http://www.computerworld.com/article/3022060/security/6-critical-updates-for-january-patch-tuesday.html
By Greg Lambert
Computerworld
Jan 13, 2016
Microsoft has started the year with a truly unusual Patch Tuesday. There
are nine updates for January, with six rated as critical and the remaining
three rated as important (the reverse of the usual distribution in terms
of severity). January has a couple of additional surprises. First, it
looks like MS16-009 did not make this Patch Tuesday release at all and may
only surface later this month. Secondly, we see what has been rated as an
important update with MS16-008 may contain the most severe vulnerability
and the most risky patch contents.
Thanks to Shavlik this month for their very helpful summary infographic
detailing this January Patch Tuesday.
MS16-001 — Critical
The first update rated as critical for the year 2016 is MS16-001, an
update for Microsoft Internet Explorer that attempts to resolve two
reported vulnerabilities, that at worst could lead to a remote code
execution scenario. This update affects all supported versions of Windows
and will require a system restart due to the complete re-release of all IE
related executables and supporting libraries. Microsoft has offered some
advice on how to mitigate the risk of this particular vulnerability.
However, this advice requires changing the ownership (and subsequent
security settings) of one of IE’s core system libraries (VBScript.dll)
which in practice is usually difficult to do and almost impossible to
manage in an enterprise scenario. This is a "Patch Now” Microsoft update.
MS16-002 — Critical
The next critical update for this January Patch Tuesday is MS16-002 which
attempts to resolve two reported vulnerabilities in Microsoft’s latest
browser -- Edge. This update to Edge is intimately related to this month’s
IE update MS16-001 as it also deals with a VBScript and JScript memory
corruption issue in the Chakra JavaScript engine, which could lead to a
remote code execution scenario. Both of these browser patches have a high
exploitation rating and should be a priority in your patch cycle.
[...]
--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
