Microsoft Patching: Don’t Forget to Read the Fine Print

Thursday, May 21, 2015

Tripwire Inc


By: Lane Thames 

During my career, I have built and managed hundreds of production-level client and server systems, and nothing can be more worrisome than when it comes time to apply patches and upgrades to software. Why? Because things can, and often times, do go wrong during patch and upgrade cycles.

According to a few reports, it is possible that system administrators will have some minor side effects to deal with after applying this month’s patches. I cannot really comment on the accuracies of these failure reports that are surfacing. However, I can say that Microsoft’s May 2015 Patch Tuesday contained a few complexities that, if nothing else, could result in confusion for administrators.

So, let me explain. First, let’s look at the overall bulletin numbers.

Microsoft released 13 bulletins: MS15-043 thru MS15-055. These thirteen bulletins covered 47 unique CVE IDs. With 47 unique CVE IDs, we can assume that at least 47 vulnerabilities were addressed—sometimes a single CVE ID is used to track more than one vulnerability.

Further, these 13 bulletins touched a slew of products and subsystems, including kernel, kernel mode drivers, Microsoft Office, .NET, Silverlight, Lync, SharePoint, SCM, JScript, VBScript, MMC, Schannel, and, of course, Internet Explorer. Indeed, it was a big patch cycle for system admins to deal with.

Second, we have MS15-052 and MS15-055. MS15-052 addressed a security feature bypass in the Windows kernel, whereas MS15-055 addressed an information disclosure vulnerability in Schannel (Secure Channel).

One potential area of confusion for admins, as well as a source of potential patch installation errors, related to these two bulletins is that KB3061518 in MS15-055 actually supersedes KB3050514 in MS15-052. According to Microsoft, manual installation of these patches requires that administrators install MS15-052 first, before installing MS15-055.

One of the reports surfacing is related to machines not being able to contact licensing servers after installing the Schannel patch. I don’t suspect that issue to be related to this MS15-052/MS15-055 supersession and upgrade sequence. This is likely due to some other software dependency. Software dependency is a huge factor that must be considered with developing, testing and deploying any type of patch or upgrade.

Lastly, we have MS15-044. MS15-044 was a beast of a bulletin.

One area of confusion results from the various updates provided by MS15-044 having identical update files provided by other bulletins released in the same cycle.

For example, MS15-049 addressed an elevation of privilege vulnerability in Silverlight, whereas MS15-044 addressed, amongst other things, a remote code execution vulnerability in Silverlight due to improper processing of TrueType fonts. However, both of these bulletins shipped the exact same patch set given as KB3056819.

This is not a huge deal but could cause confusion for those who choose to install patches manually and who don’t read the fine print.

This was cross-posted from Tripwire's The State of Security blog.

Budgets Enterprise Security Policy Security Awareness Security Training Breaches CVE DB Vulns US-CERT
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.