February 11, 2015

4 highlights from Adobe & Microsoft’s Patch Tuesday

Are we entering an era of ‘survival of the fittest’ for security?

By Jimmy Nicholls

Another month has passed and Patch Tuesday is once again upon us, with both Microsoft and Adobe having recently released important patches for their product ranges.

It has been a fraught month for IT security since Microsoft decided to stop releasing advance notice of its patches, while Adobe has been busy dealing with various unpatched flaws involving Flash. So here is our roundup of what you should know about the latest batch.

1. Survival of the fittest for IT security teams

Rapid7 was among the most vocal critics of Microsoft’s decision to stop releasing patch bulletins to the public, and its stance has not softened at all since.

"Customers with Premier support are getting a very sparse advance notification 24 hours before the advisories drop, and myBulletins continues to be useless because it is not updated until well after the patch Tuesday release," said Ross Barrett, senior manager of security engineering at Rapid7.

"Microsoft called this an evolution, and I can certainly see why – they are applying a squeeze to security teams that will eliminate the weak members of the herd."

2. Fix for bug publicly disclosed by Google

Google and Microsoft had a bit of a tiff last month after the search engine publicly disclosed a problem with Windows 8.1 following the lapse of a 90-day waiting period after private disclosure.

The problem, according to Karl Sigler, threat intelligence manager at Trustwave, affected a kernel driver involved in encrypting memory. "This [bug] could potentially allow a normal user to impersonate another session and encrypt or decrypt data in memory meant for a different user," he said.

Two more bugs were then disclosed under similar circumstances, but Microsoft has got around to fixing all three with this latest release.

3. Adobe Flash still needing to be patched

2015 has proved a difficult year for what is arguably Adobe’s most famous product: Flash. The multimedia software has come undone over several unpatched "zero-day" flaws discovered by various researchers.

"Since January there have been three Flash Player updates to cover a series of zero days discovered in the wild. The most recent update on February 5 also included 17 other vulnerability fixes," said Chris Goettl, product manager with security firm Shavlik.

"The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January."

4. Plethora of updates for everyday software "worrying"

Alongside Adobe’s fixes for Flash, Microsoft has released updates for Internet Explorer, Office and even Windows, which are the sort of programs that people use every day of their lives.

Out of nine bulletins from Microsoft, four fix remote code execution flaws (which allow hackers to issue instructions to computers from afar) and five deal with local problems, including elevation of privilege and information disclosure.

"It is worrisome to see the amount of problems that cyber criminals are able to find in software that we all have installed and use in our daily lives," said Wolfgang Kandek, CTO of the security vendor Qualys.
