Rumors of the demise of Patch Tuesday have been squelched for now, with today’s release of 13 security bulletins from Microsoft. It’s May Patch Tuesday, and while last week’s announcement of Windows Update for Business (WUB) makes it clear as mud whether Microsoft will in fact continue to provide monthly security patches for the enterprise on the second Tuesday of every month, as they have since 2003, one thing is certain today: IT departments everywhere will have their work cut out for them this month. Of the 13 bulletins, 3 are critical and 10 are important. In addition, we have new critical patches from Adobe for Reader, Acrobat and Flash Player, as well as from Apple, Mozilla and others.
Before diving into your May priorities, it’s important to understand what Microsoft announced – and what they didn’t – during last week’s Ignite Conference. Slated for release sometime this summer, the enterprise version of Windows 10 will ship with WUB. Using a ring approach, organizations can choose to install the first ring of updates immediately, as Microsoft issues them, or to wait for the patches to be vetted and install them from a second or third ring. This new approach will allow for 24/7 updates for organizations that already have a well-established patch management process, and regularly scheduled patches for others.
While I’m optimistic about WUB, many people are wondering if the as-they-are-ready patch deployments will replace the traditional Patch Tuesday updates. At this point, we can only surmise, as Microsoft has not clearly articulated their strategy. What we do know is WUB won’t be your cure-all. It won’t patch Windows 7 or 8, so if you plan to continue on either of those OSes, you will be at risk. (Microsoft is offering Windows 10 for free to businesses to address this issue.) Nor will it solve the problem of third-party application vulnerabilities. We know these continue to be a popular attack vector, and Microsoft’s new updater will not address them.
Back to the job at hand, the May patches. First on the list for any organization using Internet Explorer should be MS15-043. This is a critical, cumulative update to Internet Explorer that impacts versions 6-11. This update patches 22 CVEs in all – the most serious of which could allow remote code execution when a user visits a specially crafted webpage while using IE.
Second on your list of priorities this month is MS15-044. It resolves 2 CVEs in Microsoft Windows, .NET, Office, Lync and Silverlight. The most severe of the font driver vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage. This vulnerability has the highest exploitability index for both the latest platforms and application versions, as well as older versions. Given the broad scope of impacted software and the relative ease with which attackers could turn around exploit code, this update should be deployed quickly.
Also, pay particular attention to MS15-051, an elevation of privilege vulnerability in the Windows Kernel Mode Driver. Even though Microsoft ranks this update as important, it’s the only bulletin that addresses an actively exploited vulnerability this month. In all, it addresses 6 CVEs.
Also in your queue for this month should be an update for Adobe Acrobat and Reader – the first we’ve seen since December. A total of 34 vulnerabilities, some of which could result in remote code execution, are addressed by APSB15-10. Interestingly, 11 of these vulnerabilities were discovered by a single researcher and 21 were reported through the HP Zero Day Initiative. While the pay-for-zero-day model is our unfortunate reality, it’s refreshing to see responsible vulnerability reporting working as designed.
Adobe Flash Player has also been updated again – this time for 18 CVEs. Already, Flash Player has been targeted 7 times this year, more often than IE if you’re counting. If you’re using it, patch it quickly.
Other May Patches:
- MS15-045 Vulnerability in Windows Journal
- MS15-046 Vulnerabilities in Microsoft Office
- MS15-047 Vulnerabilities in Microsoft SharePoint Server
- MS15-048 Vulnerabilities in .NET Framework
- MS15-049 Vulnerability in Silverlight
- MS15-050 Vulnerability in Service Control Manager
- MS15-052 Vulnerability in Windows Kernel
- MS15-053 Vulnerabilities in JScript and VBScript Scripting Engines
- MS15-054 Vulnerability in Microsoft Management Console File Format
- MS15-055 Vulnerability in Schannel
Organizations with well-established patch management processes in place should welcome Microsoft’s WUB announcement. It will likely lead to quicker security updates, and these organizations should be able to mix the more continual updates into tiered deployments. For those without such processes, the news should be something of a call to action. If you aren’t conducting strategic patch management, which includes patching outside of Microsoft, you should start now.