As we enter another year and another Patch Tuesday, we see that Microsoft has now made the patch notifications that little bit harder for the average customer, by stopping the Advance Notification Service (ANS). Along with the regular Patch Tuesday updates, Microsoft publishes an advanced notification on the first Friday of each month, to give security teams a good idea of what to expect on Patch Tuesday.
They haven’t scrapped it altogether though, they are still offering ANS to paying users. The reasons, according to Microsoft, are that customers no longer use ANS with many simply waiting until Patch Tuesday. However, it could be argued that for smaller businesses that can’t afford a service like this, it could have an impact on how they deploy patches.
Fear not however, all of Verismic’s customers will still have all patches fully tested and rolled out as per agreed schedules via Verismic Cloud Management Suite.
A light patch update
We’ve all enjoyed our Christmas break and so, it would seem, have security researchers. This month’s Patch Tuesday is fairly light with only eight patch updates, with only one rated Critical. I’m in a good position to say that there appears to be nothing special or particularly significant about January’s updates – it’s especially rare to be in a position to say that as there are usually at least one or two updates that deserve special attention due to the seriousness or uniqueness of the vulnerability.
As ever, we have broken down the patch updates for you to give you a better understanding of what systems could be affected and have included the independently assessed Common Vulnerability Scoring System (CVSS) score from US-CERT.
The only Critical patch update this month, MS15-002 has a CVSS score of 9.3 [out of a possible 10], this is a relatively serious patch and definitely one that needs to be the top priority to patch. It’s a buffer overflow vulnerability that could allow remote code execution, which is caused by the Microsoft Telnet service improperly validating memory location. Attackers can exploit this vulnerability by sending specially crafted telnet packets to a Windows server that could then enable the attacker to run arbitrary code on a target server.
Amazingly, the other seven updates are all rated Critical by Microsoft’s standard, but if we take a look at the table below, US-CERT thinks that only three are actually quite serious (MS15-001, MS15-003, MS15-004), whereas the other four updates are rated as 5.0 and below. Whilst these are vulnerabilities that need to be patched, US-CERT has identified that the chances of the vulnerability being exploited are probably quite low and having assessed the potential impact (again likely to be low), have given the vulnerabilities a low risk score.
It’s such a light Patch Tuesday this month that working out which patches to prioritise is fairly straightforward. Get the Critical update done first, and then work through the list. If, like Verismic, you want to take into account the CVSS scores, then the table below is listed in order of most serious to least – use this to prioritise your patch roll outs as we will for our customers.
|MS15-002||9.3||Critical||Microsoft Windows||Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)|
|MS15-004||7.6||Important||Microsoft Windows||Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)|
|MS15-001||7.2||Important||Microsoft Windows||Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)|
|MS15-003||7.2||Important||Microsoft Windows||Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)|
|MS15-007||5.0||Important||Microsoft Windows||Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)|
|MS15-005||2.9||Important||Microsoft Windows||Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)|
|MS15-008||2.1||Important||Microsoft Windows||Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)|
|MS15-006||1.7||Important||Microsoft Windows||Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)|