Administrators who might still be feeling the effects of last month's Meltdown and Spectre CPU bugs won't get much rest, with a fairly sizeable patching workload delivered on February Patch Tuesday.
Microsoft released security updates to address 50 vulnerabilities, including a fix for an actively exploited zero-day vulnerability in Adobe Flash Player. IT departments also spent the past month dealing with the Microsoft and Intel patches that were meant to protect systems from the Meltdown and Spectre exploits but instead brought blue screens and other instability.
"We had to go back to a lot of businesses and say, 'Oh, your systems aren't stable because we rolled out a bunch of patches that Microsoft said were critical,'" said Dave Kawula, principal consultant at TriCon Elite Consulting.
February Patch Tuesday fixes for Adobe, Office
Adobe released its own patch for the zero-day exploit earlier this month, but Microsoft included the fix with its monthly rollup. For Windows client systems, administrators should pay close attention to the APSB18-02 security update from Adobe that shuts down 41 vulnerabilities -- 17 rated critical -- in the Acrobat and Reader applications.
"With the Flash vulnerabilities having active exploits, those should be a priority. But with 41 vulnerabilities being covered with Reader and Acrobat, those patches should follow shortly after," said Jimmy Graham, director of product management at Qualys Inc., based in Redwood City, Calif. "That's a pretty large number."
Microsoft also corrected six Office vulnerabilities, including CVE-2018-0841, a critical remote code execution vulnerability in Excel that could give an attacker the same rights as the affected user. Additionally, in CVE-2018-0771, Microsoft closed a security feature bypass in the Edge browser that an attacker could exploit through a compromised website, forcing the browser to disclose restricted information.
Overall, the February Patch Tuesday releases include a large number of elevation-of-privilege vulnerabilities, many of them affecting Windows 10 and Windows Server 2016, and several of them rated as likely to be exploited.
"Even if you're doing proper least privilege, this type of attack can give full access to the systems," said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah. "People need to be aware that remote code execution isn't the only concern out there."
Admins hit with cascading trouble from CPU bugs
Widespread reports indicated that Intel's initial Spectre variant 2 microcode fixes caused intermittent reboots. Intel then told customers to postpone deployment of those patches until it could provide more stable microcode. In the meantime, Microsoft released an out-of-band update that disables the Spectre variant 2 (branch target injection) mitigation on affected systems.
Microsoft's Jan. 3 security updates that addressed Meltdown also caused blue-screen errors on some older AMD systems, which then could not boot; Microsoft paused delivery of the updates to those machines. Separately, Microsoft traced blue-screen reboots after the update to antivirus (AV) products that made unsupported calls into kernel memory.
"This situation flushed out the AV vendors who were going outside the bounds of what was approved behavior at the kernel level," Goettl said. "They were almost basically rooting the machine."
Microsoft now requires antivirus vendors to set a registry value that indicates their product works alongside the Meltdown patch to get that security update.
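The following PowerShell script is an added example, not code from the article, from Microsoft or from any AV vendor. It reads the two registry locations behind the two Windows-side issues described above: the AV compatibility flag that gates delivery of the January 2018 and later cumulative updates (the QualityCompat key and value name are the ones Microsoft published for AV vendors), and the FeatureSettingsOverride / FeatureSettingsOverrideMask values that Microsoft's guidance uses to turn the Spectre variant 2 and Meltdown kernel mitigations off or on. The bit meanings in the comments follow that guidance (1 disables variant 2, 3 disables both, 0 with mask 3 re-enables); the function names and output layout are my own. Run it from an elevated session; it is read-only.

```powershell
# Added example: read-only readiness check for the Meltdown/Spectre Windows updates.

# 1. AV compatibility flag. Windows Update withholds the January 2018+ cumulative
#    updates until this value exists. AV vendors set it once their product no
#    longer makes unsupported calls into kernel memory.
$QualityCompatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-e7ab-4ad1-b01a-e8ba0d6d1e5c'   # documented value name, REG_DWORD 0

function Test-AvCompatFlag {
    if (-not (Test-Path -Path $QualityCompatKey)) { return $false }
    $item = Get-ItemProperty -Path $QualityCompatKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # Presence of the value is what Windows Update checks; the data is 0.
    return [bool]($item.PSObject.Properties.Name -contains $QualityCompatName)
}

# 2. Kernel mitigation override. FeatureSettingsOverride bits are honored only
#    where the corresponding bit is set in FeatureSettingsOverrideMask:
#    bit 0 = disable Spectre variant 2 (CVE-2017-5715) mitigation
#    bit 1 = disable Meltdown (CVE-2017-5754) mitigation
#    No values present means the OS defaults (mitigations on) apply.
$MemoryManagementKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    $item = Get-ItemProperty -Path $MemoryManagementKey -ErrorAction SilentlyContinue
    $override = if ($null -ne $item) { $item.FeatureSettingsOverride }     else { $null }
    $mask     = if ($null -ne $item) { $item.FeatureSettingsOverrideMask } else { $null }

    if ($null -eq $override -or $null -eq $mask) {
        return [pscustomobject]@{
            Variant2Disabled = $false
            MeltdownDisabled = $false
            Source           = 'OS default (no override values present)'
        }
    }

    $effective = [int]$override -band [int]$mask
    [pscustomobject]@{
        Variant2Disabled = [bool]($effective -band 1)
        MeltdownDisabled = [bool]($effective -band 2)
        Source           = "FeatureSettingsOverride=$override FeatureSettingsOverrideMask=$mask"
    }
}

# Report.
$avOk = Test-AvCompatFlag
Write-Output ("AV compatibility flag present: {0}" -f $avOk)
if (-not $avOk) {
    Write-Output '  Windows Update will not offer the January 2018 and later cumulative updates.'
    Write-Output '  Confirm your AV vendor supports the update first; the vendor (or you, for'
    Write-Output '  a supported product) sets the flag with:'
    Write-Output ("    New-Item -Path '{0}' -Force | Out-Null" -f $QualityCompatKey)
    Write-Output ("    New-ItemProperty -Path '{0}' -Name '{1}' -PropertyType DWord -Value 0 -Force" -f $QualityCompatKey, $QualityCompatName)
}
Get-MitigationOverride | Format-List
```

The registry only tells you what the administrator asked for; to see which mitigations are actually active after the kernel has loaded microcode and applied these settings, run Microsoft's own Get-SpeculationControlSettings cmdlet from the SpeculationControl module on the PowerShell Gallery, which is the check Microsoft points to in its guidance.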
Kawula deploys patches as part of his services to customers, with the main goal of protecting their systems while keeping them stable. This past month was one of the worst he has experienced in more than 22 years in IT, he said.
"This has been a really tough one," he said. "I don't care what your position is -- whether you're a consultant, an IT director or a system administrator. To have to go pull back those patches after they've been rolled out -- there's a lot of egg on all of our faces."
Traditionally, many Windows administrators would roll out a critical security hotfix from Microsoft as soon as possible -- sometimes without going through the quality-assurance process in a dev-test setting. Based on the sense of urgency from Microsoft and hardware vendors, Kawula followed this expedited procedure for the January patches and got burned in the process, he said. Kawula said he plans to take a more conservative approach with system updates in the future and suspects many in IT will do the same.
"The old norm was we used to wait at least six months before deploying any Microsoft service packs, because nobody wanted the blue-screen issues with Windows 2000 and 2003," Kawula said. "It seemed like Microsoft had cleaned up their act with the patching process, but having to go through this takes us way back to the good old days."
As for the current state of CPU bugs, Intel recently released new microcode updates just for its Skylake processors, according to Graham.
"Intel has a lot of processor architectures," he said. "They have to go through each one by one. I'm assuming they're going to do a lot more testing than they did with the previous releases."
For more information about the remaining security bulletins for February Patch Tuesday, visit Microsoft's Security Update Guide.