apply from Chrome revision 56 onwards so we can expect to see this take gradual effect as browsers update as opposed to a flick of a switch scenario.These changes go hand in hand with Google’s plan to encourage its users to adopt secure login methods. There are obvious pitfalls here as HTTPS doesn’t keep certificates or TLS liberties up to date and webmasters could also see negative movement on their Google rankings. However, this is generally a positive step forward.

Google recently announced that they hit a milestone where more than 50% of their desktop pages now load over HTTPS. Further information and the official notification can be referenced here.START FREE TRIAL

Microsoft Updates

To help your IT Security Officers, we have chosen one update from this Patch Tuesday to prioritize this month. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and most importantly the independent CVSS score for the vulnerability.

MS17-003 – Late comer to this month’s releases is this security update to Adobe Flash Player, research indicates that this could have been a Zero Day release later in the week and affects all supported versions of Windows. The urgency to get this out shows the importance of this update, we recommend that this patch is rolled out with high priority at your earliest convenience.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low.

Bulletin ID

Description

Impact

Restart Requirement

Severity

CVSS Score

MS17-001

Security Update for Microsoft Edge (3199709)

This security update resolves a vulnerability in Microsoft Edge. This vulnerability could allow an elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited this vulnerability could gain elevated permissions on the namespace directory of a vulnerable system and gain elevated privileges

Elevation of Privilege

Requires restart

Important

6.1

MS17-002

Security Update for Microsoft Office (3214291)

This security update resolves a vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Remote Code Execution

May require restart

Critical

7.8

MS17-003

Security Update for Adobe Flash Player (3214628)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016

Remote Code Execution

May require restart

Critical

9.3

MS17-004

Security Update for Local Security Authority Subsystem Service (3216771)

A denial of service vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.

Remote Code Execution

Denial of Service

Important

7.5