determined - Fotolia

January Patch Tuesday sparse before Windows security updates change

Microsoft offers up a meager January 2017 Patch Tuesday release before bigger changes planned for Windows security update announcements, which are set to take effect in February.

Microsoft released its January 2017 Patch Tuesday fixes today, which targeted a mere three vulnerabilities in its own products. The Patch Tuesday release was comprised of four bulletins, two of which were rated as critical. And one of the critical bulletins was for the Adobe Flash Player, which contained 12 of the 15 vulnerability patches for the month.

There is no bulletin for Internet Explorer this month, so MS17-001 leads the pack with the standard bulletin for the Microsoft Edge browser. The bulletin includes one patch for a privilege escalation flaw rated important for Microsoft Edge on Windows 10 and Windows Server 2016. Microsoft noted that this flaw was publicly disclosed, but no exploits have been found in the wild.

However, Craig Young, security researcher at Tripwire Inc., in Portland, Ore., said this flaw could be more critical than it seems.

"The Edge fix, while rated only as important, should be deployed as soon as possible, since the underlying flaw was publicly disclosed on Broken Browser with enough details for making custom exploits," Young told SearchSecurity. "This flaw could enable an attacker to hijack connections to secure sites after loading an attacker-controlled page. This attack could potentially be incorporated with Malvertising to reach more users."

MS17-002 is the January Patch Tuesday bulletin for Microsoft Office and the lone critical bulletin for a Microsoft product. The patch deals with a remote-code-execution vulnerability in Office 2016 and SharePoint 2016 that could allow an attacker to take complete control of a system if a malicious file is opened.

MS17-003 is the critical bulletin for Adobe Flash Player, containing patches for 12 vulnerabilities, with potential issues that include security bypass, information disclosure, remote code execution and memory corruption flaws.

MS17-004 patches a denial-of-service vulnerability in the way the Local Security Authority Subsystem Service handles authentication requests. Amol Sarwate, director of vulnerability labs at Qualys Inc., in Redwood City, Calif., said this bulletin should be "top of the list" for Windows Server 2008 admins because the flaw was publicly disclosed and could soon have exploits in the wild.

Moving to the Windows Security Updates Guide

In October, Microsoft split up Windows security updates and feature updates into separate monthly rollups. And in February 2017, Microsoft will change the way Patch Tuesday security bulletins are announced. Microsoft has said the new Windows Security Updates Guide will allow customers to "view and search security vulnerability information in a single online database," rather than have to sift through bulletins describing vulnerabilities. 

Sarwate said the changes coming to Windows security updates releases could make it easier for users.

"It is worth noting that starting next month, Microsoft will scrap the existing system where users get a document each month in favor of a new 'single destination for security vulnerability information,' called the Security Updates Guide," Sarwate wrote in a blog post. "The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search and filter the database to find details about a specific security bulletin and its associated updates."

Tyler Reguly, manager of Tripwire's vulnerability and exposure research team, said it was possible Microsoft "aimed for a minimal patch release to give them time to finalize the transition to the new Security Updates Guide."

"It seems odd to have any 2017 bulletins, given their removal in February. But it may be that the two publicly disclosed vulnerabilities, along with the Adobe Flash update schedule -- which is outside of Microsoft's control -- forced Microsoft's hand and required that updates be released today," Reguly told SearchSecurity via email. "After 20 years and 1535 bulletins, this month may be the end of an era. It will be interesting to see what the future holds for Microsoft and Patch Tuesday."

Next Steps

Catch up on the December 2016 Patch Tuesday news.

Learn more about juggling Windows Server vulnerability scans and patching.

Find out why views are mixed on the new Microsoft patch rollup model.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing