Another month has passed and Patch Tuesday is once again upon us, with both Microsoft and Adobe having recently released important patches for their product ranges.
It has been a fraught month for IT security since Microsoft decided to stop releasing advance notice of its patches, while Adobe has been busy dealing with various unpatched flaws involving Flash. So here is our roundup of what you should know about the latest batch.
1. Survival of the fittest for IT security teams
Rapid7 was among the most vocal critics of Microsoft’s decision to stop releasing patch bulletins to the public, and its stance has not softened at all since.
"Customers with Premier support are getting a very sparse advance notification 24 hours before the advisories drop, and myBulletins continues to be useless because it is not updated until well after the patch Tuesday release," said Ross Barrett, senior manager of security engineering at Rapid7.
"Microsoft called this an evolution, and I can certainly see why – they are applying a squeeze to security teams that will eliminate the weak members of the herd."
2. Fix for bug publicly disclosed by Google
Google and Microsoft had a bit of a tiff last month after the search engine publicly disclosed a problem with Windows 8.1 following the lapse of a 90-day waiting period after private disclosure.
The problem, according to Karl Sigler, threat intelligence manager at Trustwave, affected a kernel driver involved in encrypting memory. "This [bug] could potentially allow a normal user to impersonate another session and encrypt or decrypt data in memory meant for a different user," he said.
Two more bugs were then disclosed under similar circumstances, but Microsoft has got around to fixing all three with this latest release.
3. Adobe Flash still needing to be patched
2015 has proved a difficult year for what is arguably Adobe’s most famous product: Flash. The multimedia software has come undone over several unpatched "zero-day" flaws discovered by various researchers.
"Since January there have been three Flash Player updates to cover a series of zero days discovered in the wild. The most recent update on February 5 also included 17 other vulnerability fixes," said Chris Goettl, product manager with security firm Shavlik.
"The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January."
4. Plethora of updates for everyday software "worrying"
Alongside Adobe’s fixes for Flash, Microsoft has released updates for Internet Explorer, Office and even Windows, which are the sort of programs that people use every day of their lives.
Out of nine bulletins from Microsoft, four fix remote code execution flaws (which allow hackers to issue instructions to computers from afar) and five deal with local problems, including elevation of privilege and information disclosure.
"It is worrisome to see the amount of problems that cyber criminals are able to find in software that we all have installed and use in our daily lives," said Wolfgang Kandek, CTO of the security vendor Qualys.
This article is from the CBROnline archive: some formatting and images may not be present.