Light Microsoft Patch Tuesday Update For January

It is an easy start to 2017 for system administrators with the news that Microsoft has continued its tradition of delivering relatively light Patch Tuesday updates in January.

Indeed, January’s update is one of the smallest ever with just four bulletins, but two of the bulletins are critical as they are dominated by remote code execution (RCE) vulnerabilities.

Compare this to December’s Patch Tuesday update that saw Microsoft deliver a total of 12 security bulletins, six of which were rated as ‘critical’ and six as ‘important.’

Patch Tuesday

This month’s security update for Windows users contains no fixes or improvements for either Windows 8.1 or Windows Server 2012 R2.

Instead, the four bulletins cover vulnerabilities relating to the Edge web browser, Microsoft Office, and the Adobe Flash Player.

“Microsoft starts off the year with four bulletins, and unfortunately continues a long running trend with their products where the majority of bulletins (2) are dominated by remote code execution (RCE) vulnerabilities, which predominantly affect consumer applications,” commented Adam Nowak, Lead Engineer at Rapid7.

“These types of vulnerabilities are difficult to distinguish as they typically lure users to visit/open an email, webpage or multimedia, making use of specially crafted content,” said Nowak. “Upon viewing this content (emails, webpages, etc.), a bad actor can execute malicious code and take complete control of an affected system with the same privileges of the user. This action is known as remote code execution.”

According to Trustwave, MS17-002 is a critical update for Microsoft Office, as the vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file.

Trustwave points out that the other critical update (MS17-003) fixes flaws in Adobe Flash by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

“Adobe has started 2017 with the release of two security bulletins – one for Flash and the other for Acrobat and Reader,” said Amol Sarwate, director of vulnerability research at Qualys.

“Since Flash vulnerabilities have a high potential of being weaponised in exploit kits, organisations should apply both the updates as soon as possible,” said Sarwate. “For Microsoft, it’s an unusually small patch update and will definitely make system administrators happy.”

The two other bulletins are rated as important. MS17-001, for example, fixes a vulnerability in Microsoft Edge that could allow an elevation of privilege if a user views a specially crafted webpage using Microsoft Edge.

The last bulletin, MS17-004, also rated as important, concerns a denial of service vulnerability in the Local Security Authority Subsystem Service which, if successfully exploited, could trigger an automatic reboot of the system.

Update Change

Meanwhile, Qualys’ Sarwate points out that Microsoft is changing its update system from next month.

“It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favour of a new ‘single destination for security vulnerability information’ called the Security Updates Guide,” said Sarwate.

“The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.”

Another point to remember is that whilst this month may be relatively light duties for system administrators, the February update will see a return to more usual workloads.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
