A New Year Signals the End of Patch Tuesday as We Know It
The big news in today’s January Patch Tuesday is that this release marks the end of the 12-year Patch Tuesday update cycle as we know it. Last month, Microsoft announced impending changes to their security update process, which is set to begin in February. Before jumping into more detail on what the coming year will look like for your patch team however, we have four updates to address now. You heard me right…only four. And none of them are reported under active exploit.
Of the four security bulletins released, just two are rated critical. And your first priority this month actually comes from Adobe. MS17-003 is an update for Adobe Flash Player when installed on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. You’ll find more in Adobe Security Bulletin APSB17-02.
Your second priority should be MS17-002 which resolves a vulnerability in Office which could allow a remote code execution if a user opens a malicious file. Microsoft Word 2016 and Enterprise Sharepoint Server are impacted.
If your users rely on Microsoft Edge, MS17-001 will take third priority. It’s an important, cumulative update for the browser and the vulnerability could result in elevation of privilege. Lastly, MS17-004 is an update for Local Security Authority Subsystem Service (LSASS). The update addresses a denial of service vulnerability in the way the LSASS handles authentication requests in older versions of Windows. The denial of service on the target system’s LSASS service could trigger an automatic reboot of the system. If you’re running old Windows, make this update or better yet, upgrade.
Next month, Microsoft will categorize needed updates by unique vulnerability IDs through the Security Update Guide which will be accessible by a dashboard and API. Security bulletin IDs will no longer be used, though past bulletins will remain online for your reference and use as needed. One important item to note: the software maker says they will continue to issue out-of-band patch notifications as required. For more, visit the frequently asked questions to the Security Update Guide.