Skip to main content

windows patch management

Patch Tuesday; January 2015

By Patch Management, Patch TuesdayNo Comments
[vc_single_image image=”2320″ img_size=”full” alignment=”center”]

As we enter another year and another Patch Tuesday, we see that Microsoft has now made the patch notifications that little bit harder for the average customer, by stopping the Advance Notification Service (ANS). Along with the regular Patch Tuesday updates, Microsoft publishes an advanced notification on the first Friday of each month, to give security teams a good idea of what to expect on Patch Tuesday.

They haven’t scrapped it altogether though, they are still offering ANS to paying users. The reasons, according to Microsoft, are that customers no longer use ANS with many simply waiting until Patch Tuesday. However, it could be argued that for smaller businesses that can’t afford a service like this, it could have an impact on how they deploy patches.

Fear not however, all of Verismic’s customers will still have all patches fully tested and rolled out as per agreed schedules via Verismic Syxsense.

A light patch update

We’ve all enjoyed our Christmas break and so, it would seem, have security researchers. This month’s Patch Tuesday is fairly light with only eight patch updates, with only one rated Critical. I’m in a good position to say that there appears to be nothing special or particularly significant about January’s updates – it’s especially rare to be in a position to say that as there are usually at least one or two updates that deserve special attention due to the seriousness or uniqueness of the vulnerability.

As ever, we have broken down the patch updates for you to give you a better understanding of what systems could be affected and have included the independently assessed Common Vulnerability Scoring System (CVSS) score from US-CERT.

Critical updates


The only Critical patch update this month, MS15-002 has a CVSS score of 9.3 [out of a possible 10], this is a relatively serious patch and definitely one that needs to be the top priority to patch. It’s a buffer overflow vulnerability that could allow remote code execution, which is caused by the Microsoft Telnet service improperly validating memory location. Attackers can exploit this vulnerability by sending specially crafted telnet packets to a Windows server that could then enable the attacker to run arbitrary code on a target server.

Important updates

Amazingly, the other seven updates are all rated Critical by Microsoft’s standard, but if we take a look at the table below, US-CERT thinks that only three are actually quite serious (MS15-001, MS15-003, MS15-004), whereas the other four updates are rated as 5.0 and below. Whilst these are vulnerabilities that need to be patched, US-CERT has identified that the chances of the vulnerability being exploited are probably quite low and having assessed the potential impact (again likely to be low), have given the vulnerabilities a low risk score.

It’s such a light Patch Tuesday this month that working out which patches to prioritise is fairly straightforward. Get the Critical update done first, and then work through the list. If, like Verismic, you want to take into account the CVSS scores, then the table below is listed in order of most serious to least – use this to prioritise your patch roll outs as we will for our customers.

Update no.
CVSS score
Microsoft rating
Affected Software
MS15-002 9.3 Critical Microsoft Windows Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)
MS15-004 7.6 Important Microsoft Windows Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)
MS15-001 7.2 Important Microsoft Windows Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)
MS15-003 7.2 Important Microsoft Windows Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)
MS15-007 5.0 Important Microsoft Windows Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)
MS15-005 2.9 Important Microsoft Windows Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)
MS15-008 2.1 Important Microsoft Windows Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)
MS15-006 1.7 Important Microsoft Windows Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)
patch management

Prioritising patches properly – don’t always listen to Microsoft

By Patch Management, Patch TuesdayNo Comments
[vc_single_image image=”1935″ img_size=”medium”]

It seems that it was only yesterday that patch/update Tuesday came and went, yet the next one is looming already.

As an IT guy I actually look forward to seeing the types of vulnerabilities that have been discovered in Microsoft’s products. Some are obviously more interesting than others, such as the vulnerability in Schannel, but what they all have in common is that they actually do pose a threat to your business.

We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.

Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.

Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!

Keep in mind that Microsoft self-certifies vulnerabilities, and have a fairly easy to follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.

If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later, five of which were rated as critical. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?

When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.

If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.

At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.

To create this baseline we use three different measurements; vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we can get a much better understanding of the risk a vulnerability really poses.

My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.

Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.

Robert Brown is Director of Services at Verismic

Originally published on IT Security Guru