Patch Tuesday: Keep in Mind X, Y, and Z

Jan 9th was Patch Tuesday: the day Microsoft designed for accumulating patches and releasing them on a regular schedule.

Otherwise patches would be released whenever problems are solved. That would be good in some ways (why not resolve problems as soon as practical?), but a release schedule of 1 or 2 patches every few days would make IT planning a mess.

As it is, new critical problems may get released on an out-of-band release date, that is, a date other than the second Tuesday of the month (like this month’s CPU bug, released on Jan 3rd).

So we have a set schedule now of a number of accumulated patches which we can schedule around.

Trend Micro said out-of-band patches were released by Microsoft on January 3rd.

TrendMicro security update summary   

Kaspersky lab security update compatibility summary

Microsoft January 2018 security updates release notes date 1/9/18

“Meltdown” CVE-2017-5754 CVE – Common Vulnerabilities and Exposures

“Spectre” CVE-2017-5753 & CVE-2017-5715

***UPDATE – 1/12/18***

Intel has issued patches at its download center.

AMD has also published information in its official response.

 

I have reviewed CVE before on this blog: http://oversitesentry.com/hackers-please-attack-us/

There are hundreds of CVEs per year – so this is just the beginning for this year – prepare for a long year of patching.

CVE-2018-0797 is also a bad CVE: it is a Critical Microsoft Word vulnerability with remote code execution, so you have to update Office as well.

Keep in mind that you are not just patching the CPU bug this month, but also Office bugs/vulnerabilities and others, including Adobe Flash (it is called the APSB18-01 vulnerability).

Keep in mind that all software may get security or other bugs, and then you should update. This process of updating on a consistent basis needs to be planned:

X: 2nd Tuesday of month releases most patches – plan for testing and subsequent weekend patch updates on production systems.

Y: Out-of-band critical releases may disrupt this schedule, so always have a few days available for critical vulnerabilities.

Z: Do not forget Office and other applications that users use; these applications are usually in the 2nd Tuesday of month release.

 

Always look for remote code execution vulnerabilities first.

I decided to pick out the remote code execs in a spreadsheet initially created by Ghacks.net.

Notice that most of the remote code execs are from Office; there are a couple for SharePoint Server.
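A small planning helper for rules X and Y plus the "remote code execution first" ordering, added here as an example (it is not code from the original post or from Microsoft). The 3-day test window, the function names, and the product, impact and Flash release-date values in the sample rows are assumptions made for illustration.

```python
from datetime import date, timedelta

TEST_DAYS = 3  # assumption: minimum testing time before production rollout

def patch_tuesday(year, month):
    """Rule X: the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday=0, Tuesday=1, ..., Saturday=5
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

def is_out_of_band(released):
    """Rule Y: anything not released on that month's second Tuesday."""
    return released != patch_tuesday(released.year, released.month)

def weekend_after_testing(released, test_days=TEST_DAYS):
    """First Saturday that leaves at least test_days of testing."""
    earliest = released + timedelta(days=test_days)
    return earliest + timedelta(days=(5 - earliest.weekday()) % 7)

def plan(updates):
    """Annotate each update, then order: RCE first, out-of-band next, oldest first."""
    rows = [dict(u, out_of_band=is_out_of_band(u["released"]),
                 deploy=weekend_after_testing(u["released"])) for u in updates]
    return sorted(rows, key=lambda r: (r["impact"] != "RCE",
                                       not r["out_of_band"], r["released"]))

# Constructed sample rows: identifiers come from the post; product, impact
# and the Flash release date are filled in for illustration only.
UPDATES = [
    {"id": "APSB18-01", "product": "Adobe Flash", "impact": "Other",
     "released": date(2018, 1, 9)},
    {"id": "CVE-2017-5754", "product": "Windows", "impact": "Information Disclosure",
     "released": date(2018, 1, 3)},
    {"id": "CVE-2018-0797", "product": "Word", "impact": "RCE",
     "released": date(2018, 1, 9)},
]

if __name__ == "__main__":
    for r in plan(UPDATES):
        tag = "out-of-band" if r["out_of_band"] else "Patch Tuesday"
        print(f'{r["id"]:14} {r["impact"]:22} {tag:13} '
              f'released {r["released"]} -> deploy {r["deploy"]}')
```

Feeding it an export of the month's update list (one row per bulletin) gives a work order that puts remote code execution fixes at the top and shows which releases fell outside the regular schedule.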

Create your own security policy and timeline to patch – contact us to help you design what is right for your circumstances.

 

Updated 1/12/18 to add latest Intel and AMD information