January 2016 Security Updates Summary

Update: 13th January 2016:
Kaspersky have published a blog post that provides details of the security issue resolved by Silverlight update MS16-006. This issue is a zero-day vulnerability (defined), and for that reason the update should be installed before all other updates mentioned below.

Thank you.

Original Post:
Earlier today Microsoft made available its scheduled security updates for Windows and other Microsoft software.

There are 9 bulletins in total (although MS16-009 is not yet available and may be delayed until next month) addressing 25 security issues, more formally known as CVEs (defined).

The Security Bulletin Summary lists 2 Known Issues with regard to MS16-007 (an update to Windows which addresses a number of DLL (defined) loading issues, among others). Both issues relate to software from Citrix, namely XenDesktop, which will experience compatibility issues if this update is installed. To avoid these issues, Microsoft will not offer this update to users with this software installed. Microsoft recommends uninstalling the Citrix software, installing the security update and contacting Citrix for a workaround for these issues. This advice was obtained from these knowledge base articles (article 1, article 2), which are referenced within the Security Bulletin Summary.

Microsoft have also made available 2 security advisories today (an advisory for Adobe Flash was published earlier this month to announce the availability of a non-security update). The Deprecation of SHA-1 Hashing Algorithm (discussed and defined here) and the TLS Session Resumption Interoperability update may or may not apply in your environment. Please review these advisories to determine if you need to take further action.

Moreover, an alternative source for information on Known Issues is the IT Pro Patch Tuesday blog, which is usually updated shortly after the release of the updates if any issues are encountered.

Adobe have also issued updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI addressing 17 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin.

Please note that Adobe Acrobat X and Adobe Reader X are no longer supported. They did not receive any updates within this bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with prioritizing Microsoft’s updates, I would recommend first installing the Silverlight update since it resolves a zero-day security vulnerability (defined) under attack in the wild (under attack on computing devices used by the general public in their professional and personal lives).

This should then be followed by the Windows Kernel update, since the kernel (defined) is the core of Windows and exploiting this issue could allow the attacker to gain system level privileges (defined). Next, I would recommend installing the updates for Microsoft Office, Internet Explorer, Microsoft Edge and JScript and VBScript due to their critical severities. You can then install any remaining applicable updates.

One other security precaution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always, as a routine precaution, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.
