Microsoft has kept IT pros hopping recently. While the monthly Patch Tuesday update load has been surprisingly light for the last four months, we’ve started getting some emergency security advisories and updates released outside the normal release schedule.
Even though it’s only a little over a week until this month’s Patch Tuesday, today (Monday, May 5) brought us one more of those, as the fallout from Heartbleed continues. The good news is that this particular vulnerability has limited impact (unlike the last one, which was the Internet Explorer vulnerability that could possibly have affected almost a billion users). It’s a Heartbleed security flaw in the Juniper Networks Windows In-box Junos Pulse Client, and it applies only when the client is running on Windows 8.1 (both 32-bit and 64-bit versions) and Windows RT 8.1.
The affected component is third-party VPN client software, and Juniper had already issued a multiple-product advisory/disclosure regarding Heartbleed that included this product, so you might be wondering why Microsoft is issuing a fix in the first place. The reason is that the client ships as part of the Windows operating system and appears as a VPN option in Windows 8.1/RT 8.1 systems. The vulnerability exists in the client libraries in those operating systems.
The other good news is that even if you’re using this VPN client, in order for an attacker to successfully exploit the vulnerability, a user would have to be persuaded somehow to connect to the attacker’s malicious VPN server. Of course, this could be done via redirection.
The update that was released today fixes this problem. The security update differs depending on whether or not the Windows 8.1/RT 8.1 computer has Update 2919355 installed. You can find out more (and links to information regarding each of these circumstances) in Microsoft Security Advisory 2962393.