HEAT Blog

Patch Tuesday Still Alive and Well – And Offering Something for Everyone

Despite the launch of Windows 10 and all the talk about mandatory updates, today is still Patch Tuesday. And this month, everyone should pay attention. Microsoft shared a vulnerability smorgasbord today – offering a little something for everyone. From office and browser applications to desktops and servers, Microsoft covered them all with 14 bulletins. Some are for Windows 10, but the majority are for legacy versions of the OS, as expected. Regardless of the Windows version you are using, it’s time to patch. Again.

Of the 14 bulletins this month, 4 are considered critical. The August patch load addresses 58 CVEs in all, although 6 of those are shared across multiple bulletins. If you are a Windows 10 user, Microsoft rolled all 6 of their fixes into a single Cumulative Update (KB3081436).

First on your list of priorities should be MS15-081. This critical update addresses 8 CVEs in Office 2007, 2010 and 2013, and exploits are being detected in the wild now.

Second on your list should be MS15-079, a critical, cumulative update to Internet Explorer that addresses 13 CVEs in all. With user interaction, attackers could successfully pull off a remote code execution that could result in the attacker gaining full user rights.

And speaking of web browsers, if you’re using Windows 10, Microsoft has also updated their new browser, Edge. Said to be the new IE, this new browser is already under attack, and critical-ranked MS15-091 addresses 4 CVEs.

And, for all the Adobe Flash users out there, you will want to update with APSB15-19. Published today, this update fixes 34 vulnerabilities in Flash Player, including fixes for Flash Player for Edge. There are no active exploits known at this time, but it of course won’t be long.

For those using all legacy versions of Windows, MS15-080 should be third on your list of priorities. It is another critical patch that addresses 16 vulnerabilities across .NET, Office, Lync and Silverlight in all legacy versions of Windows and Windows 10.
And lastly, another zero-day is addressed with MS15-085, which should also be high on your list of priorities, even though Microsoft ranks it as important. This update addresses CVE-2015-1769 in Mount Manager, which could allow an elevation of privilege. To accomplish it, attackers need to insert a malicious USB device.

Since the launch of Windows 10 on July 29, the mandatory update policy has been giving many users heartburn. Update KB3081424, released last week, reportedly has problems. Forum users report that it reaches various percentages of installation before failing, causing the machine to continually reboot. If you’re using the new OS, proceed with caution. With the Windows 10 cumulative update approach, be sure to thoroughly test in your environment before applying this all-or-nothing update.

According to StatCounter, in the week of August 3-9, Windows 10 accounted for 3.55% of desktop operating systems. In addition, there was a combined 2.27% dip among Windows 7 to 8.1. Are you using Windows 10? If not, is it in your plans?