February’s Microsoft Patch Tuesday bulletin has just been released. Here to comment is Ross Barrett, Senior Manager of Security Engineering at Rapid7.
“For the second straight month Microsoft is holding fast to their blockade of information. Customers with ‘Premier’ support are getting a very sparse advance notification 24 hours before the advisories drop, and ‘myBulletins’ continues to be useless because it is not updated until well after the patch Tuesday release. Microsoft called this an evolution, and I can certainly see why – they are applying a squeeze to security teams that will eliminate the weak members of the herd.
Free eBook: Modern Retail Security Risk – Get your copy now.
“This month we are on the receiving end of nine advisories. The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one month hiatus. Clearly, Microsoft was saving up from last month because this advisory addresses 41 CVEs including CVE-2014-8967, which has been publically disclosed and CVE-2015-0071, which is under limited targeted attack.
“The IE CVE free-for-all is paired up with two critical remote code execution issues affecting all supported versions of Windows, except Server Core variants. For MS15-010, this includes CVE-2015-0010 which has been publically disclosed and is the probably reason for the Critical designation here, even though over all Microsoft deems this vulnerability as less likely to be exploited. MS15-011 relates to how group policy is applied and is deemed as likely to be exploitable. The three Critical issues will undoubtedly be the patching priorities due to their public exposure and risk of exploitation.
“This month’s fellowship (‘cause there are nine, get it?) is rounded out by two Important issues affecting Office or components thereof, and three Important ones affecting the majority of supported Windows versions. Interestingly, MS15-013 with the single CVE-2014-6362 is only listed as Important even though it has been publically disclosed and exploitation is considered likely. This is probably due to it being ‘only’ a Security Feature Bypass, meaning it would have to be used in conjunction with some other attack or other information to negatively affect a system. Definitely worth patching any and all Office vulnerabilities as they are found.
“The curveball this month is MS15-017, which is an Important Elevation of Privilege that applies to ‘Microsoft System Center Virtual Machine Manager 2012 R2’ (Update Rollup 4). Hypervisor and Virtual Machine management applications are often overlooked in routine patching and can be a challenge for Administrators to locate on their network. Those going to patch may find the system requires an update rollup or other patches prior to this patch being offered, which could hide a vulnerable state.”
By Ross Barrett, Senior Manager of Security Engineering, Rapid7
About Rapid7
Rapid7’s mission is to develop simple, innovative solutions for security’s complex challenges. The company understands the attacker better than anyone and builds that insight into its security software and services. Rapid7’s IT security analytics solutions collect, contextualize, and analyze the security data users need to dramatically reduce threat exposure and detect compromise in real-time. They speed investigations so customers can halt threats and clean up systems fast. Unlike traditional vulnerability assessment or incident management, Rapid7 provides insight into the security state of your assets and users, across virtual, mobile, private and public cloud networks.
The company offers advanced capabilities for vulnerability management, penetration testing, endpoint controls assessment, and incident detection and investigation. Its attacker intelligence is informed by more than 200,000 members of the Metasploit community, the industry-leading Rapid7 Research Labs, and its experienced security services team. Rapid7 is trusted by more than 3,000 organizations across 78 countries, including more than 250 of the Fortune 1000.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.