Three critical patches for Microsoft and six updates that may need some attention

January and February have been a busy time for Microsoft and for anyone else involved with security patches. First, Microsoft removed the (very useful) Advance Notification Service (ANS), which allowed everyone a sneak preview of the updates proposed for the following Patch Tuesday. This Patch Tuesday preview is now only available for paid Premier Account subscribers and members of the Microsoft Active Protection Program (MAPP). Microsoft has redirected users who require ANS-type information and who are not paid Premier subscribers or MAPP members to the new Microsoft My Security Bulletin Dashboard. I have spent some time with the new MyBulletin dashboard, and after subsequent daily refreshes prior to this February Patch Tuesday, I have not been able to generate any results for prospective patches for this month's Patch Tuesday. Hmmm.

In addition to this major change, both Microsoft and Google have been embroiled in a bitter "lack of coordination" standoff as a result of Google's 90-day hard-line exploit disclosure policy. Microsoft has responded to Google’s “throwing down of the gauntlet” by releasing two of the Microsoft January updates, MS15-001 and MS15-003, which appear to be direct responses to Google's 90-day exploit policy. Both Microsoft and Google have to work together on how exploits are discovered, published and subsequently patched. One solution would be for Google to acknowledge that both Microsoft and Adobe have standardized on the second Tuesday of each month as their date for delivering security updates and adjust the 90-day deadline to correspond to the Patch Tuesday after Google's deadline expires. I am still not entirely comfortable with one competitor publicly disclosing security exploits (with sample code) of another competitor after an arbitrary period, but this would at least present some measure of cooperation between the companies.

For this Microsoft Patch Tuesday, we have three updates rated as critical by Microsoft and six updates rated as important. There are a number of what seem to be straightforward patches included in the February release schedule, but I think that some of these patches may require additional testing, especially for critical line of business applications.  

MS15-009 — Critical

MS15-009 delivers a critical update that resolves 40 privately reported and one privately resolved vulnerability that may result in a remote code execution scenario that affects all versions of Microsoft Internet Explorer across all Microsoft desktop and server platforms. This is a massive update that addresses a number of security vulnerabilities, including memory corruption, multiple elevation of privilege scenarios, ASLR bypass vulnerabilities and Internet Explorer cross-domain information disclosure issues. In addition, this again looks like a complete recompile of Microsoft Internet Explorer (IE) with a fully updated file list for the IE patch. With no published mitigating factors or workarounds from Microsoft, this is a “Patch Now” update from Microsoft.

MS15-010 — Critical

The second critical update from Microsoft for this February patch cycle is MS15-010, which attempts to patch the Windows kernel mode driver. This update addresses five privately and one publicly reported issue in the TrueType fonts rendering engine. Again, this Microsoft patch attempts to resolve a multi-faceted series of vulnerabilities, including CNG feature bypass issues, Win32K elevation of privileges, Windows cursor object double free vulnerabilities, and TrueType parsing issues. The worst of these vulnerabilities may result in a remote code execution scenario that may allow a remote attacker to take complete control of the affected system. This is a critical patch for all supported versions of Microsoft desktop and server platforms (including RT); however, it is rated as important for the Microsoft Server Core platform. Updating Microsoft kernel mode drivers is a risky operation for most system administrators. This is an important update from Microsoft, and though I strongly recommend a very robust testing program (and waiting a week), Microsoft has published an interim solution that will reduce an organisation’s exposure to these sorts of security issues, including the following command-line changes to local file permissions:

    Takeown.exe /f "%windir%\system32\t2embed.dll"
    Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

These commands take ownership of the TrueType embedding library (t2embed.dll) and then deny everyone access to it. This may provide some protection until your patch testing program for this key system file update has been successfully completed.
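As an added example (not part of the original article), the batch script below wraps the workaround above so that it can be applied, inspected and undone on both the System32 and SysWOW64 copies of t2embed.dll. The script name, the `undo` step using `icacls /remove:d`, and the use of the well-known SID `*S-1-1-0` in place of the localised name `everyone` are assumptions added here; run it from an elevated 64-bit Command Prompt.

```batch
@echo off
rem Added example: apply, undo or show the t2embed.dll ACL workaround.
rem Hypothetical script name: t2embed-workaround.cmd apply^|undo^|status
setlocal
set "ACTION=%~1"
if /i "%ACTION%"=="apply"  goto run
if /i "%ACTION%"=="undo"   goto run
if /i "%ACTION%"=="status" goto run
echo Usage: %~nx0 apply^|undo^|status
exit /b 2

:run
call :%ACTION% "%windir%\system32\t2embed.dll"
if errorlevel 1 exit /b 1
rem On 64-bit Windows a second (32-bit) copy lives under SysWOW64.
if exist "%windir%\syswow64\t2embed.dll" call :%ACTION% "%windir%\syswow64\t2embed.dll"
exit /b %errorlevel%

:apply
rem Take ownership so the DACL can be edited, then deny Everyone full control.
rem S-1-1-0 is the well-known SID for Everyone; it works on non-English builds.
takeown.exe /f "%~1" || exit /b 1
icacls.exe "%~1" /deny *S-1-1-0:(F) || exit /b 1
goto status

:undo
rem Remove only the explicit deny entry that "apply" added.
rem Assumption: file ownership changed by takeown is left as-is and is not
rem restored by this script.
icacls.exe "%~1" /remove:d *S-1-1-0 || exit /b 1
goto status

:status
rem Print the current ACL so the state can be recorded before and after patching.
icacls.exe "%~1"
exit /b %errorlevel%
```

Run `status` before `apply` and keep the output, so the original ACL is on record when the workaround is removed after the patch has been deployed.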

MS15-011 — Critical

The third critical-rated update from Microsoft for February is MS15-011, which addresses a remote code execution scenario in Microsoft Group Policy. This update affects all currently supported Microsoft desktop and server platforms (including Microsoft Server Core). This is an interesting security issue, as it appears that an attacker who can tamper with the communications between a client and server may be able to run arbitrary scripts, execute programs or implement group policy settings (i.e. loosen security settings) on a number of machines in a particular domain. You may want to deploy this patch as soon as possible (test on a small department like IT before global deployment), but I highly recommend reading and following the Microsoft Group Policy hardening advice found in the Microsoft Knowledge Base article KB3000483.

MS15-012 — Important

The first update rated as important by Microsoft for February, MS15-012, is a Microsoft Office remote code execution update that addresses three privately reported security issues affecting all currently supported versions of Microsoft Office, including the Office Compatibility Pack. There are at least 13 known issues with this Office update, which are documented in the Microsoft KB article KB3032328; it therefore deserves a quick read. Include this update as part of your normal desktop update deployment schedule.

MS15-013 — Important

The second update to Microsoft Office for this month is MS15-013, which is rated as important by Microsoft, since an attacker could invoke a security bypass scenario if a user opens a specially crafted Office file. This security vulnerability is a little more complicated than your standard Office security issue, as it could be used in conjunction with other Office security issues to result in a remote code execution scenario, something a lot more critical to both users and system administrators. This update affects all currently supported versions of Microsoft Office, including the latest service pack for Microsoft Office 2013.

MS15-014 — Important

The second update to Microsoft’s Group Policy engine this month is MS15-014, which addresses a man-in-the-middle type attack in the Microsoft Group Policy configuration engine that could lead to the group policy settings on the affected machine becoming unreadable. Microsoft has not published any workarounds or mitigating factors for this issue, which affects all currently supported versions of Microsoft’s desktop and server platforms. Include this Microsoft update in your standard patch deployment efforts.

MS15-015 — Important

The update MS15-015 addresses a single privately reported vulnerability in Windows that could lead to an elevation of privilege scenario where an attacker takes advantage of the lack of impersonation-level security checks during Windows' internal process creation. This update is rated as important by Microsoft and affects all currently supported versions of both Windows desktop and server platforms (32- and 64-bit). There are three known security issues with this update, referenced in the Microsoft Knowledge Base article KB3031432, which documents that certain applications from third-party vendors may fail due to the use of the now deprecated API. I recommend a thorough testing of all your 3rd party business critical applications prior to deployment of this update. Given that deprecated system APIs will be an issue with Windows 10 migrations, it may be time to have a look at what your internal and external applications are using at the Windows API system level.

MS15-016 — Important

The second to last update, MS15-016, rated as important by Microsoft for this February, relates to a single privately reported vulnerability in the Windows TIFF image handling feature that could lead to an information disclosure security scenario. This update may seem innocuous, but if you examine the Microsoft patch manifest (the list of files and potential registry settings that will be changed by this update), you will notice that the core system DLL GDIPLUS.DLL has been updated. The GDI Plus library (contained in GDIPLUS.DLL) is a major Windows component and ANY update should be treated as a major or at least very significant update to your desktop or server platform. I would test this update, and given the lower security and exploit rating for this MS15-016 update, I would test it thoroughly for all line of business applications, all core build applications and be prepared for a system level roll-back scenario. The testing surface for this kind of update is enormous, and very difficult to debug. Maybe wait a few days, first?

MS15-017 — Important

The last update for this February Microsoft Patch Tuesday is MS15-017, which deals with a single privately reported vulnerability in Microsoft’s Virtual Machine Manager (VMM) that could lead to an elevation of privilege security scenario if an attacker has physical access to the targeted system and has valid Active Directory credentials. This update only affects Microsoft System Center 2012 R2 Virtual Machine Manager and should be included in your standard patch deployment program.

Adobe -- APSB15-04

The security bulletin for Adobe Flash Player (APSB15-04) addresses 18 publicly disclosed vulnerabilities affecting Windows, OS X and Linux, of which the most serious may result in a remote code execution scenario. In particular, these updates address CVE-2015-0313, which is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. This is a “Patch Now” update from Adobe for February 2015.

Google -- Chrome 40.0.2214.111

Google released a security update for Chrome on February 5th, 2015 that included 11 security fixes. Exploitation of these vulnerabilities could allow a remote code execution scenario on Windows, OS X and Linux systems. Many of these security vulnerabilities were automatically detected by the Google security vulnerability analysis tools AddressSanitizer and MemorySanitizer.

Copyright © 2015 IDG Communications, Inc.
