It is important to note that OS-level and BIOS (microcode) patches that are designed to mitigate Meltdown and Spectre may lead to performance issues. It is important to test all patches before deploying.
Some of these updates are incompatible with third-party antivirus software, and may require updating AV on workstations and servers. Microsoft has released guidance documents for both Windows clients and servers. Windows Server requires registry changes in order to implement the protections added by the patches.
Microsoft has also halted the deployment of patches for some AMD systems, as there have been issues with systems after installation.
Aside from these patches, Microsoft has released patches covering 56 other vulnerabilities. Of these vulnerabilities, 16 are ranked as “Critical,” with 28 potentially leading to remote code execution.
For this release there are patches for both Microsoft Word and Outlook, which should also be prioritized for workstation-type devices. Most of the patches released are for browsers and involve the Scripting Engine. These patches should be prioritized for systems that access the internet via a browser.
Patch priority ranking:
- CVE-2017-5753 – Bounds check bypass (Spectre)
- CVE-2017-5715 – Branch target injection (Spectre)
- CVE-2017-5754 – Rogue data cache load (Meltdown)
- CVE-2018-0793 – Outlook
- CVE-2018-0794 – Word
- (Multiple CVEs) – Browser patches (Scripting engine)
Adobe has released an update to Flash Player, and has given it a Priority of 2, meaning there are no active attacks, and future attacks are not imminent. Microsoft has ranked this vulnerability as Critical for systems that receive Flash updates through Microsoft.
The following Excel spreadsheet lists all security updates for all Microsoft products that the company released in January 2018.
• Microsoft released security patches for all supported client and server versions of the Windows operating system.
• Security updates are also released for Microsoft Edge, Internet Explorer, Microsoft Office, SQL Server, .NET Framework, .NET Core, ASP.NET Core and Adobe Flash
• No critical updates for any supported version of Windows.
• Cumulative updates are only distributed to systems who did not install them earlier (released as out-of-bound patches on January 4).
Operating System Distribution
• Windows 7: 7 vulnerabilities of which 7 are rated important
• Windows 8.1: 10 vulnerabilities of which 10 are rated important
• Windows 10 version 1607: 11 vulnerabilities of which 11 are rated important
• Windows 10 version 1703: 11 vulnerabilities of which 11 are rated important
• Windows 10 version 1709: 11 vulnerabilities of which 11 are rated important
Windows Server products:
• Windows Server 2008: 7 vulnerabilities of which 7 are rated important
• Windows Server 2008 R2: 7 vulnerabilities of which 7 are rated important
• Windows Server 2012 and 2012 R2: 10 vulnerabilities of which 10 are rated important
• Windows Server 2016: 9 vulnerabilities of which 9 are rated important
Other Microsoft Products
• Internet Explorer 11: 2 vulnerabilities, 2 critical
• Microsoft Edge: 17 vulnerabilities, 14 critical, 3 important