Qualys Blog

www.qualys.com

January Patch Tuesday – Meltdown/Spectre, 16 Critical Microsoft Patches, 1 Adobe Patch

Due to the disclosure of Meltdown and Spectre, Microsoft released several patches last week with the ranking “Important.” While there are no active attacks against these vulnerabilities, a special focus should be placed on any of the browser patches, due to potential attacks using JavaScript.

It is important to note that OS-level and BIOS (microcode) patches that are designed to mitigate Meltdown and Spectre may lead to performance issues. It is important to test all patches before deploying.

Some of these updates are incompatible with third-party antivirus software, and may require updating AV on workstations and servers. Microsoft has released guidance documents for both Windows clients and servers. Windows Server requires registry changes in order to implement the protections added by the patches.

Microsoft has also halted the deployment of patches for some AMD systems, as there have been issues with systems after installation.

Aside from these patches, today Microsoft has released patches covering 56 other vulnerabilities. Of these vulnerabilities, 16 are ranked as “Critical,” with 28 potentially leading to remote code execution.

In today’s release there are patches for both Microsoft Word and Outlook, which should also be prioritized for workstation-type devices. Most of the patches released today are for browsers and involve the Scripting Engine. These patches should be prioritized  for systems that access the internet via a browser.

Patch priority ranking:

  1. CVE-2017-5753 – Bounds check bypass (Spectre)
  2. CVE-2017-5715 – Branch target injection (Spectre)
  3. CVE-2017-5754 – Rogue data cache load (Meltdown)
  4. CVE-2018-0793 – Outlook
  5. CVE-2018-0794 – Word
  6. (Multiple CVEs) – Browser patches (Scripting engine)

Adobe has released an update to Flash Player, and has given it a Priority of 2, meaning there are no active attacks, and future attacks are not imminent. Microsoft has ranked this vulnerability as Critical for systems that receive Flash updates through Microsoft.

Leave a Reply