Microsoft Issues Lightest January Patch Tuesday in Years

Experts are warning of potential heavy weather ahead after an unusually light Patch Tuesday security update round yesterday – the last one where Microsoft will use a security bulletin system.

January saw just four bulletins, two of which are critical and publicly disclosed, fixing 15 vulnerabilities, 12 of which are in Adobe Flash.

MS17-002 is a critical update for Office fixing an RCE flaw, while MS17-004 is an important update which will mitigate the risk of a DDoS attack against a system’s Local Security Authority Subsystem Service (LSASS).

MS17-001 fixes an important elevation of privilege bug in Microsoft’s Edge browser.

MS17-003 is a critical update for Adobe Flash once again fixing RCE issues. Shavlik product manager, Chris Goettl, warned admins to ensure they update all instances of Flash on their systems, including plug-ins for IE, Chrome and Firefox.

“Some of these will auto update; others may take some prodding before they will update,” he explained. “This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.”

Goettl also warned that the light patch load could be the “calm before the storm” next month.

Those sentiments were echoed by Trustwave threat intelligence manager, Karl Sigler.

“Historically January has always been a light month for bulletins and this January is the lightest in years,” he said in a blog post.

“So take a breath, kick your feet up, but don't relax for too long. While January has always been a light month, February is sure to come back with a vengeance.”

January will also be the last month Microsoft offers up security bulletins to admins as a so-called “pivot point.”

Instead, it will publish all information to a single destination – the Security Update Guide – where users can browse and search through relevant information.

“The new model for documenting security updates is the Security Updates Guide,” explained Microsoft in an FAQ. “Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.”
