Here’s a superquick overview of what happened on Patch Tuesday for January 2015.
I’m sorry, I’ll say that again.
Here’s a superquick overview of what happened on Update Tuesday for January 2015.
Microsoft’s own security geeks can’t remember if they’re issuing patches or updates now they’ve stopped announcing them in advance.
But we’ll try to remember to call them “Updates.”
Like fingers and thumbs, not all updates are patches, even if all patches are updates.
Adobe updated Flash on all supported platforms, patching nine known vulnerabilities.
These include Remote Code Execution holes (RCEs), whereby a rogue Flash file played in your browser could escape and do harm, such as infecting you with malware.
Adobe AIR, which is effectively a standalone Flash player than doesn’t need a browser to host it, gets updated at the same time.
I’ve never actually met anyone who still uses AIR, but as it includes the Flash Player code, it inevitably needs security fixes whenever Flash gets them.
Microsoft caused some consternation by deciding it would “evolve” its security reporting process by not giving advance reports about Update Tuesday fixes any more.
Sure, the advance notifications contained almost no meaningful technical information, presumably to avoid giving too many hints to cybercrooks by suggesting where to look to find a short-lived zero day hole.
Nevertheless, given the vast number of Microsoft products, there was some comfort in knowing which components were not getting fixed.
An obvious example is that it’s handy to know in advance that you won’t need to reboot your Server Core installations, or that the Office version that they’re still using down in the Legal department won’t need any critical fixes this month.
On the day, eight bulletins appeared, affecting Windows only.
“Windows” is still a giant target, of course, but I’d still have been happy to know in advance, for example, that there were no Lync-specific or SharePoint-specific patches this month.
Amusingly, there was only one patch this month denoted Critical and leading to a possible Remote Code Execution (RCE); that one is listed as a “Vulnerability in Windows Telnet Server.”
Telnet is a 1970s-style internet-based terminal protocol that is totally unencrypted, including the part of the protocol where your password is presented to the server.
If you have telnet anywhere on your network, I’m saying you have much bigger problems than a potential RCE exploit.
Telnet isn’t enabled by default on any supported Microsoft platform, and is only present at all by default on Server 2003.
In short, if you actually need this patch, you’d be much better off removing telnet entirely and replacing it with an encrypted alternative like SSH (Secure Shell), whereupon you won’t need the patch anyway.
Amongst the remaining seven Microsoft bulletins are two that patch the bugs controversially given “full disclosure” treatment by Google’s Project Zero team.
MS15-001 fixes the Application Compatibility Cache Elevation of Privilege bug publicised by Google at the end of December 2014.
MS15-003 fixes the User Profile Service flaw exposed by Google just two days before Microsoft’s updates went live.
Both of those holes were effectively turned into zero-days because Google released of Proof of Concept (PoC) code that publicly demonstrated how to exploit the vulnerabilities.
So, if you are the sort of administrator who likes to do your patches in sequence, rather than in parallel, you might as well start with these two.
And let’s not forget Mozilla, whose Firefox product hit one of its Fortytwosday Tuesdays this week.
Rather than a monthly Update Tuesday, Mozilla goes for updates every 42 days. (Yes, it’s a tribute to Douglas Adams.)
Firefox 35 adds various new features but also patches several potential RCE holes.
Like Apple, Firefox has a standard “portal page” where the latest security-related fixes are detailed; like Apple, Mozilla seems to publish the new list rather late, some time after an update has gone live .
On Fortytwosday itself, the Known Vulnerabilities page still documented changes only as far as Firefox 34, giving the impression that Firefox 35 was about features only, with no security holes patched.
But that page has just been updated, and now [2015-01-14T12:00Z] lists several potential RCEs amongst the updates in this release.
The bottom line
Update early, update often!
In this case, “updates” include “patches,” and patches close holes that could help the crooks if left unpatched.
5 comments on “Update Tuesday wrap-up, January 2015 – See? We didn’t use the word “Patch”!”
Toshiba’s laptop management tool uses air. The only reason we still have it installed on anything sadly.
My company uses Chatter Desktop (Salesforce) and it requires Adobe Air
My company uses Chatter Desktop from Salesforce, which requires Adobe AIR be installed. So we have to update AIR on every computer every time we update Flash Player.
Strangely, my W7Pro system didn’t tell me about the availability of the MS updates when I booted it in the UK today despite having it set to tell me they are available (I refuse to let them interrupt critical activities just to install the ‘updates’ when MS decide!)
So Have MS not only stopped sending out the advanced notice but also stopped warning people that the patches, sorry ‘updates’, are now available?
If you boot your computer up before the patches are released that day then you won’t get a notification as your computer only checks for updates once a day unless you do so manually. I’m not sure but I think they are released at 10 am PST, 1 pm EST. So if you booted your computer early that day do a manual check after those times.