January’s Patch Tuesday carries warnings for Meltdown & Spectre
Microsoft has added to the workload for system administrators after its January Patch Tuesday update fixed 56 flaws, including four public disclosures and one zero-day vulnerability.
Microsoft has already released special security advisories for fixes for the Meltdown and Spectre flaws, but has warned admins to beware of the potential performance impact these fixes could bring.
Meanwhile Adobe has released a single Priority 2 update for Flash Player (APSB18-01), which addresses an out-of-bounds read flaw that could lead to information exposure.
Notwithstanding the Meltdown and Spectre flaws, the first Patch Tuesday update in 2018 contained more than enough to keep system admins busy, with 56 flaws, 16 of which are ranked ‘critical’ and 28 of which could potentially lead to remote code execution.
Security firm Ivanti advised system admins to take the Meltdown and Spectre fixes seriously, as threat actors can be expected to exploit the flaws in the wild.
But admins should “spend some time testing these as there are BSOD scenarios to avoid and potential for performance impacts,” the firm warned.
“Microsoft has released a total of 14 updates including the OS, IE, and SQL updates from last week and updates for .Net Framework, Office, and Flash Player for IE today,” explained Chris Goettl, director of product management at Ivanti. “These updates resolve a total of around 55 unique CVEs including 4 public disclosures and 1 zero day.”
“Three of the public disclosures are relating to the Meltdown and Spectre vulnerabilities. These were outlined in the Microsoft Advisory ADV180002. Microsoft has resolved the Meltdown vulnerability through code changes to the kernel. The other two vulnerabilities relating to Spectre are mitigated by firmware updates. You must install the OS updates and the firmware updates to fully mitigate these attack methods.
“The Zero Day pertains to a vulnerability in Office (CVE-2018-0802) that could allow the attacker to gain control of the target system. This can be mitigated by users running with less privileges.”
“Aside from Microsoft there are a number of 3rd party updates to be concerned about this month,” he added, pointing to the fix for the single vulnerability with Adobe Flash Player, as well as updates to Mozilla Firefox, VMware, and Oracle’s product suite.
Meanwhile, Jimmy Graham, director of product management at Qualys, also warned system admins to test all the OS-level and BIOS (microcode) patches for Meltdown and Spectre, as they “may lead to performance issues.”
“Some of these updates are incompatible with third-party antivirus software, and may require updating AV on workstations and servers,” said Graham. “Microsoft has released guidance documents for both Windows clients and servers. Windows Server requires registry changes in order to implement the protections added by the patches.
“Aside from these patches, today Microsoft has released patches covering 56 other vulnerabilities. Of these vulnerabilities, 16 are ranked as “Critical,” with 28 potentially leading to remote code execution.”
The patches cover a range of Microsoft products including both Word and Outlook, which should also be prioritised, although most of the patches are (as usual) for Microsoft’s browsers (Internet Explorer and Edge) and the Scripting Engine.
Graham says the priorities for system admins this month are CVE-2017-5753 (Bounds check bypass – Spectre); CVE-2017-5715 (Branch target injection – Spectre); CVE-2017-5754 (Rogue data cache load – Meltdown); CVE-2018-0793 (Outlook); CVE-2018-0794 (Word); and finally multiple CVEs (browser patches – scripting engine).