Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

6 critical updates for January Patch Tuesday

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 14 Jan 2016 08:20:18 +0000 (UTC)
http://www.computerworld.com/article/3022060/security/6-critical-updates-for-january-patch-tuesday.html

By Greg Lambert
Computerworld
Jan 13, 2016
Microsoft has started the year with a truly unusual Patch Tuesday. There are nine updates for January, with six rated as critical and the remaining three rated as important (the reverse of the usual distribution in terms of severity). January has a couple of additional surprises. First, it looks like MS16-009 did not make this Patch Tuesday release at all and may only surface later this month. Secondly, we see what has been rated as an important update with MS16-008 may contain the most severe vulnerability and the most risky patch contents.
Thanks to Shavlik this month for their very helpful summary infographic detailing this January Patch Tuesday. 


MS16-001 — Critical
The first update rated as critical for the year 2016 is MS16-001, an update for Microsoft Internet Explorer that attempts to resolve two reported vulnerabilities, that at worst could lead to a remote code execution scenario. This update affects all supported versions of Windows and will require a system restart due to the complete re-release of all IE related executables and supporting libraries. Microsoft has offered some advice on how to mitigate the risk of this particular vulnerability. However, this advice requires changing the ownership (and subsequent security settings) of one of IE’s core system libraries (VBScript.dll) which in practice is usually difficult to do and almost impossible to manage in an enterprise scenario. This is a "Patch Now” Microsoft update. 


MS16-002 — Critical
The next critical update for this January Patch Tuesday is MS16-002 which attempts to resolve two reported vulnerabilities in Microsoft’s latest browser -- Edge. This update to Edge is intimately related to this month’s IE update MS16-001 as it also deals with a VBScript and JScript memory corruption issue in the Chakra JavaScript engine, which could lead to a remote code execution scenario. Both of these browser patches have a high exploitation rating and should be a priority in your patch cycle. 

[...]


--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
Previous By Date Next
Previous By Thread Next

Current thread: