Patch Tuesday Preview: February 2014

07 February 2014

Microsoft yesterday released its advance notification of the content of next week's monthly Patch Tuesday security bulletins. Like January, there are relatively few bulletins this month (just five, two critical and three important); and like January there is no bulletin for Internet Explorer.

Bulletins 1 and 2 concern critical vulnerabilities affecting only the newer Windows 7 and 8 operating systems. "The first patches a remote code execution vulnerability that affects Windows 7 through to Windows 8.1, including 8.1 RT. The second, also a remote code execution, is actually an issue in Forefront Protection for Exchange Server (2010)," explains Ross Barrett, senior manager of security engineering at Rapid7.

On bulletin 2, Ken Pickering, director of engineering at CORE Security, points out the irony that "a product (Forefront for Exchange) that is designed to protect a service actually allows a remote code execution and weakens the security posture of the target system." His colleague Tommy Chin, a technical support engineer at CORE Security, suggests that this should make bulletin 2 the priority: "It would be tragic to let the Forefront software protecting your Exchange Server be part of the attack path an attacker uses as the open door."

Barrett agrees with this interpretation. "Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month." He adds that the next priority is "not surprisingly, the critical [bulletin 1] in Windows 7 and later."

"Bulletins #3 and #4 are local vulnerabilities for all versions of Windows, and address an elevation of privilege and an information disclosure vulnerability respectively," writes Wolfgang Kandek, CTO at Qualys. "Bulletin #5 addresses a Denial of Service condition in Windows 8."

These last three can be given a slightly lower priority. "The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege," says Barrett. They're "not to be ignored, but should be of slightly less concern than remote critical vulnerabilities."

Both Pickering and Chin, however, suggest that bulletin 3 should be the next priority after bulletins 1 and 2. "An elevation of privilege (Bulletin 3) on .NET is always interesting," warns Pickering, "since if you’re running in a Microsoft shop, you’re also likely running .NET applications. People running .NET applications on machines with reduced permissions (a great policy to have) should make this update as soon as possible." Chin points out that "it can compromise all operating systems via privilege escalation except Windows Server 2008 SP2 Server Core," and adds, "I would pay close attention to patching this one."

Ziv Mador, director of security research at Trustwave, points out that even though it's a light Patch Tuesday this month, nearly everyone will be affected somewhere. "Since the three 'Important' Windows bulletins combined affect a wide spread of Windows versions, it’s likely that this security release will affect you. Only one bulletin will require a system restart. Unfortunately this is a Windows patch mitigating a denial-of-service vulnerability affecting all versions of Windows from XP to Windows 8.1. To keep a long story short, plan on grabbing a cup of coffee sometime next Tuesday while these systems restart after the patch install."
