Light Microsoft Patch Tuesday Update For January

Small beer for system admins this month with only four bulletins to worry about, two of which are critical

It is an easy start to 2017 for system administrators with the news that Microsoft has continued its tradition of delivering relatively light Patch Tuesday updates in January.

Indeed, January’s update is one of the smallest ever with just four bulletins, but two of the bulletins are critical as they are dominated by remote code execution (RCE) vulnerabilities.

Compare this to December’s Patch Tuesday update that saw Microsoft deliver a total of 12 security bulletins, six of which were rated as ‘critical’ and six as ‘important.’

Patch Tuesday

microsoft-patch-lThis month’s security update for Windows users contains no fixes or improvements for either Windows 8.1 or Windows Server 2012 R2.

Instead the four bulletins cover vulnerabilities to do with the Edge web browser, Microsoft Office, and the Adobe Flash Player.

“Microsoft starts off the year with four bulletins, and unfortunately continues a long running trend with their products where the majority of bulletins (2) are dominated by remote code execution (RCE) vulnerabilities, which predominantly affect consumer applications,” commented Adam Nowak Lead Engineer at Rapid7.

“These types of vulnerabilities are difficult to distinguish as they typically lure users to visit/open an email, webpage or multimedia, making use of specially crafted content,” said Nowak. “Upon viewing this content (emails, webpages, etc.), a bad actor can execute malicious code and take complete control of an affected system with the same privileges of the user. This action is known as remote code execution.”

According to Trustwave, MS17-002 is a critical update for Microsoft Office, as the vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file.

Trustwave points out that the other critical update (MS17-003) fixes flaws in Adobe Flash by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

“Adobe has started 2017 with the release of two security bulletins – one for Flash and the other for Acrobat and Reader,” said Amol Sarwate, director of vulnerability research at Qualys.

“Since Flash vulnerabilities have a high potential of being weaponised in exploit kits, organisations should apply both the updates as soon as possible,” said Sarwate. “For Microsoft, it’s an unusually small patch update and will definitely make system administrators happy.”

The two other bulletins are rated as important. MS17-001 for example fixes a vulnerability in Microsoft Edge that could allow an elevation of privilege if a user views a specially crafted webpage using Microsoft Edge.

The last bulletin, MS17-004, also rated as important, concerns a denial of service vulnerability with the Local Security Authority Subsystem Service, which if successful, could trigger an automatic reboot of the system.

Update Change

Meanwhile Qualys’ Sarwate points out that Microsoft is changing its update system from next month.

“It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favour of a new ‘single destination for security vulnerability information’ called the Security Updates Guide,” said Sarwate.

“The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.” 

Another point to remember is that whilst this month maybe relatively light duties for system administrators, the February update will see a return to more usual workloads.

Quiz: Know all about Microsoft?