If you, like me, are still basking in the afterglow of a relaxing holiday respite, the relentless re-introduction of Microsoft Patch Day may seem like a harsh reminder of some of the drudgery suffered by an InfoSec professional. Don’t get me wrong! Patching is one of the most effective ways of keeping your systems safe. Yet, its ceaseless nature can’t help but put me into a Sisyphean mood.
That said, here comes another round of Microsoft patches, so get ready to push that security boulder back up another hill next Tuesday.
According to their first advanced Notification post for the year, Microsoft plans to release seven new security bulletins next Tuesday, as part of their January Patch Day. The bulletins will include updates to fix security vulnerabilities in Windows, Office, the .NET Framework, and some of Microsoft’s Server Software. Microsoft rates two of the bulletins as Critical, and the rest as Important.
Regular followers might notice that a fix for the recent Internet Explorer (IE) zero day vulnerability is missing from Microsoft’s expected updates. Researchers discovered this issue very recently, so I frankly wasn’t expecting a fix yet. It wouldn’t surprise me though if Microsoft releases an “out-of-cycle” update later in the month. In any case, if you applied the FixIt workaround I recommended previously, you should be fine. As an aside, WatchGuard’s signature writers developed a signature for the known exploit, so if you use our IPS service you are further protected.
I’ll post more information about Microsoft’s updates next week, so keep posted. — Corey Nachreiner, CISSP (@SecAdept)