Microsoft Security Bulletin Release for January, 2016

Started by Corrine, January 12, 2016, 06:54:51 PM

Corrine

Microsoft released nine (9) bulletins.  Six (6) bulletins are identified as Critical and the remaining three (3) are rated Important in severity.

The updates address vulnerabilities in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Visual Basic and Microsoft Silverlight.

Details about the 25 CVEs can be found in the Microsoft Security Bulletin for January 2016.  If you are prioritizing updates, the most critical appears to be MS16-05 which indicates "more severe of the vulnerabilities could allow remote code execution if a user visits a malicious website".  Attention is also directed to MS16-001 which has the last updates for versions of Internet Explorer that have reached end of support.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

plodr

Not sure how it ties in with the above but I was offered a security update not listed on the bulletins so I did some searching and found this Security Advisory
https://technet.microsoft.com/en-us/library/security/3123479

I was offered KB3123479.
Chugging coffee and computing!

Corrine

That is the same issue that resulted in Mozilla updating Firefox to version 43.0.1 to prepare for the new signing requirement, followed by 43.0.2 (ESR 38.5.2) to meet the new signing requirements, followed by 43.0.3 for other bugs and finally followed by 43.0.4 to re-enable SHA-1 certificates.  As I understand it, this was because the update resulted in situations which prevented installed security programs from accessing HTTPS sites to obtain updates.  So, perhaps we'll see 43.0.5 to revert to the new signing requirements.  Note that SHA-1 certificates were not re-enabled on ESR 38.5.2.

As to the Microsoft update, because it isn't a vulnerability in a Microsoft product, it wasn't listed in the Security Bulletin. 

Quote:
Is this a security vulnerability that requires Microsoft to issue a security update?
No. A signing mechanism alternative to SHA-1 has been available for some time, and the use of SHA-1 as a hashing algorithm for signing purposes has been discouraged and is no longer a best practice. Microsoft will however evaluate any opportunities to strengthen technologies to detect fraudulent certificates. Although this is not a vulnerability in a Microsoft product, Microsoft is issuing this advisory to help clarify the actual risk involved to customers.



plodr

Thanks. It is the only update I chose not to install on our four Windows 7 computers. I was afraid I might break my ability to load sites. I will wait to see what Susan Bradley says on Thursday when I get my WindowsSecrets newsletter.


plodr

Here's what Susan Bradley (https://mvp.microsoft.com/en-us/PublicProfile/7500?fullName=susan%20elise%20bradley) had to say:
Quote:
KB 3123479 might show up in Windows Update, but according to its information page, it’s intended primarily for IT professionals. It’ll mostly have an impact if you manually download patches from the Microsoft Download Center. At worst, it might confuse us slightly when we download files from the Web. Look for a separate article explaining the effects of this update.
Since I do download, at times, things from the MS Download Center, I might install it. I'll first look for an article that explains the effects of this update.
Bottom line: undecided as of today.  ;)