Patch Tuesday Preview: February 2014

07 February 2014

Microsoft yesterday released its advance notification of the content of next week's monthly Patch Tuesday security bulletins. Like January, there are relatively few bulletins this month (just five, two critical and three important); and like January there is no bulletin for Internet Explorer.

Bulletins 1 and 2 concern critical vulnerabilities affecting only the newer Windows 7 and 8 operating systems. "The first patches a remote code execution vulnerability that affects Windows 7 through to Windows 8.1, including 8.1 RT.  The second, also a remote code execution, is actually an issue in Forefront Protection for Exchange Server (2010)," explains Ross Barrett, senior manager of security engineering at Rapid7.

On bulletin 2, Ken Pickering, director of engineering at CORE Security, points out the irony that "a product (Forefront for Exchange) that is designed to protect a service actually allows a remote code execution and weakens the security posture of the target system." His colleague Tommy Chin, a technical support engineer at CORE Security, suggests that this should make bulletin 2 the priority: "It would be tragic to let the Forefront software protecting your Exchange Server be part of the attack path an attacker uses as the open door."

Barrett agrees with this interpretation. "Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month." He adds that the next priority is "not surprisingly, the critical [bulletin 1] in Windows 7 and later."

"Bulletins #3 and #4 are local vulnerabilities for all versions of Windows, and address an elevation of privilege and an information disclosure vulnerability respectively," writes Wolfgang Kandek, CTO at Qualys. "Bulletin #5 addresses a Denial of Service condition in Windows 8."

These last three can be given a slightly lower priority. "The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege," says Barrett. They're "not to be ignored, but should be of slightly less concern than remote critical vulnerabilities."

Both Pickering and Chin, however, suggest that bulletin 3 should be the next priority after bulletins 1 and 2. "An elevation of Privilege (Bulletin 3) on .NET is always interesting," warns Pickering, "since if you’re running in a Microsoft shop, you’re also likely running .NET applications. People running .NET applications on machines with reduced permissions (a great policy to have) should make this update as soon as possible." Chin points out that "it can compromise all operating systems via privilege escalation except Windows Server 2008 SP2 Server Core," and adds, "I would pay close attention to patching this one."

Ziv Mador, director of security research at Trustwave, points out that even though it's a light Patch Tuesday this month, nearly everyone will be affected somewhere. "Since the three 'Important' Windows bulletins combined affect a wide spread of Windows versions, it’s likely that this security release will affect you. Only one bulletin will require a system restart. Unfortunately this is a Windows patch mitigating a denial-of-service vulnerability affecting all versions of Windows from XP to Windows 8.1. To keep a long story short, plan on grabbing a cup of coffee sometime next Tuesday while these systems restart after the patch install."
