February’s Microsoft Patch Tuesday bulletin has just been released. Here to comment is Ross Barrett, Senior Manager of Security Engineering at Rapid7.
“For the second straight month Microsoft is holding fast to their blockade of information. Customers with ‘Premier’ support are getting a very sparse advance notification 24 hours before the advisories drop, and ‘myBulletins’ continues to be useless because it is not updated until well after the Patch Tuesday release. Microsoft called this an evolution, and I can certainly see why – they are applying a squeeze to security teams that will eliminate the weak members of the herd.
“This month we are on the receiving end of nine advisories. The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one-month hiatus. Clearly, Microsoft was saving up from last month because this advisory addresses 41 CVEs including CVE-2014-8967, which has been publicly disclosed, and CVE-2015-0071, which is under limited targeted attack.
“The IE CVE free-for-all is paired up with two critical remote code execution issues affecting all supported versions of Windows, except Server Core variants. For MS15-010, this includes CVE-2015-0010, which has been publicly disclosed and is the probable reason for the Critical designation here, even though overall Microsoft deems this vulnerability as less likely to be exploited. MS15-011 relates to how group policy is applied and is deemed as likely to be exploitable. The three Critical issues will undoubtedly be the patching priorities due to their public exposure and risk of exploitation.
“This month’s fellowship (‘cause there are nine, get it?) is rounded out by two Important issues affecting Office or components thereof, and three Important ones affecting the majority of supported Windows versions. Interestingly, MS15-013 with the single CVE-2014-6362 is only listed as Important even though it has been publicly disclosed and exploitation is considered likely. This is probably due to it being ‘only’ a Security Feature Bypass, meaning it would have to be used in conjunction with some other attack or other information to negatively affect a system. Definitely worth patching any and all Office vulnerabilities as they are found.
“The curveball this month is MS15-017, which is an Important Elevation of Privilege that applies to ‘Microsoft System Center Virtual Machine Manager 2012 R2’ (Update Rollup 4). Hypervisor and Virtual Machine management applications are often overlooked in routine patching and can be a challenge for Administrators to locate on their network. Those going to patch may find the system requires an update rollup or other patches prior to this patch being offered, which could hide a vulnerable state.”
By Ross Barrett, Senior Manager of Security Engineering, Rapid7
About Rapid7
The company offers advanced capabilities for vulnerability management, penetration testing, endpoint controls assessment, and incident detection and investigation. Its attacker intelligence is informed by more than 200,000 members of the Metasploit community, the industry-leading Rapid7 Research Labs, and its experienced security services team. Rapid7 is trusted by more than 3,000 organizations across 78 countries, including more than 250 of the Fortune 1000.
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.