Microsoft announced at the recent Ignite conference that the days of monthly patch updates would be scrapped in favour of 24/7 updates, for Windows 10 at least. Since announcing the news, there’s been many arguing the potential pros and cons of moving to a continuous update cycle and for end users. I think this is a great thing but, for IT managers, it’s the worst thing.
Traditionally, you pool a collection of patches into a baseline and roll that baseline out once a month following Patch Tuesday, based on ranking patches by CVSS and severity ratings. These baselines can take weeks to compile due to testing before roll out, so if Microsoft begins releasing patches on an ad-hoc basis, IT teams will have to continually re-run baselines throughout the month.
Some businesses won’t be in a position to run multiple baselines per month to remain up to date and have to wait until the next patching cycle is scheduled – patching multiple times per month means downtime. The problem here is that once Microsoft issues a patch, it lets the whole world know that a vulnerability exists within a particular product. We already know that exploits targeting vulnerabilities go up after each Patch Tuesday, as hackers look to exploit weaknesses in Microsoft’s products. This will be exacerbated by a continuous update cycle.
However, with fewer patches to roll out at any one time, there’s less chance of compatibility issues being encountered with a patch. Patch baselines will be smaller, so testing and roll out will be more controlled and faster, so it will improve change management success. In addition, the impact on the network is reduced, as baseline file sizes will be much smaller.
It remains to be seen how successful continuous patch updates will be, but it will mean IT departments will need to change the way they approach patching.
May’s Patch updates
This month sees three patches rated Critical by Microsoft affecting Internet Explorer, Windows, the .NET Framework, Office, Lync, and Silverlight. The CVSS scores from US-CERT rate all three at 9.3, so they certainly pose a risk if left unpatched.
The first Critical patch, MS15-043, resolves 22 separate vulnerabilities across Internet Explorer; only Internet Explorer 7 installed on Windows Server 2003 is not affected by this vulnerability. To address the vulnerability, the update modifies how IE handles objects in memory, ensures affected versions of Jscript, VBScript and IE to properly implement the ASLR security feature, as well as adding additional permission validations. The most severe of the vulnerabilities could allow for remote code execution if a user view a specially crafted web page.
The second Critical update from Microsoft, MS15-044, address vulnerabilities in Windows, .NET Framework, Office, Lync, and Silverlight by correcting how the Windows DirectWrite library handles OpenType and TrueType fonts. Both vulnerabilities in this update could allow for remote code execution, allowing a hacker to gain the same admin rights as the current user. Those with fewer user rights could be less impacted than those who operate with admin rights.
The final Critical update, MS15-045, addresses six vulnerabilities in Microsoft Windows that could allow remote code execution if a user opens a specially crafted Microsoft Journal file. Two of the vulnerabilities were publicly disclosed but, luckily, are not being actively exploited.
Other updates of note
There are a further ten updates in this month’s Patch Tuesday release, all rated as Important, addressing 18 separate vulnerabilities. There is some disparity however, as US-CERT has given a CVSS of 9.3 for three of the Important updates, meaning they should probably be Critical updates.
MS15-046, MS15-048, and MS-049 should be the next three after your Critical patches to update. The first update address vulnerabilities in Microsoft Office, and could allow for remote code execution. The other two updates here could allow for elevation of privilege and affect Microsoft Windows, .NET Framework, and Silverlight.
Interestingly, US-CERT has given MS15-051 a CVSS of 2.1, whilst Microsoft gives it an Important rating. What’s interesting is one vulnerability within this patch, allowing elevation of privilege, has been publicly disclosed, meaning hackers know about this vulnerability. At the time of writing, Microsoft has confirmed it’s aware of some limited, targeted attacks that are attempting to exploit this vulnerability.
Based on Microsoft’s rating along with US-CERT’s CVSS scores I would recommend prioritising the top six patches in the table below, and then working down the list.
As always, I’d recommend testing patches before rolling them out across your IT estate to avoid any issues or conflicts, and this month you should pay special attention to MS15-044, which may require more testing because of the variety of different products that are impacted.