[ISN] 6 critical updates for January Patch Tuesday

www.computerworld.com/article/3022060/security/6-critical-updates-for-january-patch-tuesday.html

By Greg Lambert
Computerworld
Jan 13, 2016

Microsoft has started the year with a truly unusual Patch Tuesday. There are nine updates for January, with six rated as critical and the remaining three rated as important (the reverse of the usual distribution in terms of severity).

January has a couple of additional surprises. First, it looks like MS16-009 did not make this Patch Tuesday release at all and may only surface later this month. Second, MS16-008, although rated only as an important update, may contain the most severe vulnerability and the riskiest patch contents.

Thanks to Shavlik this month for their very helpful summary infographic detailing this January Patch Tuesday.

MS16-001 — Critical

The first update rated as critical for the year 2016 is MS16-001, an update for Microsoft Internet Explorer that attempts to resolve two reported vulnerabilities which at worst could lead to a remote code execution scenario. This update affects all supported versions of Windows and will require a system restart due to the complete re-release of all IE-related executables and supporting libraries.

Microsoft has offered some advice on how to mitigate the risk of this particular vulnerability. However, this advice requires changing the ownership (and subsequent security settings) of one of IE’s core system libraries (VBScript.dll), which in practice is usually difficult to do and almost impossible to manage in an enterprise scenario. This is a “Patch Now” Microsoft update.

MS16-002 — Critical

The next critical update for this January Patch Tuesday is MS16-002 which attempts to resolve two reported vulnerabilities in Microsoft’s latest browser