Here’s a superquick overview of what happened on Patch Tuesday for January 2015.
I’m sorry, I’ll say that again.
Here’s a superquick overview of what happened on Update Tuesday for January 2015.
Microsoft’s own security geeks can’t remember if they’re issuing patches or updates now they’ve stopped announcing them in advance.
But we’ll try to remember to call them “Updates.”
Like fingers and thumbs, not all updates are patches, even if all patches are updates.
Adobe updated Flash on all supported platforms, patching nine known vulnerabilities.
These include Remote Code Execution holes (RCEs), whereby a rogue Flash file played in your browser could escape and do harm, such as infecting you with malware.
Adobe AIR, which is effectively a standalone Flash player that doesn’t need a browser to host it, gets updated at the same time.
I’ve never actually met anyone who still uses AIR, but as it includes the Flash Player code, it inevitably needs security fixes whenever Flash gets them.
Microsoft caused some consternation by deciding it would “evolve” its security reporting process by not giving advance reports about Update Tuesday fixes any more.
Sure, the advance notifications contained almost no meaningful technical information, presumably to avoid giving too many hints to cybercrooks by suggesting where to look to find a short-lived zero day hole.
Nevertheless, given the vast number of Microsoft products, there was some comfort in knowing which components were not getting fixed.
An obvious example is that it’s handy to know in advance that you won’t need to reboot your Server Core installations, or that the Office version that they’re still using down in the Legal department won’t need any critical fixes this month.
On the day, eight bulletins appeared, affecting Windows only.
“Windows” is still a giant target, of course, but I’d still have been happy to know in advance, for example, that there were no Lync-specific or SharePoint-specific patches this month.
Amusingly, there was only one patch this month denoted Critical and leading to a possible Remote Code Execution (RCE); that one is listed as a “Vulnerability in Windows Telnet Server.”
Telnet is a 1970s-style internet-based terminal protocol that is totally unencrypted, including the part of the protocol where your password is presented to the server.
If you have telnet anywhere on your network, I’m saying you have much bigger problems than a potential RCE exploit.
Telnet isn’t enabled by default on any supported Microsoft platform, and is only present at all by default on Server 2003.
In short, if you actually need this patch, you’d be much better off removing telnet entirely and replacing it with an encrypted alternative like SSH (Secure Shell), whereupon you won’t need the patch anyway.
Amongst the remaining seven Microsoft bulletins are two that patch the bugs controversially given “full disclosure” treatment by Google’s Project Zero team.
Both of those holes were effectively turned into zero-days because Google released Proof of Concept (PoC) code that publicly demonstrated how to exploit the vulnerabilities.
So, if you are the sort of administrator who likes to do your patches in sequence, rather than in parallel, you might as well start with these two.
And let’s not forget Mozilla, whose Firefox product hit one of its Fortytwosday Tuesdays this week.
Rather than a monthly Update Tuesday, Mozilla goes for updates every 42 days. (Yes, it’s a tribute to Douglas Adams.)
Firefox 35 adds various new features but also patches several potential RCE holes.
Like Apple, Firefox has a standard “portal page” where the latest security-related fixes are detailed; like Apple, Mozilla seems to publish the new list rather late, some time after an update has gone live.
On Fortytwosday itself, the Known Vulnerabilities page still documented changes only as far as Firefox 34, giving the impression that Firefox 35 was about features only, with no security holes patched.
But that page has just been updated, and now [2015-01-14T12:00Z] lists several potential RCEs amongst the updates in this release.
The bottom line
Update early, update often!
In this case, “updates” include “patches,” and patches close holes that could help the crooks if left unpatched.