May Patch Tuesday delivers critical and important fixes

In this month’s Patch Tuesday Microsoft has released 13 security bulletins addressing 48 vulnerabilities in Internet Explorer, Windows, Office, and Silverlight.

Over half of the patched vulnerabilities are considered critical (as defined by ISC: “need little to become ‘interesting’ for the dark side”), the rest have been designated as important.

MS15-043 is a cumulative security update for Internet Explorer that fixes 22 remote code execution, elevation of privilege, information disclosure and security feature bypass vulnerabilities.

MS15-044 and MS15-045 fix, respectively, two flaws in Silverlight and six flaws in Windows Journal, some of which could lead to remote code execution.

For a more detailed rundown, check out ISC’s helpful summary.

“Attackers have at their disposal a number of exploits for a diverse set of vulnerabilities to adapt to the target’s machine,” commented Qualys CTO Wolfgang Kandek. “It is safe to say that their favorite attack vectors include Internet Explorer, native Windows vulnerabilities and Adobe Flash, which all receive monthly updates publishing upwards of 20 CVEs per month. You should be prepared to install these updates as quickly as possible.”

Still, that doesn’t mean that all the vulnerabilities will be exploited by attackers. For example, in 2014 only 5% of all remote code execution (RCE) vulnerabilities in Microsoft software were ultimately exploited (according to the latest Verizon Data Breach Investigation Report).

“The difficulty is predicting which 5%,” says Kandek, but attackers have a definite predilection for flaws in Windows, Internet Explorer, Adobe Flash, Java, and Office.

As regards the Windows Journal vulnerabilities, he points out that two of them are publicly known, but are not being exploited.

“Patch quickly and evaluate disabling Windows Journal (a notebook application),” he advises. “I do not know anybody who uses Windows Journal, so I would recommend following the workaround described in the advisory and neutering the file description ‘.jnl’ to counter this and future attacks on this software.”

Whether this Patch Tuesday is the last one is unknown. Microsoft announced earlier this month that with the advent of Windows 10, security updates and other software innovations will be pushed to PCs, tablets and phones as soon as they are ready, effectively ending the need for a Patch Tuesday for home users.

Enterprise users will be able to take advantage of Windows Update for Business (WUB), a free service for all Windows Pro and Windows Enterprise devices, which will still keep the monthly update cycle.

“While I’m optimistic about WUB, many people are wondering if the as-they-are-ready patch deployments will replace the traditional Patch Tuesday updates. At this point, we can only surmise as Microsoft has not clearly articulated its strategy,” commented Russ Ernst, Director of Product Management at HEAT Software.

“What we do know is WUB won’t be your cure-all. It won’t patch Windows 7 or 8, so if you plan to continue on either of those OSes, you will be at risk. (Microsoft is offering Windows 10 for free to businesses to address this issue.) Nor will it solve the problem of third party application vulnerabilities. We know these continue to be a popular attack vector and Microsoft’s new updater will not address those.”

“Organisations with well-established patch management processes in place should welcome Microsoft’s WUB announcement. It will likely lead to quicker security updates and should be able to mix these more continual updates into tiered deployments,” he noted. “For those that don’t, the news should be something of a call to action. If you aren’t conducting strategic patch management, which includes patching outside of Microsoft, you should start now.”